Firewall Wizards mailing list archives
RE: big ICMP size
From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Wed, 4 Oct 2000 15:59:36 +0200
Darren,

This is the trace of the HPUX 11.0x PMTU discovery process kicking my LINUX test box:

00:27:57.435620 ppp0 < x.x.x.x > y.y.y.y : icmp: echo request (DF) (ttl 236, id 41985)
                         4500 05dc a401 4000 ec01 d909 xxxx xxxx
                         yyyy yyyy 0800 7e52 9abc def0 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         ....

This one is from AIX 4.3.x (from Lance Spitzner's web site):

[**] IDS246 - MISC - Large ICMP Packet [**]
06/23-20:48:34.516346 x.x.x.x -> x.x.x.x
ICMP TTL:239 TOS:0x0 ID:15191 DF
ID:39612 Seq:57072 ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

They are legit. Operating systems I know of that do that are HPUX 10.30 and 11.0x and AIX 4.3.x.

Ofir Arkin [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com
Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily represent the views of my employer."

-----Original Message-----
From: firewall-wizards-admin () nfr net [mailto:firewall-wizards-admin () nfr net] On Behalf Of Darren Reed
Sent: Wednesday, October 04, 2000 12:53 AM
To: bugiu
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] big ICMP size

In some email I received from bugiu, sie wrote:
Hi admins,

I have a distributed source attack with ICMP type 8 packets, size = 1500 and the don't fragment flag (DF) set, from 8-10 sites. The default policy discards these requests, but before contacting the admins of these sites, do you know of any similar reports or a modified binary that generates this type of traffic?

Here is a log extract of this activity:

-----------------------////////
Sep 21 11:00:20 iplist kernel: Packet log: input DENY eth0 PROTO=1 SS.SS.SS.SS:8 193.230.133.6:0 L=1500 S=0x00 I=36059 F=0x4000 T=233
-------------------------///////
11:38:03.748034 212.206.88.45 > bamse.osim.ro: icmp: echo request (DF) (ttl 234, id 3266)
                         4500 05dc 0cc2 4000 ea01 0a76 SSSS SSSS
                         c1e6 8506 0800 f7ff 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000
That looks unlike ping because the data bytes are all 0's rather than a pattern... but depending on your version of ping:

ping -s 1500 bamse.osim.ro
ping bamse.osim.ro 1500

i.e. the standard ping program can and will generate large ICMP ECHO packets if asked.

Darren

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
Current thread:
- big ICMP size bugiu (Oct 03)
- Re: big ICMP size Darren Reed (Oct 04)
- RE: big ICMP size Ofir Arkin (Oct 04)
- Re: big ICMP size thornton (Oct 09)
- RE: big ICMP size Ofir Arkin (Oct 04)
- RE: big ICMP size Ofir Arkin (Oct 04)
- Re: big ICMP size Darren Reed (Oct 04)