Security Incidents mailing list archives

Re: echo requests, 1480 bytes


From: rgula () SECURITYWIZARDS COM (Ron Gula)
Date: Fri, 11 Feb 2000 07:33:59 -0800


Thomas,

What catches my eye in your message is:

Feb  3 06:24:30 oi iplog[20316]: ICMP: echo from ns-norva.navy.mil (1480 bytes)


Does anyone know what these folks are up to?  I usually see an echo
request from them, followed by an ICMP source quench.  Very odd.

Don

We have seen several sites monitored by the Dragon IDS pick up this
packet. It is spoofed, as certain fields in the ICMP and IP headers
never change. Someone probably compiled an ICMP spoofer and used
the length of their buffer as the length of their packet.

I'd post a copy of the packet, but I don't have permission from the
customer at the moment. It's a payload of all zeros after the ICMP
header.

Ron Gula, CTO.
Network Security Wizards, Inc.
http://www.securitywizards.com
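
The following is an added example, not part of the original message and not Dragon IDS code: a small detector for the traits the message describes, echo requests with an all-zero payload whose header fields repeat unchanged. The message does not say which fields stay constant, so the choice of IP ID, ICMP identifier and ICMP sequence number is an assumption, as are the constructed sample packets and the reading of "1480 bytes" as the ICMP message length.

```python
import struct
from collections import Counter

def parse_echo_request(pkt: bytes):
    """Return header fields of an IPv4 ICMP echo request, or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8:   # IP protocol 1 = ICMP
        return None
    total_len, ip_id = struct.unpack_from("!HH", pkt, 2)
    icmp_type, _code, _csum, icmp_id, icmp_seq = struct.unpack_from("!BBHHH", pkt, ihl)
    if icmp_type != 8:                                   # ICMP type 8 = echo request
        return None
    payload = pkt[ihl + 8:total_len]
    return {"ip_id": ip_id, "icmp_id": icmp_id, "icmp_seq": icmp_seq,
            "payload_len": len(payload),
            "zero_payload": bool(payload) and not any(payload)}

def static_zero_echoes(packets, min_count=3):
    """Count zero-payload echo requests per (IP ID, ICMP id, ICMP seq, payload length)
    and keep fingerprints repeated at least min_count times. A normal ping
    advances its sequence number, so its fingerprints never repeat."""
    counts = Counter()
    for raw in packets:
        f = parse_echo_request(raw)
        if f and f["zero_payload"]:
            counts[(f["ip_id"], f["icmp_id"], f["icmp_seq"], f["payload_len"])] += 1
    return {fp: n for fp, n in counts.items() if n >= min_count}

def build_echo(src, dst, ip_id, icmp_id, icmp_seq, payload):
    """Build a constructed test packet; checksums are left at 0 (the parser ignores them)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, icmp_id, icmp_seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0, 64, 1, 0,
                     bytes(src), bytes(dst))
    return ip + icmp

# Constructed sample traffic using documentation addresses (RFC 5737).
DST = (192, 0, 2, 10)
ZEROS = bytes(1472)   # assumption: 8-byte ICMP header + 1472 zero bytes = 1480
SAMPLE = [build_echo((198, 51, 100, 7), DST, 0x1234, 0, 0, ZEROS) for _ in range(3)]
# An ordinary ping: IP ID and sequence number advance, payload is non-zero.
SAMPLE += [build_echo((203, 0, 113, 5), DST, 100 + i, 77, i, b"abcdefgh" * 7) for i in range(3)]
# Zero payload but advancing fields: not flagged.
SAMPLE += [build_echo((203, 0, 113, 9), DST, 500 + i, 9, i, bytes(56)) for i in range(3)]

if __name__ == "__main__":
    for fp, n in static_zero_echoes(SAMPLE).items():
        print("repeated static echo request", fp, "seen", n, "times")
```

Because the source address of a spoofed packet is unreliable, the fingerprint is keyed on header fields rather than on the claimed sender.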

