Security Incidents mailing list archives
Re: echo requests, 1480 bytes
From: rgula () SECURITYWIZARDS COM (Ron Gula)
Date: Fri, 11 Feb 2000 07:33:59 -0800
Thomas, What catches my eye in your message is:Feb 3 06:24:30 oi iplog[20316]: ICMP: echo from ns-norva.navy.mil (1480bytes)Does anyone know what these folks are up to? I usually see an echo request from them, followed by an ICMP source quench. Very odd. Don
We have seen several sites monitored by the Dragon IDS pick up this packet. It is spooed as certain fields in the ICMP and IP headers never change. Someone probably compiled an ICMP spoofer and used a the length of their buffer as the length of their packet. I'd post a copy of the packet, but I don't have permission from the customer at the moment. It's a payload of all zeros after the ICMP header. Ron Gula, CTO. Network Security Wizards, Inc. http://www.securitywizards.com
Current thread:
- Re: echo requests, 1480 bytes Donald McLachlan (Feb 09)
- Ports 41508, 41524 & 41531 Aronius, Joakim (Feb 09)
- Re: Ports 41508, 41524 & 41531 Rick Ballard (Feb 10)
- Re: echo requests, 1480 bytes Brett Glass (Feb 09)
- Re: echo requests, 1480 bytes James Lohman (Feb 10)
- Re: echo requests, 1480 bytes Marc Slemko (Feb 15)
- Re: echo requests, 1480 bytes James Lohman (Feb 10)
- twinkie Vasiliy Kuznetsov (Feb 15)
- Re: twinkie Przemyslaw Frasunek (Feb 16)
- Re: twinkie Pavel Kankovsky (Feb 17)
- Re: echo requests, 1480 bytes Przemyslaw Frasunek (Feb 15)
- <Possible follow-ups>
- Re: echo requests, 1480 bytes Ron Gula (Feb 11)
- Re: echo requests, 1480 bytes Omachonu Ogali (Feb 15)
- Re: echo requests, 1480 bytes Donald McLachlan (Feb 16)
- Re: echo requests, 1480 bytes Mixmaster (Feb 19)
- Re: echo requests, 1480 bytes Fengor Wolfsclaw (Feb 22)
- Ports 41508, 41524 & 41531 Aronius, Joakim (Feb 09)