Security Incidents mailing list archives
Re: echo requests, 1480 bytes
From: mixmaster () REMAIL OBSCURA COM (Mixmaster)
Date: Sat, 19 Feb 2000 01:36:22 -0800
Big echo packets like this going out of our network set off our IDS sniffer here. It turns out they were coming from Macintosh PC's, with one big echo request sent to a web server at the same time they opened an HTTP connection. The payload was always all 0's. We checked a couple of the Macs doing it and they had not been compromised, and the users weren't doing anything to cause it, so I'm guessing it's some kind of MTU discovery "feature" of MacOS.

thomas lakofski wrote:
> i've been seeing the following recently:
> Feb 3 06:24:30 oi iplog[20316]: ICMP: echo from ns-norva.navy.mil (1480 bytes)
> Feb 3 16:13:50 oi iplog[20316]: ICMP: echo from cismhp.univ-lyon1.fr (1480 bytes)
> Feb 4 08:15:32 oi iplog[20316]: ICMP: echo from stone.gocis.bg (1480 bytes)
> Feb 7 15:21:37 oi iplog[20316]: ICMP: echo from 209.213.81.134 (1480 bytes)
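
A receiving-side triage for the pattern discussed in this message, as an added example that is not part of the original post: it reads iplog lines and marks each 1480-byte echo by whether the same source also opened an HTTP connection within a few seconds. Assumptions: the TCP line format, the `example.net` hostnames, the 5-second window and the year 2000 are constructed for illustration; only the ICMP line format comes from the quoted log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (hostnames under example.net are invented). The ICMP
# lines follow the iplog format quoted in the post; the TCP line format is assumed.
SAMPLE_LOG = """\
Feb  3 06:24:29 oi iplog[20316]: TCP: www connection attempt from mac1.example.net:49152
Feb  3 06:24:30 oi iplog[20316]: ICMP: echo from mac1.example.net (1480 bytes)
Feb  3 16:13:50 oi iplog[20316]: ICMP: echo from host2.example.net (1480 bytes)
Feb  4 08:15:32 oi iplog[20316]: ICMP: echo from host3.example.net (64 bytes)
Feb  4 08:20:00 oi iplog[20316]: TCP: www connection attempt from host2.example.net:1044
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ iplog\[\d+\]: (ICMP|TCP): (.*)$")
ECHO = re.compile(r"^echo from (\S+) \((\d+) bytes\)$")
WWW = re.compile(r"^www connection attempt from ([^\s:]+):\d+$")

def parse(log, year=2000):
    """Return (echoes, http): [(time, source, size)] and [(time, source)]."""
    echoes, http = [], []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an iplog ICMP/TCP line
        # Syslog timestamps carry no year, so one is supplied (assumed: 2000).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if m.group(2) == "ICMP" and (e := ECHO.match(m.group(3))):
            echoes.append((ts, e.group(1), int(e.group(2))))
        elif m.group(2) == "TCP" and (w := WWW.match(m.group(3))):
            http.append((ts, w.group(1)))
    return echoes, http

def triage(log, min_size=1480, window=timedelta(seconds=5)):
    """Label each large echo by whether its source opened HTTP within the window."""
    echoes, http = parse(log)
    results = []
    for ts, src, size in echoes:
        if size < min_size:
            continue  # ordinary-sized ping, not the pattern in question
        paired = any(h_src == src and abs(h_ts - ts) <= window
                     for h_ts, h_src in http)
        results.append((src, "paired-with-http" if paired else "unexplained"))
    return results

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG):
        print(f"{src}: {verdict}")
```

The logs do not record payload contents, so the all-zero payload mentioned above would have to be confirmed from a packet capture; "unexplained" only means no matching HTTP connection was logged.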