Security Incidents mailing list archives

Re: echo requests, 1480 bytes


From: 9d () COSMOSDIREKT DE (Fengor Wolfsclaw)
Date: Tue, 22 Feb 2000 15:42:40 +0100


Mixmaster wrote:

Big echo packets like this going out of our network set off our IDS
sniffer here.  It turns out they were coming from Macintosh PCs, with
one big echo request sent to a web server at the same time they opened
an HTTP connection.  The payload was always all 0's.  We checked a
couple of the Macs doing it and they had not been compromised, and the
users weren't doing anything to cause it, so I'm guessing it's some kind
of MTU discovery "feature" of MacOS.

Wasn't there a mail about something called "the mac attack" some time ago on Bugtraq?
IIRC it was a DDoS attack that used these echo packets to multiply their traffic.

Daniel "Fengor" Brachmann

