Re: strange icmp traffic

[globi () GRAFF COM PL (Dariusz Zmokly)]

hi !

On Tue, 11 Jan 2000, Jacob Langseth wrote:

Thank you very much for answering.

> > 203.227.180.210 -> 3.150.160.18 (IPv2) was 'echo reply'
>
> Is this verbatim?  IPv2 *can't* be right...

It is output of tool called imon. It was mentioned on letter from
securityfocus.

> As to how you saw these within your network, there are
> two possibilities:  1) the packets were source routed
> through your network (have you taken any detailed packet
> captures?) or 2) the origin of the packets are w/in your

No i haven't done it.

> network, and someone is spoofing the source address.
> Incidentally, this is the type of behaviour one might
> expect if a tfn2k client was operating on your network.

tfn2k ? Do you mean some distributed DOS software ?

> Please capture one of these packets and examine it;

Good advice I am going to do it.

> does it 1) show (loose|strict) source route options
> and 2) what does the data payload look like?  If it
> appears to be uuencoded, it could very well be tfn2k.
>
> A couple of utilities which might aid you:
>     tcpdump -> for raw packet caputure
>     ethereal -> gui to examine ip options set (reads tcpdump output)
>     pingsting -> utility for identifying most known ping traffic

I started tcpdump and will look tomorrow if it will collect any suspicious
icmp packets.

> A note about pingsting:  by default it initializes
> libpcap to only catch echo requests, while in your
> case you want to ident echo replies.  Change the
> line which looks like

Well I dont know pingsting and don't have time today to play with it today.
Mayby tomorrow.

> > badly formed ICMP packet (type=97, code=27)
> > 119.139.218.126 -> 22.178.128.16 (IPv13) was ''
>
> Potentially the targa3() implemenetation in tfn2k?  It
> initializes the packet to various random data, chooses
> to make it tcp, udp or icmp, fills in enough protocol
> information to transmit and then lets it rip.  The values
> shown above look pretty bizarre to me, anyway.

Well I see also frequent pings from our competitor. Mayby that's them ?

> NIPC has released a binary only tfn/trinoo/tfn2k/etc
> detection utility, if you trust running arbitrary
> code without the ability to inspect the source:
>     htpp://www.fbi.gov/nipc/trinoo.htm
> If tfn2k is the source, this might aid in its detection.

I read the same advisory and tried to get this utility but had problems with
accessing this site. I will try later.

> Hope this helps,

Yeah. It always helps to speak with someone and got some inspiring comments :)

have a good day !
Dariusz Zmokly