Security Incidents mailing list archives
Re: strange icmp traffic
From: jwl () POBOX COM (Jacob Langseth)
Date: Tue, 11 Jan 2000 17:49:23 -0800
Dariusz Zmokly scribed:
> Hi! I have just started IMON V 0.9b and see strange things. My network is
> 212.160.143.0 - 212.160.143.31. How is it possible to see ICMP packets having
> both origin and destination set to addresses out of my network? Does it mean
> that some host here has been owned?
>
> 203.227.180.210 -> 3.150.160.18 (IPv2) was 'echo reply'
Is this verbatim? IPv2 *can't* be right...

As to how you saw these within your network, there are two possibilities: 1) the packets were source routed through your network (have you taken any detailed packet captures?) or 2) the origin of the packets is w/in your network, and someone is spoofing the source address. Incidentally, this is the type of behaviour one might expect if a tfn2k client were operating on your network.

Please capture one of these packets and examine it; does it 1) show (loose|strict) source route options and 2) what does the data payload look like? If it appears to be uuencoded, it could very well be tfn2k.

A couple of utilities which might aid you:

  tcpdump   -> for raw packet capture
  ethereal  -> gui to examine ip options set (reads tcpdump output)
  pingsting -> utility for identifying most known ping traffic

A note about pingsting: by default it initializes libpcap to only catch echo requests, while in your case you want to ident echo replies. Change the line which looks like

  filter = "ip[0:1]=0x45 and ip[2:2] >= 28 and ip[2:2] <= 1500 and icmp[0:1] = 8";

To look like

  filter = "ip[0:1]=0x45 and ip[2:2] >= 28 and ip[2:2] <= 1500 and icmp[0:1] = 0";

(type 0, echo reply) and it *should* accomplish what you want. (disclaimer: I haven't tested this)
> 203.228.180.210 -> 5.140.128.16 (IPv2) was 'echo reply'
> 203.228.180.210 -> 5.140.128.24 (IPv2) was 'echo reply'
> 209.140.180.210 -> 5.140.128.24 (IPv2) was 'echo reply'
> 214.58.180.210 -> 5.140.128.17 (IPv2) was 'echo reply'
> 214.59.180.210 -> 5.141.128.16 (IPv2) was 'echo reply'
> [...]
> And:
>
> badly formed ICMP packet (type=96, code=50) 119.138.218.126 -> 20.173.176.18 (IPv13) was ''
> badly formed ICMP packet (type=97, code=27) 119.139.218.126 -> 22.178.128.16 (IPv13) was ''
Potentially the targa3() implementation in tfn2k? It initializes the packet to various random data, chooses to make it tcp, udp or icmp, fills in enough protocol information to transmit and then lets it rip. The values shown above look pretty bizarre to me, anyway.

NIPC has released a binary-only tfn/trinoo/tfn2k/etc detection utility, if you trust running arbitrary code without the ability to inspect the source: http://www.fbi.gov/nipc/trinoo.htm If tfn2k is the source, this might aid in its detection.

Hope this helps,
Jacob Langseth
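The two explanations Jacob gives (a source-routed packet in transit, or a packet emitted inside the segment with a forged source) can be told apart from the IP header alone, and his modified pingsting filter can be checked the same way. The Python below is an added example, not code from this thread, from pingsting or from tcpdump: it parses a raw IPv4/ICMP packet, walks the IP options for LSRR/SSRR, tests whether either endpoint falls in the poster's block (read here as 212.160.143.0/27, an assumption about the posted range), and evaluates the same conditions as the echo-reply filter. The packets it runs on are constructed to resemble the lines quoted above; they are not real captures.

```python
import ipaddress
import struct

# The poster's block, 212.160.143.0 - 212.160.143.31, assumed to be a /27.
LOCAL_NET = ipaddress.ip_network("212.160.143.0/27")

# IP option kinds for loose and strict source routing (RFC 791).
LSRR, SSRR = 0x83, 0x89
# ICMP types with a long-standing assignment; anything else is suspect
# (the randomised types the reply attributes to targa3-style generation).
KNOWN_ICMP_TYPES = {0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18}


def build_ipv4_icmp(src, dst, icmp_type, icmp_code=0, payload=b"", options=b""):
    """Construct a minimal IPv4+ICMP packet for testing (checksums left zero)."""
    if len(options) % 4:                       # options are padded to 32-bit words
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0) + payload
    total_len = ihl * 4 + len(icmp)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64, 1, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + icmp


def parse_ipv4(pkt):
    """Pull out the IPv4 fields the checks need; return None if this is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "first_byte": pkt[0],
        "total_len": struct.unpack("!H", pkt[2:4])[0],
        "proto": pkt[9],
        "src": ipaddress.ip_address(pkt[12:16]),
        "dst": ipaddress.ip_address(pkt[16:20]),
        "options": pkt[20:ihl],
        "payload": pkt[ihl:],
    }


def source_route_options(options):
    """Walk the IP options area and return the source-route option kinds found."""
    found, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                          # end of option list
            break
        if kind == 1:                          # single-byte no-op
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                              # truncated or malformed length: stop
        if kind in (LSRR, SSRR):
            found.append(kind)
        i += options[i + 1]
    return found


def matches_echo_reply_filter(pkt):
    """Python form of the modified pingsting filter from the reply:
    ip[0:1]=0x45 and ip[2:2] >= 28 and ip[2:2] <= 1500 and icmp[0:1] = 0"""
    info = parse_ipv4(pkt)
    return (info is not None and info["first_byte"] == 0x45
            and 28 <= info["total_len"] <= 1500 and info["proto"] == 1
            and len(info["payload"]) >= 1 and info["payload"][0] == 0)


def classify(pkt):
    """Say why a packet seen on the local wire is (or is not) suspicious."""
    info = parse_ipv4(pkt)
    if info is None:
        return "not-ipv4"
    if info["proto"] == 1 and info["payload"] and info["payload"][0] not in KNOWN_ICMP_TYPES:
        return "unassigned-icmp-type"
    if info["src"] in LOCAL_NET or info["dst"] in LOCAL_NET:
        return "local-endpoint"
    if source_route_options(info["options"]):
        return "transit-source-routed"        # Jacob's case 1
    # Neither endpoint is ours and nothing routed it through us, so it was put on
    # this segment by a local host using a forged source address (Jacob's case 2).
    return "spoofed-from-inside"


# Constructed samples modelled on the lines quoted in the thread (not real captures).
SAMPLES = {
    "plain_reply": build_ipv4_icmp("203.227.180.210", "3.150.160.18", 0, payload=b"\x00" * 8),
    "lsrr_reply": build_ipv4_icmp("203.228.180.210", "5.140.128.16", 0, payload=b"\x00" * 8,
                                  options=bytes([LSRR, 7, 4])
                                  + ipaddress.ip_address("212.160.143.5").packed),
    "bad_type": build_ipv4_icmp("119.138.218.126", "20.173.176.18", 96, icmp_code=50),
    "local_request": build_ipv4_icmp("212.160.143.9", "3.150.160.18", 8, payload=b"\x00" * 8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} filter_match={matches_echo_reply_filter(pkt)!s:5s} "
              f"verdict={classify(pkt)}")
```

One thing the code makes visible: the pingsting filter begins with ip[0:1]=0x45, which pins the header length to exactly 20 bytes, so any packet actually carrying LSRR/SSRR options (IHL 7 in the lsrr_reply sample) is dropped by that filter before the ICMP type is ever looked at. If source routing is the hypothesis being tested, take the raw tcpdump capture instead, or relax that first term.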
Current thread:
- strange icmp traffic Dariusz Zmokly (Jan 10)
- Re: strange icmp traffic Jacob Langseth (Jan 11)
- Re: strange icmp traffic Dariusz Zmokly (Jan 12)
- Re: strange icmp traffic Jacob Langseth (Jan 11)