Security Incidents mailing list archives
Re: More fun stuff from demon internet (ICMP/120 ?)
From: thomas () 88 NET (thomas lakofski)
Date: Fri, 12 May 2000 17:57:31 +0100
I think these things are a common problem. For any legitimate connection it seems that often you'll receive a bogus tcp or udp or icmp packet. Can't be munging packets completely, or they'd never get to me (although I guess there could be many I don't see...), but a few of the headers get swapped about or otherwise corrupted.

I asked them about it via their comments submission page (since I couldn't find an address for their network operations centre or equivalent) and they claimed that they have no broken hardware ('we use the latest cisco's...' etc), to which I replied with lots of logs showing packet munging. No reply as yet (since 20000504).

I don't want to put the guy's address in this mail. However, if any incidents readers feel like contributing similar logging information to bring some weight to these concerns, drop me a line. Maybe we can make something happen to this 'fount of munged packets' as I seem to remember it being referred to in a previous incidents mail.

cheers,
thomas

On Tue, 9 May 2000, Ed Padin wrote:
I just saw the following hit my firewall:

DATE: May,9,13:54:29
DIRECTION: fw-in
ACTION: deny
INTERFACE: eth1
DESCRIPTION: Internet
PROTOCOL: icmp/120
SOURCE IP: 195.11.172.80
DESTINATION IP: 216.89.84.21
SOURCE PORT: N/A
DESTINATION PORT: N/A
LENGTH: 84
TYPE: 0x00
ID: 40927
TTL: 0x0000
OPT: 246

icmp/120? I'm pretty sure that ICMP types greater than 37 are reserved. Anybody got any ideas what this may be? I wish I had grabbed the packet data.
...... who's watching your watchmen? EF D8 33 68 B3 E3 E9 D2 C1 3E 51 22 8A AA 7B 98