Security Incidents mailing list archives

Re: More fun stuff from demon internet (ICMP/120 ?)


From: thomas () 88 NET (thomas lakofski)
Date: Fri, 12 May 2000 17:57:31 +0100


I think these things are a common problem.  For any legitimate connection
it seems that often you'll receive a bogus tcp or udp or icmp
packet.  Can't be munging packets completely, or they'd never get to me
(although I guess there could be many I don't see...), but a few of the
headers get swapped about or otherwise corrupted.

I asked them about it via their comments submission page (since I couldn't
find an address for their network operations centre or equivalent) and
they claimed that they have no broken hardware ('we use the latest
cisco's...' etc), to which I replied with lots of logs showing packet
munging.  No reply as yet (since 20000504).

I don't want to put the guy's address in this mail.  However, if any
incidents readers feel like contributing similar logging information to
bring some weight to these concerns, drop me a line.  Maybe we can make
something happen to this 'fount of munged packets' as I seem to remember
it being referred to in a previous incidents mail.

cheers,

thomas

On Tue, 9 May 2000, Ed Padin wrote:

I just saw the following hit my firewall:

DATE: May,9,13:54:29 DIRECTION: fw-in ACTION: deny
INTERFACE: eth1 DESCRIPTION: Internet PROTOCOL: icmp/120
SOURCE IP: 195.11.172.80 DESTINATION IP: 216.89.84.21
SOURCE PORT: N/A DESTINATION PORT: N/A
LENGTH: 84 TYPE: 0x00 ID: 40927 TTL: 0x0000 OPT: 246


icmp/120?  I'm pretty sure that ICMP types greater than 37 are reserved.
Anybody got any ideas what this may be? I wish I had grabbed the packet
data.


......
         who's watching your watchmen?
EF D8 33 68 B3 E3 E9 D2  C1 3E 51 22 8A AA 7B 98
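
Added example, not part of either message: a small Python parser for firewall records in the format quoted above that tallies, per source address, ICMP records whose number has no IANA assignment. It assumes, as the quoted post does, that the number after "icmp/" is the ICMP type; the function names and the second sample record are constructed for illustration.

```python
import re
from collections import Counter

# ICMP types with an IANA assignment (deprecated ones included), listed from
# memory of the registry: an assumption to refresh before relying on it.
ASSIGNED_ICMP_TYPES = {0, 3, 4, 5, 6, *range(8, 19), *range(30, 44), 253, 254}

# Fields look like "SOURCE IP: 195.11.172.80"; keys are upper-case words.
FIELD = re.compile(r"([A-Z][A-Z ]*?):\s+(\S+)")

def parse_records(text):
    """Split the log into dicts; a DATE field starts a new record."""
    records = []
    for key, value in FIELD.findall(text):
        if key == "DATE":
            records.append({})
        if records:
            records[-1][key] = value
    return records

def odd_icmp(record):
    """Return the ICMP number if it has no IANA assignment, else None."""
    proto, _, number = record.get("PROTOCOL", "").partition("/")
    if proto != "icmp" or not number.isdigit():
        return None
    return None if int(number) in ASSIGNED_ICMP_TYPES else int(number)

def summarize(text):
    """Count records with unassigned ICMP types per source address."""
    hits = Counter()
    for rec in parse_records(text):
        if odd_icmp(rec) is not None:
            hits[rec.get("SOURCE IP", "?")] += 1
    return hits

# First record is the one quoted in the post; the second is constructed.
SAMPLE = """\
DATE: May,9,13:54:29 DIRECTION: fw-in ACTION: deny
INTERFACE: eth1 DESCRIPTION: Internet PROTOCOL: icmp/120
SOURCE IP: 195.11.172.80 DESTINATION IP: 216.89.84.21
SOURCE PORT: N/A DESTINATION PORT: N/A
LENGTH: 84 TYPE: 0x00 ID: 40927 TTL: 0x0000 OPT: 246
DATE: May,9,13:55:02 DIRECTION: fw-in ACTION: deny
INTERFACE: eth1 DESCRIPTION: Internet PROTOCOL: icmp/8
SOURCE IP: 192.0.2.10 DESTINATION IP: 198.51.100.5
"""

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

A per-source tally like this is the kind of aggregate that can be shared with an upstream operator without forwarding raw logs.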

