Security Incidents mailing list archives

Strange ICMP packets


From: "Portnoy, Gary" <gportnoy () BELENOSINC COM>
Date: Fri, 16 Feb 2001 17:15:06 -0500

Hi there,

For the past few days, I've been seeing a lot of strange ICMP packets
blocked by my firewall.  The strangeness is in the fact that they appear
to be ICMP packets (IP protocol=1), but there is no ICMP payload...
They come at the rate of about 2-3 per second, the source IP always
different, never repeating...  For some reason Checkpoint reports it as
icmp-type 8 code 0 (Echo Request), but there is nothing in the packet
that can confirm that.  I am guessing it's a Checkpoint bug...  I got
the following two packet captures using snoop; one is of the strange
packet that I am talking about, and the other is of me generating an
echo request (notice the ICMP section in the second, but not the
first)...

Suspect packet:

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 1 arrived at 17:05:16.57
ETHER:  Packet size = 60 bytes
ETHER:  Destination = 8:0:20:d9:22:e8, Sun
ETHER:  Source      = 0:2:4b:d2:cf:c0,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 28 bytes
IP:   Identification = 62524
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 117 seconds/hops
IP:   Protocol = 1 (ICMP)
IP:   Header checksum = f4db
IP:   Source address = 216.45.66.230, 216.45.66.230
IP:   Destination address = x.y.z.196, x.y.z.196
IP:   No options
IP:

Normal echo request:

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 5 arrived at 17:05:46.57
ETHER:  Packet size = 74 bytes
ETHER:  Destination = 8:0:20:d9:22:e8, Sun
ETHER:  Source      = 0:2:4b:d2:cf:c0,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 60 bytes
IP:   Identification = 14412
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 19 seconds/hops
IP:   Protocol = 1 (ICMP)
IP:   Header checksum = 7c67
IP:   Source address = a.b.c.62, a.b.c.62
IP:   Destination address = x.y.z.196, x.y.z.196
IP:   No options
IP:
ICMP:  ----- ICMP Header -----
ICMP:
ICMP:  Type = 8 (Echo request)
ICMP:  Code = 0
ICMP:  Checksum = c856
ICMP:

Any ideas?

Gary Portnoy
Network Administrator
617-345-6252
gportnoy () belenosinc com
www.belenosinc.com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C

Attachment: smime.p7s
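Added example, not part of Gary's post or of snoop: a small Python analyzer that makes the check explicit when a firewall and a sniffer disagree about what an IP protocol 1 datagram contains. It strips the Ethernet header, validates the IP header checksum, bounds the payload by the IP total length rather than the frame size (a 60-byte frame carrying a 28-byte datagram is mostly link-layer padding, which must never be decoded as ICMP), and only then reads an ICMP type and code. Three frames are constructed inline to mirror the captures above: protocol 1 with nothing after the 20-byte header, the suspect capture's total length of 28 (which leaves exactly 8 bytes, the size of a bare ICMP header with no data), and the normal 60-byte echo request. The MAC addresses, TTLs, identification values and 216.45.66.230 are taken from the captures; 10.0.0.196 and 192.0.2.62 are placeholders for x.y.z.196 and a.b.c.62.

```python
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IP = 0x0800
IPPROTO_ICMP = 1
ICMP_HDR_LEN = 8
MIN_ETH_FRAME = 60   # short frames are padded to this on the wire
ICMP_TYPES = {0: "Echo reply", 3: "Destination unreachable",
              8: "Echo request", 11: "Time exceeded"}


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over data whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int = 0x1234, seq: int = 1, data: bytes = b"") -> bytes:
    """Constructed ICMP echo request (type 8, code 0) with a valid checksum."""
    csum = ones_complement_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + data


def build_frame(src_ip: str, dst_ip: str, payload: bytes, ttl: int, ident: int) -> bytes:
    """Constructed Ethernet frame carrying an IPv4 datagram of protocol 1 (ICMP)."""
    total_length = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, 0, ttl,
                      IPPROTO_ICMP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    # MAC addresses from the snoop output; pad the frame the way the wire would
    eth = bytes.fromhex("080020d922e8") + bytes.fromhex("00024bd2cfc0") + struct.pack("!H", ETHERTYPE_IP)
    return (eth + hdr + payload).ljust(MIN_ETH_FRAME, b"\x00")


def analyze_frame(frame: bytes) -> dict:
    """Classify a captured frame: no ICMP header, bare ICMP header, or ICMP with data."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        return {"verdict": "not-ip"}
    ip = frame[ETH_HDR_LEN:]
    ver_ihl, _, total_length, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    result = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto,
        "total_length": total_length,
        "header_ok": ones_complement_checksum(ip[:ihl]) == 0,
        "truncated": total_length > len(ip),          # capture shorter than the datagram claims
    }
    if proto != IPPROTO_ICMP:
        result["verdict"] = "not-icmp"
        return result
    # Only bytes inside the IP total length belong to the datagram; the rest is link-layer padding.
    payload = ip[ihl:total_length]
    result["payload_len"] = len(payload)
    result["padding_len"] = max(0, len(ip) - total_length)
    if len(payload) < ICMP_HDR_LEN:
        result["verdict"] = "no-icmp-header"   # protocol 1 but nothing to decode
        return result
    icmp_type, icmp_code, _ = struct.unpack("!BBH", payload[:4])
    result.update({
        "icmp_type": icmp_type, "icmp_code": icmp_code,
        "icmp_name": ICMP_TYPES.get(icmp_type, "other"),
        "icmp_checksum_ok": ones_complement_checksum(payload) == 0,
    })
    result["verdict"] = "icmp-header-only" if len(payload) == ICMP_HDR_LEN else "icmp"
    return result


# Constructed samples modelled on the post's captures; 10.0.0.196 stands in for x.y.z.196.
SUSPECT_NO_ICMP = build_frame("216.45.66.230", "10.0.0.196", b"", ttl=117, ident=62524)
SUSPECT_HEADER_ONLY = build_frame("216.45.66.230", "10.0.0.196", build_icmp_echo(), ttl=117, ident=62524)
NORMAL_ECHO = build_frame("192.0.2.62", "10.0.0.196", build_icmp_echo(data=bytes(range(32))), ttl=19, ident=14412)

if __name__ == "__main__":
    for name, frame in [("suspect, no ICMP", SUSPECT_NO_ICMP),
                        ("suspect, 28-byte datagram", SUSPECT_HEADER_ONLY),
                        ("normal echo", NORMAL_ECHO)]:
        print(name, len(frame), "bytes:", analyze_frame(frame))
```

The verdicts separate the three cases a firewall log line like "icmp-type 8 code 0" cannot: a datagram with no ICMP header at all, a bare 8-byte header, and a full echo request. When comparing a firewall's report against a sniffer, the total length and padding fields are the numbers to line up first, since each tool may be reading a different slice of the same 60-byte frame.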