Re: BAD TRAFFIC 0 ttl

[Jason Dixon <jasondixon () myrealbox com>]

http://www.networkcomputing.com/906/906ws22.html

-Jason

On Fri, 2002-08-23 at 09:15, seren geti wrote:
> Hello all,
>
> I've had this same pattern of traffic appear inside my network on four different occasions and I've found no answer 
> as to what it is, I'm hoping someone here has seen something similar.
>
> This always happens over the midnight hour.  The only things that vary are the length of time and number of different 
> destination IPs.  The destinations are always #.0.1.15.  The source is usually 218 or 65.0.1.0, but always #.0.1.0.   
> The packet data is always the same.
>
> Samples follow.  Any thoughts are greatly appreciated.
>
> Thanks!
>
> Aug 22 23:43:00 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {IGP} 
> 218.0.1.0 -> 14.0.1.15
> Aug 22 23:55:00 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {IGP} 
> 218.0.1.0 -> 8.0.1.15
> Aug 22 23:57:23 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: 
> {SCC-SP} 135.222.10.2 -> 24.175.0.0
> Aug 22 23:58:47 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: 
> {MERIT-INP} 183.144.10.2 -> 29.90.0.0
> Aug 23 00:06:04 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {SEP} 
> 65.0.1.0 -> 3.0.1.15
> Aug 23 00:07:00 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {IGP} 
> 218.0.1.0 -> 4.0.1.15
> Aug 23 00:30:00 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {SEP} 
> 65.0.1.0 -> 3.0.1.15
> Aug 23 00:31:00 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {IGP} 
> 218.0.1.0 -> 11.0.1.15
> Aug 23 00:42:01 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {SEP} 
> 65.0.1.0 -> 7.0.1.15
> Aug 23 00:43:01 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {IGP} 
> 218.0.1.0 -> 0.0.1.15
> Aug 23 00:54:02 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {SEP} 
> 65.0.1.0 -> 0.0.1.15
> Aug 23 00:55:00 xxx snort[26915]: [1:1321:5] BAD TRAFFIC 0 ttl [Classification: Misc activity] [Priority: 3]: {IGP} 
> 218.0.1.0 -> 4.0.1.15
>
>
>
> [**] BAD TRAFFIC 0 ttl [**]
> 08/23-00:06:04.127670 65.0.1.0 -> 3.0.1.15
> SEP TTL:0 TOS:0x0 ID:64698 IpLen:20 DgmLen:229
> Frag Offset: 0x142   Frag Size: 0xD1
> 00 8A 00 8A 00 D1 14 2B 11 1A 9B D4 0A 02 18 20  .......+.......
> 00 8A 00 BB 00 00 20 45 48 45 4F 46 4A 45 4D 46  ...... EHEOFJEMF
> 49 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43  ICACACACACACACAC
> 41 43 41 43 41 43 41 00 20 45 4E 45 44 45 4D 45  ACACACA. ENEDEME
> 45 46 46 46 44 45 42 43 41 43 41 43 41 43 41 43  EFFFDEBCACACACAC
> 41 43 41 43 41 43 41 42 4E 00 FF 53 4D 42 25 00  ACACACABN..SMB%.
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 11 00 00 21 00 00  .............!..
> 00 00 00 00 00 00 00 E8 03 00 00 00 00 00 00 00  ................
> 00 21 00 56 00 03 00 01 00 00 00 02 00 32 00 5C  .!.V.........2.\
> 4D 41 49 4C 53 4C 4F 54 5C 42 52 4F 57 53 45 00  MAILSLOT\BROWSE.
> 01 00 80 FC 0A 00 47 4E 59 4C 58 00 00 00 00 00  ......GNYLX.....
> 00 00 00 00 00 00 04 00 03 10 00 00 0F 01 55 AA  ..............U.
> 00                                               .
>
>
>
> _____________________________________________________________
> Want a new web-based email account ? ---> http://www.firstlinux.net
>
> _____________________________________________________________
> Promote your group and strengthen ties to your members with email () yourgroup org by Everyone.net  
> http://www.everyone.net/?btn=tag
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com