Security Incidents mailing list archives
ICMP Src IP = Dst IP (not a Land attack)
From: <mtoren () hotmail com>
Date: 21 Feb 2002 18:41:33 -0000
This is an ICMP Fragmentation Needed/DF set message, but the source and destination IP addresses are the same. This is not a land attack, as it is ICMP. This is the external IP of an Arrowpoint (Cisco CSS) load balancer. The TTL of 53 doesn't look like an initial TTL, which leads me to believe that it was not generated by the load balancer itself, or even the clients directly behind it. There are two different IP ID numbers for the six alerts (46555 and 46636). There are also two different data payloads, but notice that the payloads and IP ID number do not match for all of the alerts (i.e. the first and last alert have the same IP ID, but a different payload). This was detected with Snort, and the output is from the ACID email full alert option.

Any ideas?

Thanks!

Monte Toren
mtoren () hotmail com

------------------------------------------------------------------------------
#(2 - 30338) [2002-02-20 14:59:28]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46555 flags=0 offset=0 TTL=53 chksum=6190
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=59284 id= seq=
Payload: length = 4
000 : 59 60 BC 06                                        Y`..

------------------------------------------------------------------------------
#(2 - 30339) [2002-02-20 14:59:28]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46555 flags=0 offset=0 TTL=53 chksum=6190
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=59284 id= seq=
Payload: length = 4
000 : 59 60 BC 06                                        Y`..

------------------------------------------------------------------------------
#(2 - 30340) [2002-02-20 14:59:29]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46636 flags=0 offset=0 TTL=53 chksum=6109
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=11154 id= seq=
Payload: length = 4
000 : 59 8A 77 DF

------------------------------------------------------------------------------
#(2 - 30341) [2002-02-20 14:59:29]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46636 flags=0 offset=0 TTL=53 chksum=6109
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=11154 id= seq=
Payload: length = 4
000 : 59 8A 77 DF                                        Y.w.

------------------------------------------------------------------------------
#(2 - 30342) [2002-02-20 14:59:30]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46655 flags=0 offset=0 TTL=53 chksum=6090
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=9693 id= seq=
Payload: length = 4
000 : 59 8A 7D 94                                        Y.}.

------------------------------------------------------------------------------
#(2 - 30343) [2002-02-20 14:59:30]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46655 flags=0 offset=0 TTL=53 chksum=6090
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=9693 id= seq=
Payload: length = 4
000 : 59 8A 7D 94                                        Y.}.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
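As an added example (not code from the post, from Snort or from ACID), a small Python parser for the ACID full-alert records quoted above: it groups the six alerts by IP ID so the ID/payload pairing can be checked directly, and decodes the four printed payload bytes as the ICMP unused/next-hop-MTU field, since dlen=28 with hlen=5 leaves only 8 ICMP bytes. It assumes the records are supplied one per line, as embedded below.

```python
import re
from collections import defaultdict

# Constructed input: the six ACID "email full alert" entries quoted in the
# post, each collapsed onto one line so the parser can be run offline.
ALERT_TEXT = """
#(2 - 30338) [2002-02-20 14:59:28] MISC same SRC/DST IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD hlen=5 TOS=0 dlen=28 ID=46555 flags=0 offset=0 TTL=53 chksum=6190 ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set checksum=59284 id= seq= Payload: length = 4 000 : 59 60 BC 06 Y`..
#(2 - 30339) [2002-02-20 14:59:28] MISC same SRC/DST IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD hlen=5 TOS=0 dlen=28 ID=46555 flags=0 offset=0 TTL=53 chksum=6190 ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set checksum=59284 id= seq= Payload: length = 4 000 : 59 60 BC 06 Y`..
#(2 - 30340) [2002-02-20 14:59:29] MISC same SRC/DST IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD hlen=5 TOS=0 dlen=28 ID=46636 flags=0 offset=0 TTL=53 chksum=6109 ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set checksum=11154 id= seq= Payload: length = 4 000 : 59 8A 77 DF
#(2 - 30341) [2002-02-20 14:59:29] MISC same SRC/DST IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD hlen=5 TOS=0 dlen=28 ID=46636 flags=0 offset=0 TTL=53 chksum=6109 ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set checksum=11154 id= seq= Payload: length = 4 000 : 59 8A 77 DF Y.w.
#(2 - 30342) [2002-02-20 14:59:30] MISC same SRC/DST IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD hlen=5 TOS=0 dlen=28 ID=46655 flags=0 offset=0 TTL=53 chksum=6090 ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set checksum=9693 id= seq= Payload: length = 4 000 : 59 8A 7D 94 Y.}.
#(2 - 30343) [2002-02-20 14:59:30] MISC same SRC/DST IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD hlen=5 TOS=0 dlen=28 ID=46655 flags=0 offset=0 TTL=53 chksum=6090 ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set checksum=9693 id= seq= Payload: length = 4 000 : 59 8A 7D 94 Y.}.
"""

FIELDS = re.compile(
    r"#\((?P<sensor>\d+) - (?P<sid>\d+)\) \[(?P<ts>[^\]]+)\] (?P<sig>.+?) "
    r"IPv4: (?P<src>\S+) -> (?P<dst>\S+) hlen=(?P<hlen>\d+) .*?dlen=(?P<dlen>\d+) "
    r"ID=(?P<ipid>\d+) .*?TTL=(?P<ttl>\d+) .*?type=(?P<type>.+?) code=(?P<code>.+?) "
    r"checksum=.*?Payload: length = (?P<plen>\d+) 000 : (?P<hexline>.*)")

def parse_alerts(text):
    """Parse ACID full-alert records into dicts; payload is the first plen bytes."""
    alerts = []
    for line in text.strip().splitlines():
        m = FIELDS.search(line)
        if not m:
            continue  # separators and anything that is not an alert record
        a = m.groupdict()
        for k in ("sid", "hlen", "dlen", "ipid", "ttl", "plen"):
            a[k] = int(a[k])
        tokens = a.pop("hexline").split()[:a["plen"]]  # drop the ASCII dump
        a["payload"] = bytes(int(t, 16) for t in tokens)
        alerts.append(a)
    return alerts

def analyse(alerts):
    """Facts a responder would check before deciding what sent these packets."""
    payloads_by_ipid = defaultdict(set)
    for a in alerts:
        payloads_by_ipid[a["ipid"]].add(a["payload"].hex())
    return {
        "same_src_dst": all(a["src"] == a["dst"] for a in alerts),
        "ttls": sorted({a["ttl"] for a in alerts}),
        "payloads_by_ipid": {k: sorted(v) for k, v in payloads_by_ipid.items()},
        # 8 ICMP bytes total, 4 printed, so the "payload" is ICMP bytes 4-7: two
        # unused bytes then the next-hop MTU (RFC 1191). A genuine Frag Needed
        # message also quotes the original IP header + 8 bytes after that.
        "next_hop_mtu": sorted({int.from_bytes(a["payload"][2:4], "big") for a in alerts}),
        "quoted_datagram_present": any(a["dlen"] - 4 * a["hlen"] > 8 for a in alerts),
    }
```

For these records every IP ID maps to exactly one payload, the decoded "MTU" values are far above any real link MTU, and no quoted original datagram is present, which is the kind of inconsistency worth noting before attributing the packets to PMTU discovery.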
Current thread:
- ICMP Src IP = Dst IP (not a Land attack) mtoren (Feb 22)