Security Incidents mailing list archives

ICMP Src IP = Dst IP (not a Land attack)


From: <mtoren () hotmail com>
Date: 21 Feb 2002 18:41:33 -0000





This is an ICMP “Fragmentation Needed/DF set” 
message, but the source and destination IP 
addresses are the same.  This is not a land 
attack, as it is ICMP.

This is the external IP of an Arrowpoint (Cisco 
CSS) load balancer.   The TTL of 53 doesn’t look 
like an initial TTL, which leads me to believe that 
it was not generated by the load balancer itself, 
or even the clients directly behind it.  There are 
two different IP ID numbers for the six alerts 
(46555 and 46636).  There are also two different 
data payloads, but notice that the payloads and 
IP ID number do not match for all of the alerts (i.e. 
the first and last alert have the same IP ID, but a 
different payload).

This was detected with Snort, and the output is 
from the ACID ‘email full alert’ option.

Any ideas?

Thanks!
Monte Toren
mtoren () hotmail com

------------------------------------------------------------------------------
#(2 - 30338) [2002-02-20 14:59:28]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46555 flags=0 offset=0 TTL=53 chksum=6190
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=59284 id= seq=
Payload:  length = 4

000 : 59 60 BC 06                                       Y`..

------------------------------------------------------------------------------
#(2 - 30339) [2002-02-20 14:59:28]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46555 flags=0 offset=0 TTL=53 chksum=6190
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=59284 id= seq=
Payload:  length = 4

000 : 59 60 BC 06                                       Y`..

------------------------------------------------------------------------------
#(2 - 30340) [2002-02-20 14:59:29]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46636 flags=0 offset=0 TTL=53 chksum=6109
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=11154 id= seq=
Payload:  length = 4

000 : 59 8A 77 DF

------------------------------------------------------------------------------
#(2 - 30341) [2002-02-20 14:59:29]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46636 flags=0 offset=0 TTL=53 chksum=6109
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=11154 id= seq=
Payload:  length = 4

000 : 59 8A 77 DF                                       Y.w.

------------------------------------------------------------------------------
#(2 - 30342) [2002-02-20 14:59:30]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46655 flags=0 offset=0 TTL=53 chksum=6090
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=9693 id= seq=
Payload:  length = 4

000 : 59 8A 7D 94                                       Y.}.

------------------------------------------------------------------------------
#(2 - 30343) [2002-02-20 14:59:30]  MISC same SRC/DST
IPv4: AAA.BBB.CCC.DDD -> AAA.BBB.CCC.DDD
      hlen=5 TOS=0 dlen=28 ID=46655 flags=0 offset=0 TTL=53 chksum=6090
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=9693 id= seq=
Payload:  length = 4

000 : 59 8A 7D 94                                       Y.}.





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
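
An added triage example, not part of the original post: it takes the fields of the six alerts above and checks how many distinct (IP ID, payload) pairs they contain, whether each ICMP checksum is valid over the 8 ICMP bytes implied by dlen=28 and hlen=5, and how far the packet may have travelled for TTL=53. The function names and the list of common initial TTLs (64, 128, 255) are assumptions of this example.

```python
from collections import Counter

# (event, IP ID, IP header checksum, ICMP checksum, payload hex), copied from
# the six alerts in the post. Helper names below are this example's own.
ALERTS = [
    (30338, 46555, 6190, 59284, "5960BC06"),
    (30339, 46555, 6190, 59284, "5960BC06"),
    (30340, 46636, 6109, 11154, "598A77DF"),
    (30341, 46636, 6109, 11154, "598A77DF"),
    (30342, 46655, 6090, 9693, "598A7D94"),
    (30343, 46655, 6090, 9693, "598A7D94"),
]
ICMP_TYPE, ICMP_CODE = 3, 4   # Destination Unreachable / Fragmentation Needed
OBSERVED_TTL = 53

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an even-length byte string."""
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_checksum_ok(icmp_csum: int, payload_hex: str) -> bool:
    """True if the logged checksum covers only type, code, a zeroed checksum
    field and the 4 payload bytes, i.e. an 8-byte ICMP message."""
    msg = bytes([ICMP_TYPE, ICMP_CODE, 0, 0]) + bytes.fromhex(payload_hex)
    return inet_checksum(msg) == icmp_csum

def distinct_packets(alerts) -> Counter:
    """Number of alerts seen for each (IP ID, payload) pair."""
    return Counter((ip_id, payload) for _, ip_id, _, _, payload in alerts)

def id_checksum_sums(alerts) -> set:
    """IP ID + header checksum per alert. A single value is consistent with
    the ID being the only header field that changed between packets."""
    return {ip_id + csum for _, ip_id, csum, _, _ in alerts}

def hop_estimates(ttl: int) -> dict:
    """Hops travelled for each common initial TTL (assumed: 64, 128, 255)."""
    return {init: init - ttl for init in (64, 128, 255) if init >= ttl}

if __name__ == "__main__":
    for pair, count in distinct_packets(ALERTS).items():
        print(pair, "seen", count, "times")
    print("ICMP checksums valid:", all(icmp_checksum_ok(a[3], a[4]) for a in ALERTS))
    print("ID + header checksum:", id_checksum_sums(ALERTS))
    print("hop estimates:", hop_estimates(OBSERVED_TTL))
```

A checksum that validates over those 8 bytes means the message carries no quoted IP header from an original datagram, which an ICMP Destination Unreachable normally includes.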

