Security Incidents mailing list archives

Protocol 255


From: "Crist J. Clark" <crist.clark () attbi com>
Date: Thu, 11 Jul 2002 14:48:00 -0700

I was looking through my SHADOW logs when I came across what I can
only call some seriously weird shit.

07:26:40.078077 151.1.141.11 > AAA.BBB.152.0:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
0x0000   4500 0030 0000 4000 2eff c069 9701 8d0b        E..0..@....i....
0x0010   AABB 9800 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
0x0020   0000 0000 AABB 9800 0800 817f 7180 0500        .....X......q...
07:26:40.081648 151.1.141.11 > AAA.BBB.152.255:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
0x0000   4500 0030 0000 4000 2eff bf6a 9701 8d0b        E..0..@....j....
0x0010   AABB 98ff 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
0x0020   0000 0000 AABB 98ff 0800 7f7f 7280 0600        .....X......r...
07:26:40.085936 151.1.141.11 > AAA.BBB.153.0:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
0x0000   4500 0030 0000 4000 2eff bf69 9701 8d0b        E..0..@....i....
0x0010   AABB 9900 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
0x0020   0000 0000 AABB 9900 0800 7d7f 7380 0700        .....X....}.s...
07:26:40.090049 151.1.141.11 > AAA.BBB.153.255:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
0x0000   4500 0030 0000 4000 2eff be6a 9701 8d0b        E..0..@....j....
0x0010   AABB 99ff 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
0x0020   0000 0000 AABB 99ff 0800 7b7f 7480 0800        .....X....{.t...
07:26:40.096690 151.1.141.11 > AAA.BBB.154.0:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
0x0000   4500 0030 0000 4000 2eff be69 9701 8d0b        E..0..@....i....
0x0010   AABB 9a00 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
0x0020   0000 0000 AABB 9a00 0800 797f 7580 0900        .....X....y.u...
07:26:40.097397 151.1.141.11 > AAA.BBB.154.255:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
0x0000   4500 0030 0000 4000 2eff bd6a 9701 8d0b        E..0..@....j....
0x0010   AABB 9aff 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
0x0020   0000 0000 AABB 9aff 0800 777f 7680 0a00        .....X....w.v...
07:26:40.107612 151.1.141.11 > AAA.BBB.155.0:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
0x0000   4500 0030 0000 4000 2eff bd69 9701 8d0b        E..0..@....i....
0x0010   AABB 9b00 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
0x0020   0000 0000 AABB 9b00 0800 757f 7780 0b00        .....X....u.w...
07:26:40.117045 151.1.141.11 > AAA.BBB.155.255:  ip-proto-255 28 (DF) (ttl 46, id 0, len 48)
0x0000   4500 0030 0000 4000 2eff bc6a 9701 8d0b        E..0..@....j....
0x0010   AABB 9bff 4500 001c 787e 0000 ff01 4363        .X..E...x~....Cc
0x0020   0000 0000 AABB 9bff 0800 737f 7880 0c00        .....X....s.x...

First off, we have protocol 255 which I believe is an IANA reserved
value. The packets are aimed at the network and broadcast addresses of
consecutive Class C address blocks. OK, that's weird...

Now look at the payload. Let me zero the index on the payload of that
last packet:

0x0000   4500 001c 787e 0000 ff01 4363 0000 0000
0x0010   AABB 9bff 0800 737f 7880 0c00

Look familiar? That's another IP packet in there. To be exact, that's
an ICMP echo request in there with the same destination IP as the
outer datagram, AAA.BBB.155.255, and a source of 0.0.0.0. Also note
that the echo-request identifier and sequence number fields are each
incrementing by 0x100 for each packet. That's probably evidence that
someone didn't do their host order to network order byte switching
properly.

So... What the heck _is_ that? Anyone seen anything like that before?
I've seen weird looking stuff Out There before, but this ranks up
pretty high on the weirdness scale. Oh, the IP address seems to be
from an ISP in Italy. nmap didn't identify the OS, but it looks like
it may be a Linux box from the ports and services offered?
-- 
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org
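As an added example (not part of the post), a Python decoder for the datagrams above: it peels the protocol-255 outer header, the inner IPv4 header and the ICMP echo it carries, then compares the id/seq stride between the first and last capture as read in network order and after swapping the bytes. The `AABB` bytes are the author's sanitised destination prefix and are decoded literally, so checksums are not verified.

```python
import struct
from ipaddress import IPv4Address

# Two of the eight packets from the post, re-typed from their hex dumps (the
# first and the last). "AABB" is the author's sanitised destination prefix and
# decodes literally here as 170.187; checksums therefore cannot be verified.
PKT_FIRST = bytes.fromhex(
    "4500003000004000 2effc06997018d0b aabb98004500001c"
    "787e0000ff014363 00000000aabb9800 0800817f71800500")
PKT_LAST = bytes.fromhex(
    "4500003000004000 2effbc6a97018d0b aabb9bff4500001c"
    "787e0000ff014363 00000000aabb9bff 0800737f78800c00")

def parse_ipv4(buf):
    """Decode a minimal IPv4 header; return (fields, payload up to total length)."""
    vihl, _tos, tot_len, ident, frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    fields = {"len": tot_len, "id": ident, "df": bool(frag & 0x4000), "ttl": ttl,
              "proto": proto, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst))}
    return fields, buf[ihl:tot_len]

def parse_icmp_echo(buf):
    """Decode the 8-byte ICMP echo header (type, code, checksum, id, seq)."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", buf[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq}

def decode_proto255(buf):
    """Peel the outer ip-proto-255 datagram, the inner IPv4 header and the ICMP
    echo it carries. Returns (outer, inner, icmp); icmp is None if not ICMP."""
    outer, payload = parse_ipv4(buf)
    if outer["proto"] != 255:
        raise ValueError("not an ip-proto-255 datagram")
    inner, inner_payload = parse_ipv4(payload)
    icmp = parse_icmp_echo(inner_payload) if inner["proto"] == 1 else None
    return outer, inner, icmp

def echo_stride(pkt_a, pkt_b):
    """Difference of the inner echo id/seq between two packets, read as sent
    (network order) and with the bytes swapped (the sender's host order)."""
    a, b = decode_proto255(pkt_a)[2], decode_proto255(pkt_b)[2]
    def swap(v): return ((v & 0xFF) << 8) | (v >> 8)
    return {"wire": (b["id"] - a["id"], b["seq"] - a["seq"]),
            "swapped": (swap(b["id"]) - swap(a["id"]), swap(b["seq"]) - swap(a["seq"]))}

if __name__ == "__main__":
    for pkt in (PKT_FIRST, PKT_LAST):
        outer, inner, icmp = decode_proto255(pkt)
        print(f"{outer['src']} -> {outer['dst']} proto {outer['proto']} ttl {outer['ttl']}")
        print(f"  inner {inner['src']} -> {inner['dst']} proto {inner['proto']} icmp {icmp}")
    print("stride first->last:", echo_stride(PKT_FIRST, PKT_LAST))
```

The seven packets between the first and last dumps give a wire stride of 0x700 in both fields, which collapses to 7 once the bytes are swapped, matching the post's byte-order reading.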

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
