RE: Bizarre traffic

["David Gillett" <gillettdavid () fhda edu>]

  A bad NIC is one of the other possibilities on my list. 

  I have difficulty imagining a router or switch doing this
*only* to a specific client machine.

David Gillett


> -----Original Message-----
> From: Brian Rectanus [mailto:brectanu () gmail com] 
> Sent: Friday, February 10, 2006 9:15 PM
> To: incidents () securityfocus com
> Subject: Re: Bizarre traffic
>
> With it cooresponding to network disruptions, similar IPs on 
> your net and conversations looking normal otherwise, have you 
> considered it a router/switch corrupting packets?  Or even 
> the a bad NIC in a machine?
>
> -B
>
> On 2/9/06, David Gillett <gillettdavid () fhda edu> wrote:
> >   Does anybody know of anything (malware, hackware, other?) 
> that would 
> > cause a machine to put out traffic with the first octet of the 
> > destination address (re)set to ZERO?
> >
> >   The traffic I saw all was headed for port 443, and wasn't 
> > decipherable.  The variation in packet size looked like a real 
> > conversation, although return packets (if any) weren't passing my 
> > sniffer.  The destination addresses, sans the bogus first octet, 
> > looked like addresses of a couple of real internal servers (source 
> > address was internal) -- which, however, do not have HTTPS service 
> > active.
> >
> >   [This traffic correlated with various intermittent disruptions of 
> > our network, which stopped when the source machine dropped off the 
> > network.  It later reappeared -- and so did a brief 
> disruption -- long 
> > enough for me to pinpoint and ban it.]
> >
> > David Gillett