Snort mailing list archives

Re: Help with Misc Large ICMP Packet (snort log)


From: Rich Adamson <radamson () routers com>
Date: Wed, 10 Oct 2001 08:07:58 -0600

Wally,

I researched this same type of issue a month or so ago. Turned out this
company is using some third-party software that attempts to load balance
multiple data centers scattered around the world by sending huge ICMPs
to customer sites (yours), and measuring the responsiveness (and probably
the TTL) from each of their data centers. You should see these same types of
packets arriving from multiple source IPs, and recurring at regular intervals.

If you chase that a little further by researching the source IPs, you'll
find this company has purchased several other companies (presumably
some .com's that apparently couldn't make it). You are receiving those
ICMPs because someone at your site visited their site at some earlier
time, and their infrastructure is now attempting to load balance their
data center traffic.

Rich

------------------------
Hello,
Our snort log has been kicking these out for a couple of days.  I get about 300 a day from misc
addresses spread all over the Internet.  The packet says to respond to ops () digisle com, but of
course I get no response.  Is this a false positive of some kind?  I thought at first it is
monitoring software but I'm getting so many that I'm starting to wonder.

Thanks in advance.

Wally Hass

[**] MISC Large ICMP Packet [**]
10/10-03:04:34.984262 216.44.45.4 -> 216.217.xx.x
ICMP TTL:239 TOS:0x0 ID:25401 IpLen:20 DgmLen:1020 DF
Type:8  Code:0  ID:22272   Seq:22752  ECHO
6D 61 69 6C 74 6F 3A 6F 70 73 40 64 69 67 69 73  mailto:ops@digis
6C 65 2E 63 6F 6D 20 66 6F 72 20 71 75 65 73 74  le.com for quest
69 6F 6E 73 20 20 20 20 54 68 69 73 20 49 43 4D  ions    This ICM
50 20 45 43 48 4F 20 52 45 51 55 45 53 54 2F 52  P ECHO REQUEST/R
45 50 4C 59 20 69 73 20 70 61 72 74 20 6F 66 20  EPLY is part of
74 68 65 20 72 65 61 6C 2D 74 69 6D 65 20 6E 65  the real-time ne
74 77 6F 72 6B 20 6D 6F 6E 69 74 6F 72 69 6E 67  twork monitoring
70 65 72 66 6F 72 6D 65 64 20 62 79 20 44 69 67  performed by Dig
69 74 61 6C 20 49 73 6C 61 6E 64 20 49 6E 63 2E  ital Island Inc.
20 20 49 74 20 69 73 20 6E 6F 74 20 61 6E 20 61    It is not an a
74 74 61 63 6B 2E 20 20 49 66 20 79 6F 75 20 68  ttack.  If you h
61 76 65 71 75 65 73 74 69 6F 6E 73 20 70 6C 65  avequestions ple
61 73 65 20 63 6F 6E 74 61 63 74 20 6F 70 73 40  ase contact ops@
64 69 67 69 73 6C 65 2E 63 6F 6D 00 00 00 00 00  digisle.com.....
---------------End of Original Message-----------------
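
Added example, not part of the original thread: one way to check the pattern described in the reply (the same packets from multiple source IPs, recurring at regular intervals) over Snort alert text in the layout posted above. The sample alerts are constructed (documentation-range IPs, payload cut to two dump lines), and `parse_alerts`, `summarize` and the 10% jitter threshold are assumptions of this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

HEADER = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
HEXLINE = re.compile(r"^((?:[0-9A-F]{2} ){1,16}) ")  # hex column of a dump line

def _alert(ts, src):
    """Build one constructed alert block (not captured traffic)."""
    return ("[**] MISC Large ICMP Packet [**]\n"
            f"{ts} {src} -> 192.0.2.10\n"
            "ICMP TTL:239 TOS:0x0 ID:25401 IpLen:20 DgmLen:1020 DF\n"
            "Type:8  Code:0  ID:22272   Seq:22752  ECHO\n"
            "6D 61 69 6C 74 6F 3A 6F 70 73 40 64 69 67 69 73  mailto:ops@digis\n"
            "6C 65 2E 63 6F 6D 00 00 00 00 00 00 00 00 00 00  le.com..........\n")

SAMPLE = "".join(_alert(f"10/10-03:{m}:34.984262", s)
                 for s in ("198.51.100.4", "203.0.113.9")
                 for m in ("04", "09", "14"))

def parse_alerts(text):
    """Yield (timestamp, source IP, payload bytes) for each alert block."""
    for block in text.split("[**] MISC Large ICMP Packet [**]")[1:]:
        ts, src, payload = None, None, bytearray()
        for line in block.splitlines():
            m = HEADER.match(line)
            if m:
                ts = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")
                src = m.group(2)
            elif (h := HEXLINE.match(line)):
                payload += bytes.fromhex(h.group(1))
        if ts is not None:
            yield ts, src, bytes(payload)

def summarize(text):
    """Per source: alert count, payload banner, mean gap (s), periodic flag."""
    by_src = defaultdict(list)
    for ts, src, payload in parse_alerts(text):
        by_src[src].append((ts, payload))
    report = {}
    for src, hits in by_src.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        banner = hits[0][1].rstrip(b"\x00").decode("ascii", "replace")
        avg = mean(gaps) if gaps else None
        # Assumed threshold: "regular" means jitter within 10% of the mean gap.
        periodic = bool(gaps) and pstdev(gaps) <= 0.1 * avg
        report[src] = {"count": len(hits), "banner": banner,
                       "mean_gap": avg, "periodic": periodic}
    return report
```

The banner text in the payload is unauthenticated, so treat it as a lead and confirm it against the ownership of the source IPs, as the reply suggests.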

