
RE: Strange ICMP: msg#00055

security.intrusions

Subject: RE: Strange ICMP

The packets all have 36 bytes of 0x00. The checksums and IDs do not
appear visually to be crafted, at least there is no pattern I can see.
The TTL values are reasonable based on a traceroute if the initial TTL
was 64. This leads me to believe they are not generated by a Windows
machine, but more likely a Linux, FreeBSD, or *NIX.

Hmmmm!

Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
Buchanan Associates - A Technology Company in the People Business

-----Original Message-----
From: Heather Flanagan [mailto:heather@xxxxxxxx]
Sent: Tuesday, May 18, 2004 12:57 PM
To: Intrusions List (GCIA Practicals)
Subject: Re: [Intrusions] Strange ICMP

Is there anything interesting/unusual about the ping packets themselves?

-heather f.

On May 18, 2004, at 10:48 AM, Ron Shuck wrote:

> Hi,
>
> I am detecting an increased amount of ICMP Ping traffic. The strange
> thing is that there are several sources that are hitting us about 1000
> times a week. All of these sources have a last octet of some form of
> 36 and 37.
>
> 63.163.102.36 & 37
> 216.34.77.36 & 37
> 64.209.232.36 & 37
> 61.213.167.236 & 237
> 193.95.144.136 & 137
>
> These are from different ISPs and in a couple countries. The
> destination is on a Cable Modem that has no inbound access. It's not
> causing an issue, it's just anomalous.
>
> Anyone else seeing this kind of traffic, or have any ideas on the
> origin?
>
>
> Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
> Buchanan Associates - A Technology Company in the People Business
> _______________________________________________
> Intrusions mailing list
> Intrusions@xxxxxxxxxxxxxx
> http://www.dshield.org/mailman/listinfo/intrusions

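Added example, not part of the original thread: a Python sketch of the checks described in the reply at the top (payload content, ICMP checksum, and whether the observed TTL fits an initial TTL of 64 given a traceroute hop count). The default-TTL table, the two-hop tolerance, the sample packet and its documentation-range addresses are assumptions constructed for illustration.

```python
import struct

# Common default initial TTLs (general knowledge, not from the thread):
# 64 = Linux/BSD and most *NIX, 128 = Windows, 255 = some network devices.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_sample(ttl: int, payload: bytes = bytes(36)) -> bytes:
    """Constructed packet: IPv4 + ICMP echo request, 36 bytes of 0x00 by default."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1A2B, 7) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    # IP header checksum is left 0; this example does not validate it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + icmp

def analyze_echo(packet: bytes, traceroute_hops: int, tolerance: int = 2) -> dict:
    """Summarize the traits discussed in the thread for one echo request."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto, icmp = packet[8], packet[9], packet[ihl:]
    if proto != 1 or len(icmp) < 8 or icmp[0] != 8:
        raise ValueError("not an ICMP echo request")
    payload = icmp[8:]
    # Smallest common default that is >= the observed TTL.
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    hops = initial - ttl
    return {
        "ttl": ttl,
        "payload_len": len(payload),
        "payload_all_zero": len(payload) > 0 and not any(payload),
        "checksum_ok": inet_checksum(icmp) == 0,
        "guessed_initial_ttl": initial,
        "hops_implied": hops,
        # Return paths can differ from the traceroute path, hence the tolerance.
        "fits_traceroute": abs(hops - traceroute_hops) <= tolerance,
    }

if __name__ == "__main__":
    print(analyze_echo(build_sample(ttl=51), traceroute_hops=13))
```

An observed TTL of 51 with a 13-hop traceroute fits an initial TTL of 64; the same hop count from a host starting at 128 would arrive with a TTL near 115.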


