List:       focus-ids
Subject:    Re: [Q] What could cause these?
From:       Mark Elliott <marke () cwhost ! com>
Date:       2001-01-24 1:27:30

Try http://www.sys-security.com  my mind was elsewhere yesterday :-)

---------- Original Message ----------------------------------
From: "Ashworth, Robert C. [Contractor]" <ashwortr@spawar.navy.mil>
Date: Tue, 23 Jan 2001 08:43:20 -0500

I tried to access the site but couldn't... is it still active?  Do you have
a copy of the paper?

-----Original Message-----
From: Mark Elliott [mailto:marke@cwhost.com]
Sent: Monday, January 22, 2001 9:34 PM
To: FOCUS-IDS@SECURITYFOCUS.COM
Subject: Re: [Q] What could cause these?


Ditto from me.  Personally, I think you should check www.sys-internals.com -
they have an excellent paper on using ICMP to scan networks behind a
firewall. The technique, if it is what (IMHO) I think it is, was introduced
as a proof of concept at Black Hat Amsterdam last October.

Good luck!!

Mark


---------- Original Message ----------------------------------
From: stefmit@IX.NETCOM.COM
Reply-To: stefmit@IX.NETCOM.COM
Date:         Mon, 22 Jan 2001 12:46:48 -0600

	As of last week I started seeing roughly 20-30MB/day of snort
logs for all my DMZ machines, with the following three types of
packets (NOTE: I use private IP addressing scheme for internal
machines):

----- 1st type: from DMZ machines to internal machines OR Internet valid IP addresses -----

[**] ICMP Unknown Type [**]
01/11-09:13:05.662324 8:0:36:1:2:A8 -> 8:0:20:90:31:78
type:0x800 len:0x5EA
DMZ machine -> random (?!?) IP of internal hosts OR valid routable
IP addresses (random?!?)
ICMP TTL:128 TOS:0x0 ID:19309  DF
ID:48282   Seq:61662  ECHO REPLY
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
and on and on ... until the whole length (0x5EA = 1514 decimal)

----- 2nd type: DMZ machines to internal hosts -----

[**] ICMP Unknown Type [**]
01/11-09:43:46.711544 0:E0:29:16:BA:CE -> 8:0:20:90:31:78
type:0x800 len:0x4A
DMZ machine -> internal machines
ICMP TTL:128 TOS:0x0 ID:56701
ID:1   Seq:2  ECHO REPLY
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

----- 3rd type: DMZ machines to internal name servers -----

[**] ICMP Destination Unreachable (Precedence Cutoff in effect) [**]
01/18-10:49:15.773963 0:D0:B7:44:2A:53 -> 8:0:20:90:31:78
type:0x800 len:0x46
DMZ machines -> internal name servers
ICMP TTL:128 TOS:0x0 ID:31815
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 49 07 2B 00 00 7E 11 EA C0  ....E..I.+..~...
AC 10 04 B5 CD DB CC 17 00 35 08 BD 00 35 60 A2  .........5...5`.

... and I am talking of literally tens of megs of logs of these daily.
Any idea what could cause such behavior? Anybody familiar with
these? I have looked up the whitehats site, but the only one of the above
mentioned there is the middle one, which looks like W2K problems ?!?

	TIA,
	Stef
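Added example, not part of the thread and not Snort's own code: a small Python triage script for the three alert types quoted in Stef's post. It parses Snort's hex-dump format, classifies echo-reply payloads (all zeros, as in the 1st type, versus the well-known Windows ping.exe fill "abcdefghijklmnopqrstuvwabcdefghi" seen in the 2nd), decodes the original datagram quoted inside the port-unreachable of the 3rd type, and pairs echo replies against observed echo requests so that replies with no matching request stand out. The two dumps are copied from the 2nd and 3rd alerts; the addresses and the echo request in the event list are made up, since the post names no IP addresses.

```python
import re
import socket
import struct

# Snort prints 16 hex bytes per line followed by an ASCII column; the hex
# occupies the first 48 characters of each line.
HEX_PAIR = re.compile(r"\b[0-9A-Fa-f]{2}\b")

# Constructed samples: the two dumps are copied from the 2nd and 3rd alert in
# the post; the event list uses made-up addresses because the post gives none.
WIN_PING_DUMP = """
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi
"""
UNREACH_DUMP = """
00 00 00 00 45 00 00 49 07 2B 00 00 7E 11 EA C0  ....E..I.+..~...
AC 10 04 B5 CD DB CC 17 00 35 08 BD 00 35 60 A2  .........5...5`.
"""
SAMPLE_EVENTS = [  # (src, dst, Snort type name, ICMP ID, ICMP Seq)
    ("10.0.0.5", "192.168.1.20", "ECHO", 1, 2),                # assumed request
    ("192.168.1.20", "10.0.0.5", "ECHO REPLY", 1, 2),          # answers it
    ("192.168.1.20", "10.0.0.9", "ECHO REPLY", 48282, 61662),  # ID/Seq of the 1st alert, no request seen
]


def hexdump_to_bytes(dump):
    """Turn a Snort-style hex dump (hex column, then ASCII column) into bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out.extend(int(h, 16) for h in HEX_PAIR.findall(line.strip()[:48]))
    return bytes(out)


def classify_echo_payload(payload):
    """Label an echo/echo-reply payload: 'zero-filled' (1st type in the post),
    'windows-ping' (2nd type: ping.exe cycles through 'a'..'w'), else 'other'."""
    if not payload:
        return "empty"
    if payload.count(0) == len(payload):
        return "zero-filled"
    if all(b == ord("a") + i % 23 for i, b in enumerate(payload)):
        return "windows-ping"
    return "other"


def decode_unreachable(icmp_body):
    """Decode what an ICMP Destination Unreachable is complaining about:
    4 unused bytes, then the original IP header, then the first 8 bytes of
    the original transport header (RFC 792), as in the 3rd type in the post."""
    inner = icmp_body[4:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ttl": ttl, "proto": proto, "total_len": total_len}
    if proto in (6, 17):  # TCP/UDP: ports are the first two 16-bit fields
        info["sport"], info["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info


def unsolicited_replies(events):
    """Return echo replies that no earlier echo request on the reverse flow
    accounts for.  The alerts in the post show only replies, so pairing
    ID/Seq against observed requests is the cheapest way to separate a late
    or one-sided ping from traffic that rides on echo replies alone."""
    outstanding = set()
    unsolicited = []
    for src, dst, kind, ident, seq in events:
        if kind == "ECHO":
            outstanding.add((src, dst, ident, seq))
        elif kind == "ECHO REPLY":
            key = (dst, src, ident, seq)  # a reply reverses the request's flow
            if key in outstanding:
                outstanding.discard(key)
            else:
                unsolicited.append((src, dst, ident, seq))
    return unsolicited


if __name__ == "__main__":
    # 1st type: a 1514-byte frame leaves 1472 bytes of ICMP payload (1514 - 14 - 20 - 8)
    print(classify_echo_payload(bytes(1472)))
    print(classify_echo_payload(hexdump_to_bytes(WIN_PING_DUMP)))  # 2nd type
    print(decode_unreachable(hexdump_to_bytes(UNREACH_DUMP)))      # 3rd type
    print(unsolicited_replies(SAMPLE_EVENTS))
```

Decoding the 3rd alert this way shows the unreachable quotes a UDP datagram from 172.16.4.181 port 53 to 205.219.204.23 port 2237 with TTL 126: a DNS answer from the internal name server to a port on the DMZ host, which answered with port unreachable because nothing was listening there any more. The ID/Seq pairing is only as good as the capture position; if Snort never sees the request direction, every reply will look unsolicited, so check where the sensor sits before reading much into that list.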
