
List:       incidents
Subject:    Re: ddos-stacheldraht server-spoof alerts ( Was: What is this?)
From:       "Stephen P. Berry" <spb () MESHUGGENEH ! NET>
Date:       2001-02-24 5:13:59

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I wrote:

>The interesting thing isn't that they're pinging but rather:
>	-A whole bunch of clients appear to create echo requests
>	 with the same ICMP ID (decimal 666)[-]
>	-Not all clients (or even the majority of them[-]) exhibit
>	 this behaviour

It appears that beta versions of the Macintosh Napster client produce
the described behaviour.  In particular, I've traced back traffic
matching this signature to machines running 1.0 beta 1.  On the wire,
the client appears to identify itself as `MacNap 1.0'.

Example of a matching ICMP packet:

	10:58:53.046737 1.1.1.60 > 2.2.2.18: icmp: echo request (DF)
		4500 0020 62e5 4000 ff01 4eaf 0101 013c
		0202 0212 0800 76e6 029a 0001 3f3f 3f3f
		5555 5555 5555 5555 5555 5555 5555

Someone check me on this, and see if they can reproduce it.






- -Steve


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6l0MOG3kIaxeRZl8RAu2RAKCOPXJpcZXZMZQDsEzy29O8MI6zrwCgpBQc
KTYsFD+Cb7uyYi/+FnSMEPs=
=7tMu
-----END PGP SIGNATURE-----
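
The packet quoted in the message can be decoded field by field to confirm the ICMP ID and to separate the ICMP payload from the bytes captured past the IP total length. This is an added example, not part of the original message; the function names are hypothetical and the hex dump is copied from the message.

```python
import struct

# Hex dump copied from the message above (starts at the IPv4 header).
DUMP = """
4500 0020 62e5 4000 ff01 4eaf 0101 013c
0202 0212 0800 76e6 029a 0001 3f3f 3f3f
5555 5555 5555 5555 5555 5555 5555
"""

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0xffff when data carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_icmp_echo(dump: str) -> dict:
    """Decode an IPv4/ICMP hex dump into the fields relevant to the signature."""
    raw = bytes.fromhex("".join(dump.split()))
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[0] >> 4 != 4 or raw[9] != 1 or total_len < ihl + 8 or total_len > len(raw):
        raise ValueError("not a complete IPv4 ICMP datagram")
    icmp = raw[ihl:total_len]  # honour the IP total length, not the capture length
    itype, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": ".".join(map(str, raw[12:16])),
        "dst": ".".join(map(str, raw[16:20])),
        "ttl": raw[8],
        "type": itype, "code": code, "id": ident, "seq": seq,
        "payload": icmp[8:],         # data inside the ICMP message
        "trailer": raw[total_len:],  # captured bytes beyond the IP datagram
        "icmp_checksum_ok": inet_checksum(icmp) == 0xFFFF,
    }

def matches_signature(pkt: dict, icmp_id: int = 666) -> bool:
    """True for an echo request carrying the ICMP ID described in the thread."""
    return pkt["type"] == 8 and pkt["code"] == 0 and pkt["id"] == icmp_id

if __name__ == "__main__":
    pkt = parse_icmp_echo(DUMP)
    print(pkt, matches_signature(pkt))
```

Only the first 32 bytes belong to the IP datagram, so the ICMP payload is the four `0x3f` bytes; the `0x55` run lies past the IP total length.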
