[Dshield] ICMP increase

Stephane Grobety security at admin.fulgan.com
Mon Aug 18 13:26:44 GMT 2003


JBU> Could you please pass along a few full packets? (either off or on list)

I only got a few hits (about 6 this afternoon). They are all exactly
similar but come from different hosts.

I have checked the TTL of several of these packets and they are
inconsistent with what snort logged, leading me to believe the source
of several of these packets has been spoofed.

Good luck,
Stephane

[**] ICMP PING CyberKit 2.2 Windows [**]
08/18-08:09:18.341024 61.81.14.154 -> 194.38.191.75
ICMP TTL:107 TOS:0x0 ID:51145 IpLen:20 DgmLen:92
Type:8  Code:0  ID:768   Seq:32517  ECHO
0x0000: 00 E0 18 1C 67 2F 00 10 79 65 F4 00 08 00 45 00  ....g/..ye....E.
0x0010: 00 5C C7 C9 00 00 6B 01 BA 7A 3D 51 0E 9A C2 26  .\....k..z=Q...&
0x0020: BF 4B 08 00 20 A5 03 00 7F 05 AA AA AA AA AA AA  .K.. ...........
0x0030: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
0x0040: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
0x0050: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
0x0060: AA AA AA AA AA AA AA AA AA AA                    ..........
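
As an added example (not part of the original post): the Python sketch below decodes the frame from the Snort dump above, verifies the IP and ICMP checksums, and estimates the hop count implied by the logged TTL. The common initial TTLs (64, 128, 255), the hops_disagree helper and its tolerance are assumptions made for illustration.

```python
import re
import struct
# Frame bytes copied from the Snort alert in the post above.
DUMP = r"""
0x0000: 00 E0 18 1C 67 2F 00 10 79 65 F4 00 08 00 45 00  ....g/..ye....E.
0x0010: 00 5C C7 C9 00 00 6B 01 BA 7A 3D 51 0E 9A C2 26  .\....k..z=Q...&
0x0020: BF 4B 08 00 20 A5 03 00 7F 05 AA AA AA AA AA AA  .K.. ...........
0x0030: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
0x0040: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
0x0050: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
0x0060: AA AA AA AA AA AA AA AA AA AA                    ..........
"""
HEX_LINE = re.compile(r"^0x[0-9A-Fa-f]{4}: ((?:[0-9A-Fa-f]{2} ){1,16})")

def parse_dump(text):
    """Return the frame bytes from Snort's hex column, ignoring the ASCII column."""
    rows = (HEX_LINE.match(line) for line in text.splitlines())
    return b"".join(bytes.fromhex(m.group(1)) for m in rows if m)

def inet_checksum_ok(data):
    """RFC 1071: summing data together with its checksum field must give 0xFFFF."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(frame):
    """Decode an Ethernet/IPv4/ICMP frame into the fields relevant to the TTL check."""
    ip = frame[14:]                              # skip the Ethernet header
    ihl = (ip[0] & 0x0F) * 4
    total_len, ttl = struct.unpack("!H", ip[2:4])[0], ip[8]
    icmp = ip[ihl:total_len]
    initial = min(t for t in (64, 128, 255) if t >= ttl)   # assumed OS defaults
    return {
        "src": ".".join(map(str, ip[12:16])),
        "ttl": ttl,
        "est_hops": initial - ttl,
        "ip_csum_ok": inet_checksum_ok(ip[:ihl]),
        "icmp_csum_ok": inet_checksum_ok(icmp),
        "payload_len": len(icmp) - 8,
        "payload_uniform": len(set(icmp[8:])) == 1,
    }

def hops_disagree(est_hops, measured_hops, tolerance=3):
    """Hypothetical helper: flag a source whose measured path length differs."""
    return abs(est_hops - measured_hops) > tolerance

if __name__ == "__main__":
    print(decode(parse_dump(DUMP)))
```

The measured hop count passed to hops_disagree would come from a path measurement toward the claimed source address; routes are often asymmetric, so a small tolerance avoids false alarms.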






