[Dshield] ICMP increase - LOGS

John Sage jsage at finchhaven.com
Mon Aug 18 15:54:01 GMT 2003


Here's what I've seen since about 11:45am PDT 08/17/03, snipped, with
commentary. Executive summary: two of the apparent ICMP PING CyberKit
2.2 Windows variety; everything else is pretty "normal"...

Bring the interesting stuff up to the top:

Here's one:
#
I 2003/08/18 03:30:29.014782 12.80.5.131 -> 12.82.158.246 8:0
  02 00 56 9a aa aa aa aa    aa aa aa aa aa aa aa aa    ..V.............
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa                                           ....            

What's this?
#
I 2003/08/18 04:49:23.227658 141.152.34.27 -> 12.82.158.246 8:0
  03 00 fe 1e 00 75 42 89    24 66 4f 80 b4 76 42 89    .....uB.$fO..vB.
  48 75 42 89 1f c5 61 80    20 c0 ac 88 48 75 42 89    HuB...a. ...HuB.
  00 50 df 7f                                           .P..            

and another:
#
I 2003/08/18 04:59:34.740036 12.80.5.131 -> 12.82.158.246 8:0
  02 00 9b 8b aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa                                           ....            


On Mon, Aug 18, 2003 at 07:57:35AM -0400, Johannes B. Ullrich wrote:
> Over the last few hours, we detected a remarkable increase in ICMP
> traffic. So far I have no idea what this is about. Any insight is
> appreciated.
> 
> (ICMP shows up as 'port 0' in our protocol ignorant graphs. I will try
> and pull some protocol specific data)
> 
> http://www.dshield.org/port_report.php?port=0&recax=1&tarax=1&srcax=2&percent=N&days=1


input: snort.log-Aug.18.07:43
filter: ip and ( icmp )

TTL's exceeded:
#
I 2003/08/17 11:47:38.994648 165.238.140.49 -> 12.82.158.246 11:0
  00 00 00 00 45 00 00 30    00 00 40 00 01 06 15 b1    ....E..0..@.....
  0c 52 9e f6 0c 52 ac 7d    00 87 08 dd 4b d5 75 1b    .R...R.}....K.u.
#
I 2003/08/17 11:49:03.953309 165.238.140.49 -> 12.82.158.246 11:0
  00 00 00 00 45 00 00 30    00 00 40 00 01 06 13 bb    ....E..0..@.....
  0c 52 9e f6 0c 52 ae 73    00 87 05 23 51 69 ee 2b    .R...R.s...#Qi.+
#
I 2003/08/17 12:45:49.850707 165.238.140.17 -> 12.82.158.246 11:0
  00 00 00 00 45 00 00 30    00 00 40 00 01 06 25 4a    ....E..0..@...%J
  0c 52 9e f6 0c 52 9c e4    00 87 05 82 2e f7 4e 82    .R...R........N.
#
I 2003/08/17 12:45:52.791005 165.238.140.17 -> 12.82.158.246 11:0
  00 00 00 00 45 00 00 30    00 00 40 00 01 06 25 4a    ....E..0..@...%J
  0c 52 9e f6 0c 52 9c e4    00 87 05 82 2e f7 4e 82    .R...R........N.
#
I 2003/08/17 12:46:00.061765 165.238.140.17 -> 12.82.158.246 11:0
  00 00 00 00 45 00 00 30    00 00 40 00 01 06 25 4a    ....E..0..@...%J
  0c 52 9e f6 0c 52 9c e4    00 87 05 82 2e f7 4e 82    .R...R........N.

Port unreachable..
#
I 2003/08/17 12:56:58.538913 207.217.126.11 -> 12.82.158.246 3:3
  00 00 00 00 45 00 00 55    00 00 40 00 35 11 4c 6b    ....E..U..@.5.Lk
  0c 52 9e f6 cf d9 7e 0b    0a 60 00 35 00 41 30 06    .R....~..`.5.A0.
  bc 26 00 10 00 01 00 00    00 00 00 01 03 32 32 30    .&...........220
  03 31 32 31 03 32 31 37    03 32 30 37 07 69 6e 2d    .121.217.207.in-
  61 64 64 72 04 61 72 70    61 00 00 0c 00 01 00 00    addr.arpa.......
  29 08 00 00 00 80 00 00                               ).......        

ditto..
#
I 2003/08/17 14:05:37.299021 210.107.128.32 -> 12.82.158.246 3:3
  00 00 00 00 45 00 00 42    00 00 40 00 2c 11 50 d7    ....E..B..@.,.P.
  0c 52 9e f6 d2 6b 80 20    0a 60 00 35 00 2e 9f 85    .R...k. .`.5....
  95 b3 00 10 00 01 00 00    00 00 00 01 03 69 63 75    .............icu
  02 61 63 02 6b 72 00 00    01 00 01 00 00 29 08 00    .ac.kr.......)..
  00 00 80 00 00 00                                     ......          

zzz..
#
I 2003/08/17 14:56:39.401348 165.238.140.17 -> 12.82.158.246 11:0
  00 00 00 00 45 00 00 30    00 00 40 00 01 06 24 46    ....E..0..@...$F
  0c 52 9e f6 0c 52 9d e8    00 87 04 0b 1b 9b e7 c3    .R...R..........

port unreachable..
#
I 2003/08/17 15:09:34.150375 216.183.28.52 -> 12.82.158.246 3:3
  00 00 00 00 45 00 00 50    00 00 40 00 31 11 a9 69    ....E..P..@.1..i
  0c 52 9e f6 d8 b7 1c 34    0a 60 00 35 00 3c ea 63    .R.....4.`.5.<.c
  50 bf 00 10 00 01 00 00    00 00 00 01 0b 6c 62 2d    P............lb-
  31 2d 70 75 62 6c 69 63    07 61 64 2d 66 6c 6f 77    1-public.ad-flow
  03 63 6f 6d 00 00 01 00    01 00 00 29 08 00 00 00    .com.......)....
  80 00 00 00                                           ....            

Speedera pings:
#
I 2003/08/17 15:12:21.287442 65.203.232.2 -> 12.82.158.246 8:0
  21 59 71 61 08 09 0a 0b    0c 0d 0e 0f 10 11 12 13    !Yqa............
  14 15 16 17 18 19 1a 1b    1c 1d 1e 1f 20 21 22 23    ............ !"#
  24 25 26 27 28 29 2a 2b    2c 2d 2e 2f 30 31 32 33    $%&'()*+,-./0123
  34 35 36 37 38 39 3a 3b    3c 3d 3e 3f                456789:;<=>?    
#
<snip>
#
I 2003/08/17 15:12:32.028536 211.13.227.66 -> 12.82.158.246 8:0
  b2 01 fb 06 08 09 0a 0b    0c 0d 0e 0f 10 11 12 13    ................
  14 15 16 17 18 19 1a 1b    1c 1d 1e 1f 20 21 22 23    ............ !"#
  24 25 26 27 28 29 2a 2b    2c 2d 2e 2f 30 31 32 33    $%&'()*+,-./0123
  34 35 36 37 38 39 3a 3b    3c 3d 3e 3f                456789:;<=>?    

TTL exceeded:
#
I 2003/08/17 19:10:07.952620 165.238.140.17 -> 12.82.158.246 11:0
  00 00 00 00 45 00 00 30    00 00 40 00 01 06 25 6d    ....E..0..@...%m
  0c 52 9e f6 0c 52 9c c1    00 87 12 e6 d3 02 cb c9    .R...R..........

port unreachable:
#
I 2003/08/17 20:08:20.068821 207.217.126.11 -> 12.82.158.246 3:3
  00 00 00 00 45 00 00 46    00 00 40 00 35 11 4c 7a    ....E..F..@.5.Lz
  0c 52 9e f6 cf d9 7e 0b    0a 60 00 35 00 32 fc d1    .R....~..`.5.2..
  28 bd 00 10 00 01 00 00    00 00 00 01 09 6e 6f 74    (............not
  6d 79 64 65 73 6b 03 63    6f 6d 00 00 1c 00 01 00    mydesk.com......
  00 29 08 00 00 00 80 00    00 00                      .)........      

TTL exceeded:
#
I 2003/08/17 20:17:11.723043 165.238.140.1 -> 12.82.158.246 11:0
  00 00 00 00 45 00 00 30    00 00 40 00 01 06 30 fe    ....E..0..@...0.
  0c 52 9e f6 0c 52 91 30    00 87 11 f6 d5 e4 5e 3b    .R...R.0......^;

1500 byte ping:
#
I 2003/08/17 21:21:21.515817 193.120.130.210 -> 12.82.158.246 8:0
  9a bc de f0 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
<snip>
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00                                           ....            

hello ping:
#
I 2003/08/17 21:54:11.556694 24.129.188.114 -> 12.82.158.246 8:0
  02 00 06 52 68 65 6c 6c    6f 20 3f 3f 3f             ...Rhello ???   

TTL exceeded:
#
I 2003/08/17 22:01:01.708501 165.238.140.17 -> 12.82.158.246 11:0
  00 00 00 00 45 00 00 30    00 00 40 00 01 06 25 2c    ....E..0..@...%,
  0c 52 9e f6 0c 52 9d 02    00 87 12 3b 5f 1d 76 c5    .R...R.....;_.v.

ditto:
#
I 2003/08/17 22:34:25.862928 165.238.140.17 -> 12.82.158.246 11:0
  00 00 00 00 45 00 00 30    00 00 40 00 01 06 22 d5    ....E..0..@...".
  0c 52 9e f6 0c 52 9f 59    00 87 05 a7 d7 f5 b4 79    .R...R.Y.......y

Here's one:
#
I 2003/08/18 03:30:29.014782 12.80.5.131 -> 12.82.158.246 8:0
  02 00 56 9a aa aa aa aa    aa aa aa aa aa aa aa aa    ..V.............
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa                                           ....            


What's this?
#
I 2003/08/18 04:49:23.227658 141.152.34.27 -> 12.82.158.246 8:0
  03 00 fe 1e 00 75 42 89    24 66 4f 80 b4 76 42 89    .....uB.$fO..vB.
  48 75 42 89 1f c5 61 80    20 c0 ac 88 48 75 42 89    HuB...a. ...HuB.
  00 50 df 7f                                           .P..            

and another:
#
I 2003/08/18 04:59:34.740036 12.80.5.131 -> 12.82.158.246 8:0
  02 00 9b 8b aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa aa aa aa aa    aa aa aa aa aa aa aa aa    ................
  aa aa aa aa                                           ....            

Speedera pings:
#
I 2003/08/18 06:12:53.428707 204.176.88.5 -> 12.82.158.246 8:0
  39 64 fd 99 08 09 0a 0b    0c 0d 0e 0f 10 11 12 13    9d..............
  14 15 16 17 18 19 1a 1b    1c 1d 1e 1f 20 21 22 23    ............ !"#
  24 25 26 27 28 29 2a 2b    2c 2d 2e 2f 30 31 32 33    $%&'()*+,-./0123
  34 35 36 37 38 39 3a 3b    3c 3d 3e 3f                456789:;<=>?    
#
<snip>

1500 byte ping:
#
I 2003/08/18 07:33:06.979767 63.73.131.14 -> 12.82.158.246 8:0
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
<snip>
  00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
  00 00 00 00                                           ....            
exit




- John
-- 
"Warning: time of day goes back, taking countermeasures."
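The sorting John does by hand above (echo requests by payload pattern, errors by what they quote) can be done from the bytes. The script below is an added example, not part of John's post or of any DShield tooling. It parses the dump layout used in the post, skips the `#`, `<snip>` and commentary lines, and labels each record: echo requests by fill pattern (a run of 0xAA, which is the pattern my understanding of the "ICMP PING CyberKit 2.2 Windows" signature keys on; a byte sequence counting up from 0x08; zeros; printable text), and ICMP errors by decoding the IPv4 header and transport ports they quote, plus the DNS question name when the quoted datagram went to port 53. Assumptions: offsets follow RFC 792 (the dump starts after the 4-byte type/code/checksum, so an echo request begins with identifier and sequence, and an error message begins with 4 unused bytes followed by the quoted header); the category names are mine. The sample records are copied from the post, with one record snipped as in the post, so its length is only a lower bound.

```python
"""Triage ICMP dump records in the post's layout ('I date time src -> dst type:code' plus
indented hex lines). Added example, not from the original message; offsets follow RFC 792."""
import re
from collections import Counter, namedtuple
from itertools import takewhile

HEADER_RE = re.compile(r"^I (\S+) (\S+) (\S+) -> (\S+) (\d+):(\d+)\s*$")
HEX_BYTE = re.compile(r"^[0-9a-f]{2}$")
# Constructed sample, copied from the post (one record snipped as in the post; '@' restored).
SAMPLE_DUMP = """\
I 2003/08/18 03:30:29.014782 12.80.5.131 -> 12.82.158.246 8:0
  02 00 56 9a aa aa aa aa    aa aa aa aa aa aa aa aa    ..V.............
<snip>
  aa aa aa aa                                           ....
I 2003/08/17 11:47:38.994648 165.238.140.49 -> 12.82.158.246 11:0
  00 00 00 00 45 00 00 30    00 00 40 00 01 06 15 b1    ....E..0..@.....
  0c 52 9e f6 0c 52 ac 7d    00 87 08 dd 4b d5 75 1b    .R...R.}....K.u.
I 2003/08/17 12:56:58.538913 207.217.126.11 -> 12.82.158.246 3:3
  00 00 00 00 45 00 00 55    00 00 40 00 35 11 4c 6b    ....E..U..@.5.Lk
  0c 52 9e f6 cf d9 7e 0b    0a 60 00 35 00 41 30 06    .R....~..`.5.A0.
  bc 26 00 10 00 01 00 00    00 00 00 01 03 32 32 30    .&...........220
  03 31 32 31 03 32 31 37    03 32 30 37 07 69 6e 2d    .121.217.207.in-
  61 64 64 72 04 61 72 70    61 00 00 0c 00 01 00 00    addr.arpa.......
  29 08 00 00 00 80 00 00                               ).......
I 2003/08/17 15:12:21.287442 65.203.232.2 -> 12.82.158.246 8:0
  21 59 71 61 08 09 0a 0b    0c 0d 0e 0f 10 11 12 13    !Yqa............
  14 15 16 17 18 19 1a 1b    1c 1d 1e 1f 20 21 22 23    ............ !"#
  24 25 26 27 28 29 2a 2b    2c 2d 2e 2f 30 31 32 33    $%&'()*+,-./0123
  34 35 36 37 38 39 3a 3b    3c 3d 3e 3f                456789:;<=>?
"""

IcmpRecord = namedtuple("IcmpRecord", "date time src dst icmp_type icmp_code payload")

def parse_dump(text):
    """One record per header line plus the bytes of the indented hex lines under it."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = IcmpRecord(m[1], m[2], m[3], m[4], int(m[5]), int(m[6]), bytearray())
            records.append(current)
        elif current is not None and line.startswith("  "):  # '#', '<snip>', commentary skipped
            tokens = takewhile(HEX_BYTE.match, line[:52].split())  # hex region; ASCII column follows
            current.payload.extend(int(t, 16) for t in tokens)
    return records

def dns_question(msg):
    pos, labels = 12, []  # first question follows the 12-byte DNS header
    while pos < len(msg) and 0 < msg[pos] < 0xC0:  # labels until the root; no compression pointers
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 3 > len(msg) or msg[pos] != 0:
        return None
    return ".".join(labels) + " qtype=%d" % int.from_bytes(msg[pos + 1:pos + 3], "big")

def quoted_packet(payload):
    """Decode the IPv4 header (and transport ports) an ICMP error quotes after its 4 unused bytes."""
    hdr = payload[4:]
    if len(hdr) < 20 or hdr[0] >> 4 != 4:
        return None
    ihl = (hdr[0] & 0x0F) * 4
    q = {"ttl": hdr[8], "proto": hdr[9],
         "src": ".".join(map(str, hdr[12:16])), "dst": ".".join(map(str, hdr[16:20]))}
    l4 = hdr[ihl:]
    if q["proto"] in (6, 17) and len(l4) >= 4:  # TCP or UDP: ports are the first 4 bytes
        q["sport"], q["dport"] = int.from_bytes(l4[:2], "big"), int.from_bytes(l4[2:4], "big")
        if q["proto"] == 17 and q["dport"] == 53:
            q["dns"] = dns_question(l4[8:])  # UDP header is 8 bytes
    return q

def classify(rec):
    """(category, detail) from the bytes; categories mirror the labels in the post's commentary."""
    if rec.icmp_type == 8:
        data = rec.payload[4:]  # skip identifier and sequence number
        if len(data) >= 16 and data == b"\xaa" * len(data):
            return "echo-aa-fill", "%d bytes of 0xAA" % len(data)
        if data and data == b"\x00" * len(data):
            return "echo-zero-fill", "%d zero bytes" % len(data)
        if 0 < len(data) <= 248 and data == bytes(range(8, 8 + len(data))):
            return "echo-seq-fill", "%d bytes counting up from 0x08" % len(data)
        if data and all(0x20 <= b < 0x7F for b in data):
            return "echo-text", data.decode("ascii")
        return "echo-other", "%d bytes, no recognised pattern" % len(data)
    kind = {3: "unreachable", 11: "ttl-exceeded"}.get(rec.icmp_type, "type-%d" % rec.icmp_type)
    q = quoted_packet(rec.payload) if rec.icmp_type in (3, 11) else None
    if q is None:
        return kind, "code %d, no quoted IPv4 header" % rec.icmp_code
    detail = "code %d: quoted %s -> %s proto %d ttl %d" % (
        rec.icmp_code, q["src"], q["dst"], q["proto"], q["ttl"])
    if "sport" in q:
        detail += " ports %d->%d" % (q["sport"], q["dport"])
    return kind, detail + (" dns %s" % q["dns"] if q.get("dns") else "")

def triage(text):
    # rows: (time, src, 'type:code', category, detail); counts: records per category
    rows = [(r.time, r.src, "%d:%d" % (r.icmp_type, r.icmp_code)) + classify(r) for r in parse_dump(text)]
    return rows, Counter(row[3] for row in rows)
```

Run over the sample, the two error records explain themselves from their quoted bytes: the TTL-exceeded quotes the listener's own TCP segment from port 135 sent with TTL 1, and the port-unreachable from 207.217.126.11 quotes the listener's own UDP datagram to port 53 carrying a PTR query for 220.121.217.207.in-addr.arpa, so neither is inbound probing. Feeding the whole snort.log extract to `triage()` gives the per-category counts that make an "ICMP increase" attributable to one pattern or source rather than to ICMP in general.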



