[Dshield] Pings

John Sage jsage at finchhaven.com
Sat Nov 1 17:24:38 GMT 2003


Paul:

This is some help.

Given that you seem to be posting from:

Received: from 209-213-81-107.meganet.net (HELO
  banana-jr-6k.nmefdn.org)
 (209.213.81.107) by 0 with SMTP; 31 Oct 2003 16:24:14 -0000

and that all of these originate from 209.21*.*.* at first I'd say
these are the very common Nachia pings from nearby "neighbors" of
yours, but Nachia pings are larger, see below...

(Not recognizing your log format, I don't know if the "36" represents
total datagram length, or only payload length.)

On Fri, Oct 31, 2003 at 11:23:26AM -0500, Paul Marsh wrote:
> Sorry I'm not capturing anything at this time just noticing the activity
> on my firewall.
> 
> 10/31/2003 11:15:39.944 ICMP packet dropped 209.215.101.134, 8, WAN xxx.xxx.xxx.xxx, LAN 'Ping' 36
> 10/31/2003 11:14:24.464 ICMP packet dropped 209.215.136.220, 8, WAN xxx.xxx.xxx.xxx, LAN 'Ping' 36
> 10/31/2003 11:13:13.384 ICMP packet dropped 209.210.86.66, 8, WAN xxx.xxx.xxx.xxx, LAN 'Ping' 36
> 10/31/2003 11:11:12.336 ICMP packet dropped 209.210.84.72, 8, WAN xxx.xxx.xxx.xxx, LAN 'Ping' 36

Here's a Nachia ping:

10/29-00:14:38.574214 12.80.29.242 -> 12.82.157.166
ICMP TTL:119 TOS:0x0 ID:37607 IpLen:20 DgmLen:92
Type:8  Code:0  ID:1280   Seq:54659  ECHO
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................

Take out the IP header length of 20 and the ICMP ping "header" of 8, and
you have what's shown here as "AA AA AA..." -- the payload of length
64.


For yours, either take out 20 and 8 and -- what? -- the payload is 12
long for a total datagram length of 36; or, is it the payload that is
36 long, making the entire datagram length of what you're seeing 64?

Can you get any full packet captures?


- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
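The length arithmetic John walks through above (datagram length minus the 20-byte IP header minus the 8-byte ICMP echo header equals the payload), applied to a Snort-style ICMP dump, as an added example that is not part of the original post. The parser, the `looks_like_nachi` heuristic and the sample dump below are mine; the dump reproduces the packet shown in the message.

```python
import re

# Constructed sample: the Snort-style ICMP echo dump quoted in the post.
SNORT_DUMP = """\
10/29-00:14:38.574214 12.80.29.242 -> 12.82.157.166
ICMP TTL:119 TOS:0x0 ID:37607 IpLen:20 DgmLen:92
Type:8  Code:0  ID:1280   Seq:54659  ECHO
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  ................
"""

ICMP_ECHO_HEADER_LEN = 8  # type(1) + code(1) + checksum(2) + id(2) + seq(2)


def parse_snort_icmp(dump):
    """Parse a Snort ICMP packet dump into header fields plus raw payload bytes."""
    lines = dump.strip().splitlines()
    ip = re.search(r"IpLen:(\d+)\s+DgmLen:(\d+)", lines[1])
    icmp = re.search(r"Type:(\d+)\s+Code:(\d+)", lines[2])
    payload = bytearray()
    for line in lines[3:]:
        # Snort separates the hex column from the ASCII rendering with two spaces.
        hex_part = line.split("  ")[0]
        payload.extend(bytes.fromhex(hex_part.replace(" ", "")))
    return {
        "ip_len": int(ip.group(1)),
        "dgm_len": int(ip.group(2)),
        "type": int(icmp.group(1)),
        "code": int(icmp.group(2)),
        "payload": bytes(payload),
    }


def payload_len_from_headers(ip_len, dgm_len):
    """Payload length implied by the IP header fields: total minus IP and ICMP headers."""
    return dgm_len - ip_len - ICMP_ECHO_HEADER_LEN


def looks_like_nachi(pkt):
    """Heuristic from the post: echo request, 92-byte datagram, 64 bytes of 0xAA.

    Also cross-checks that the dumped payload is as long as the headers claim.
    """
    plen = payload_len_from_headers(pkt["ip_len"], pkt["dgm_len"])
    return (pkt["type"] == 8 and pkt["code"] == 0 and plen == 64
            and len(pkt["payload"]) == plen and set(pkt["payload"]) == {0xAA})
```

Run against a firewall that only reports one length figure, the same arithmetic tells you whether that figure is the datagram or the payload: only one reading will agree with the bytes in a full capture.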



