[Dshield] Request for Information re: Linksys Router Logging

Jeff Kell jeff-kell at utc.edu
Fri Oct 17 14:10:13 GMT 2003


John Holmblad wrote:

> Mark,
> 
> you are absolutely right regarding potential  threats from the inside 
> the firewall as a result of trojans, etc.
> 
> Interestingly, I am working with AOL right now on an anomaly that my 
> Linksys router detected as having the signature of a "smurf" attack 
> coming from my network headed toward the Internet. This anomaly started 
> about two months ago. Until a few weeks ago ( when I rediscovered 
> Netscape Navigator/Communicator after the disaster of V6.X and its 
> useful "dovetailing" with the AOL email service) I have used the AOL 
> "fat client" for email.  What seems to be happening is that the AOL "fat 
> client" protocol is sending  ICMP echo request packets from the AOL 
> server to my whichever PC I am using  which are embedded as data in the 
> TCP connection that is set up between my computer and the AOL service. 
> These ICMP echo request packets are addressed to the IP address served 
> to  the virtual adapter that AOL sets up on my PC when the TCP 
> connection to the AOL service is initiated. I can see the virtual 
> adapter via the ipconfig command  and the additional routing table 
> entries via the route command. Furthermore, when I check the source 
> address taken from the embedded ICMP echo request packets, using 
> visualtrace, I find that the IP addresses are from AOL's address space. 
> I would add that although I have never really studied the AOL service 
> protocol it is reasonable to assume it is some sort of encapsulating VPN 
> like protocol since it seems to jam everything over one TCP session.

Had precisely the same problem here, except the AOL "leakage" was being 
flagged as spoofed address packets (they really get sent out with a 
source IP usually in AOL space, sometimes in reserved windows 169.254 
space.  There is an NTP request, followed by pings (to AOL targets 
usually, and more often than not their adware servers).

Yes, it is the "fat" AOL client and it stinks to high heaven leaking 
spoofed packets like that.

Jeff




More information about the list mailing list