[Dshield] icmp w/payload EEEEEEE

lew001@globetrotter.net lew001 at globetrotter.net
Wed Jan 14 17:58:00 GMT 2004


Johannes writes:

> Nothing here. Can you post some complete packets?
> (e.g. using tcpdump -s 1500 -Xa icmp)

At first, I had thought that the EEEEEEs were hex. But maybe not. Here's what
I found in this morning's traces (EEEEEE is ASCII). I don't have previous
days to check unfortunately.

Three packets from each of two sources.

   02:11:43.5242 eth2 rcv:
   ETH 000500E61FA8->00C0A8D00B73 typ=IP
   IP  len=3C id=8D87 ttl=29 prot=ICMP ckSum=B67 200.55.67.196->66.130.170.85
   ICMP typ=echoRq code=0 ckSum=B37
   id=400 seq=9474
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE

   02:11:44.8931 eth2 rcv:
   ETH 000500E61FA8->00C0A8D00B73 typ=IP
   IP  len=3C id=8D91 ttl=29 prot=ICMP ckSum=B5D 200.55.67.196->66.130.170.85
   ICMP typ=echoRq code=0 ckSum=737
   id=400 seq=9874
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE

   02:11:47.4361 eth2 rcv:
   ETH 000500E61FA8->00C0A8D00B73 typ=IP
   IP  len=3C id=8DB2 ttl=29 prot=ICMP ckSum=B3C 200.55.67.196->66.130.170.85
   ICMP typ=echoRq code=0 ckSum=F936
   id=400 seq=A674
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE

   05:27:10.6468 eth2 rcv:
   ETH 000500E61FA8->00C0A8D00B73 typ=IP
   IP  len=3C id=E927 ttl=2D prot=ICMP ckSum=B00B 194.19.69.163->66.130.170.85
   ICMP typ=echoRq code=0 ckSum=27A5
   id=200 seq=7A06
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE

   05:27:11.9993 eth2 rcv:
   ETH 000500E61FA8->00C0A8D00B73 typ=IP
   IP  len=3C id=E938 ttl=2D prot=ICMP ckSum=AFFA 194.19.69.163->66.130.170.85
   ICMP typ=echoRq code=0 ckSum=1EA5
   id=200 seq=8306
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE

   05:27:14.0062 eth2 rcv:
   ETH 000500E61FA8->00C0A8D00B73 typ=IP
   IP  len=3C id=E958 ttl=2D prot=ICMP ckSum=AFDA 194.19.69.163->66.130.170.85
   ICMP typ=echoRq code=0 ckSum=12A5
   id=200 seq=8F06
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE

I don't really remember seeing this kind of stuff before, but maybe
some OSs do use this pattern? Anyway, I'm not seeing many so far.

For comparison, a Nachi/Welchia/whatever packet (quite a few more, still).

   05:42:16.7732 eth2 rcv:
   ETH 000500E61FA8->00C0A8D00B73 typ=IP
   IP  len=5C id=C18A ttl=6E prot=ICMP ckSum=6146 66.133.250.115->66.130.170.85
   ICMP typ=echoRq code=0 ckSum=F9B1
   id=200 seq=A6F8
   AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ................
   AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ................
   AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ................
   AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ................

No clue (of course) what these EEEEEE pings mean.

On a different topic, does anyone understand these RST+ACK packets we have
been receiving for some time? I see two variations. Either the packet appears
to originate from 127.0.0.1 or it appears to originate from 67.61.16.236.
From port 80. To random ports on my firewall.

   2003-12-10 04:09:08 | 67.61.16.236 | 80 | 66.131.183.166 | 1804 | prot=TCP  | code=RST+ACK
   2003-12-15 05:32:58 | 127.0.0.1    | 80 | 66.131.183.166 | 1128 | prot=TCP  | code=RST+ACK

They have been mentioned here a couple of times, but I haven't
seen any explanation yet. I still see these regularly.

A+,
Pierre
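Added example, not part of Pierre's post or anything from the DShield list: a small Python parser for the "eth2 rcv:" dump format shown above that classifies each ICMP echo request by whether its payload is a single repeated byte, checks that the dumped bytes agree with the IP length field (so a truncated capture is not mistaken for a short probe), and estimates hop distance from the TTL. The sample input copies two of the dumps above and adds one constructed record with a mixed payload as a negative case; the "welchia-style" label only applies the fill byte and length of the packet the post labels Nachi/Welchia (64 bytes of 0xAA, IP length 0x5C), nothing more, and the E-filled packets are simply recorded as a uniform-fill pattern for baselining rather than given a meaning the post does not support.

```python
"""Classify ICMP echo-request payloads from "eth2 rcv:" style firewall dumps."""
import re
from collections import Counter

# Constructed input: the first two records are copied from the post, the third
# is constructed (documentation address, dummy checksums) as a mixed-payload case.
SAMPLE_DUMP = """\
   02:11:43.5242 eth2 rcv:
   ETH 000500E61FA8->00C0A8D00B73 typ=IP
   IP  len=3C id=8D87 ttl=29 prot=ICMP ckSum=B67 200.55.67.196->66.130.170.85
   ICMP typ=echoRq code=0 ckSum=B37
   id=400 seq=9474
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE
   45 45 45 45 45 45 45 45  45 45 45 45 45 45 45 45   EEEEEEEEEEEEEEEE

   05:42:16.7732 eth2 rcv:
   ETH 000500E61FA8->00C0A8D00B73 typ=IP
   IP  len=5C id=C18A ttl=6E prot=ICMP ckSum=6146 66.133.250.115->66.130.170.85
   ICMP typ=echoRq code=0 ckSum=F9B1
   id=200 seq=A6F8
   AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ................
   AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ................
   AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ................
   AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA   ................

   06:00:00.0000 eth2 rcv:
   ETH 000500E61FA8->00C0A8D00B73 typ=IP
   IP  len=24 id=0001 ttl=40 prot=ICMP ckSum=0000 192.0.2.10->66.130.170.85
   ICMP typ=echoRq code=0 ckSum=0000
   id=100 seq=0001
   61 62 63 64 65 66 67 68   abcdefgh
"""

IP_RE = re.compile(r"IP\s+len=([0-9A-Fa-f]+)\s+id=[0-9A-Fa-f]+\s+ttl=([0-9A-Fa-f]+)"
                   r"\s+prot=(\w+)\s+ckSum=[0-9A-Fa-f]+\s+(\S+)->(\S+)")
ICMP_RE = re.compile(r"ICMP\s+typ=(\w+)\s+code=(\d+)")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
IP_HDR, ICMP_HDR = 20, 8
# Fill byte and payload length of the packet the post labels Nachi/Welchia.
WELCHIA_FILL = (0xAA, 64)


def parse_record(block: str):
    """Turn one dump record into a dict; the hex columns are separated from the
    ASCII column by three or more spaces, so split there before reading bytes."""
    lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
    ip = icmp = None
    payload = bytearray()
    for line in lines:
        m = IP_RE.search(line)
        if m:
            ip = m
            continue
        m = ICMP_RE.search(line)
        if m:
            icmp = m
            continue
        tokens = re.split(r"\s{3,}", line, maxsplit=1)[0].split()
        if tokens and all(HEX_BYTE.match(t) for t in tokens):
            payload.extend(int(t, 16) for t in tokens)
    if ip is None or icmp is None:
        return None
    return {"time": lines[0].split()[0], "ip_len": int(ip.group(1), 16),
            "ttl": int(ip.group(2), 16), "proto": ip.group(3),
            "src": ip.group(4), "dst": ip.group(5),
            "icmp_type": icmp.group(1), "payload": bytes(payload)}


def initial_ttl_guess(ttl: int) -> int:
    """Nearest common initial TTL (64/128/255): a rough hop-distance heuristic."""
    return next(start for start in (64, 128, 255) if ttl <= start)


def classify(rec: dict) -> dict:
    payload = rec["payload"]
    expected = rec["ip_len"] - IP_HDR - ICMP_HDR   # bytes the IP length implies
    fill = payload[0] if payload and len(set(payload)) == 1 else None
    if rec["proto"] != "ICMP" or rec["icmp_type"] != "echoRq":
        verdict = "not-echo-request"
    elif len(payload) != expected:
        verdict = "truncated-dump"          # capture shorter than the packet
    elif (fill, len(payload)) == WELCHIA_FILL:
        verdict = "welchia-style-ping"
    elif fill is not None:
        verdict = "uniform-fill-%02X" % fill  # e.g. the 0x45 ('E') pings
    else:
        verdict = "mixed-payload"
    return {**rec, "fill_byte": fill, "payload_len": len(payload),
            "verdict": verdict, "hops_est": initial_ttl_guess(rec["ttl"]) - rec["ttl"]}


def analyze_dump(text: str) -> list:
    recs = (parse_record(b) for b in re.split(r"\n\s*\n", text.strip()))
    return [classify(r) for r in recs if r is not None]


def summarize(results: list) -> Counter:
    """Count (source, verdict) pairs so repeated probes from one host stand out."""
    return Counter((r["src"], r["verdict"]) for r in results)


if __name__ == "__main__":
    results = analyze_dump(SAMPLE_DUMP)
    for r in results:
        print(f'{r["time"]} {r["src"]:>15} ttl={r["ttl"]:3d} (~{r["hops_est"]:2d} hops) '
              f'len={r["payload_len"]:2d} {r["verdict"]}')
    print(summarize(results))
```

Run against a day's worth of dumps, the summary counter gives exactly the kind of per-source tally the post is reaching for ("three packets from each of two sources"), and the hop estimate (about 23 hops for the 0x29 TTL, about 18 for the 0x6E one) is a sanity check on whether the source addresses are plausible rather than spoofed from nearby.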