[Dshield] icmp w/payload EEEEEEE

Mrcorp mrcorp at yahoo.com
Wed Jan 14 20:20:44 GMT 2004


Ahh right.  Didn't know the setup that the packets were read from.

It seems Lance S. has commented on this as well.  I tried comparing the packets to the ones he
examined, as well as a Google search on the IP address.  He also saw low TTLs.
http://archives.neohapsis.com/archives/sf/honeypots/2001-q4/0054.html

mrcorp

--- Pierre Lewis <lew001 at globetrotter.net> wrote:
> On Wed, Jan 14, 2004 at 11:31:25AM -0800, Mrcorp wrote:
> 
> > Sorry if this has been commented on, but I noticed the MAC
> > addresses are the same for both groups, yet there are different
> > IP addresses. So obviously some spoofing, which would mean that
> > the response is not required from these pings???
> 
> They should be the same MAC addresses, shouldn't they? One is my
> firewall's MAC address, other is cable router's MAC address.
> 
> > Also a low TTL.
> 
> Indeed, hadn't noticed! And not quite same in the two groups.
> 
> Cheers,
> Pierre
> 

