[Dshield] Possible Bot?

Chris Brenton cbrenton at chrisbrenton.org
Mon May 12 14:14:13 GMT 2008


On Sat, 2008-05-10 at 22:48 +0800, Tony Raboza wrote:
>
> 18:00:02.788023 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 59931, length 1480
> 18:00:02.788030 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.798828 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60187, length 1480
> 18:00:02.798841 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
> 18:00:02.809534 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo
> request, id 4, seq 60443, length 1480

The echo requests are kind of interesting. The +256 increment of the
echo sequence number is indicative of a Windows system running Ping, but
the packet size and IP ID values are not. The consistent IP ID value
troubles me as it hints that the OS is not directly involved with the
generation of these packets (all versions of Windows increment the IP ID
by +1).

Any chance of checking to see if DF is set? When I've seen similar
traces to this in the past it's turned out to be brain dead PMTU. DF
being set is usually the tip off.

If it was me I would run a real sniffer to grab some additional info.
The lines which do not identify the icmp type/code being used are not
very helpful. Also, it would be cool to get a look at the payload.
Is it ciphertext? If so I would be afraid. ;-)

HTH,
C
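As an added illustration (not part of the thread, and not code from either poster), the following Python script checks the points Chris raises automatically: it parses tcpdump echo-request lines, computes the ICMP sequence step per source, and tests whether the IP ID stays constant and whether DF is set. It assumes the trace was captured with tcpdump -v so that the IP ID and flags are printed; the sample lines embedded below are constructed for the example, and the thresholds and the "+256 means little-endian sequence" reading are the script author's assumptions, not something the post states.

```python
import re
from collections import OrderedDict

# Constructed sample in tcpdump -v style. These lines are made up for the
# example; they are not the trace from the original post. The first three
# mimic what the post describes (seq +256, fixed IP ID, 1480-byte payload),
# the last two look like an ordinary Unix ping with a default payload.
SAMPLE_TRACE = """\
18:00:02.788023 IP (tos 0x0, ttl 128, id 2600, offset 0, flags [DF], proto ICMP (1), length 1500) 10.0.0.5 > 203.0.113.7: ICMP echo request, id 4, seq 59931, length 1480
18:00:02.798828 IP (tos 0x0, ttl 128, id 2600, offset 0, flags [DF], proto ICMP (1), length 1500) 10.0.0.5 > 203.0.113.7: ICMP echo request, id 4, seq 60187, length 1480
18:00:02.809534 IP (tos 0x0, ttl 128, id 2600, offset 0, flags [DF], proto ICMP (1), length 1500) 10.0.0.5 > 203.0.113.7: ICMP echo request, id 4, seq 60443, length 1480
18:00:03.100000 IP (tos 0x0, ttl 64, id 31001, offset 0, flags [none], proto ICMP (1), length 84) 10.0.0.9 > 203.0.113.7: ICMP echo request, id 7, seq 1, length 64
18:00:04.100000 IP (tos 0x0, ttl 64, id 31002, offset 0, flags [none], proto ICMP (1), length 84) 10.0.0.9 > 203.0.113.7: ICMP echo request, id 7, seq 2, length 64
"""

# Matches one tcpdump -v line for an ICMP echo request. Lines that only say
# "icmp" (no type/code), as in the post, simply do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos \S+, ttl (?P<ttl>\d+), id (?P<ipid>\d+), offset \d+, "
    r"flags \[(?P<flags>[^\]]*)\], proto ICMP \(1\), length (?P<iplen>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+): ICMP echo request, id (?P<id>\d+), "
    r"seq (?P<seq>\d+), length (?P<len>\d+)$"
)


def parse_line(line):
    """Return the fields of one echo-request line as a dict, or None if the
    line is not a fully decoded echo request."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    return {
        "ts": f["ts"],
        "ttl": int(f["ttl"]),
        "ipid": int(f["ipid"]),
        "df": "DF" in f["flags"].split(","),
        "src": f["src"],
        "dst": f["dst"],
        "icmp_id": int(f["id"]),
        "seq": int(f["seq"]),
        "payload_len": int(f["len"]),
    }


def analyze(trace):
    """Group echo requests by (src, dst, ICMP id) and summarise the
    sequence step, IP ID behaviour, DF flag and payload size per flow."""
    flows = OrderedDict()
    for line in trace.splitlines():
        p = parse_line(line)
        if p is not None:
            flows.setdefault((p["src"], p["dst"], p["icmp_id"]), []).append(p)

    report = OrderedDict()
    for key, pkts in flows.items():
        seqs = [p["seq"] for p in pkts]
        # Sequence field is 16 bits, so take the difference modulo 65536.
        deltas = [(b - a) % 65536 for a, b in zip(seqs, seqs[1:])]
        ipids = [p["ipid"] for p in pkts]
        info = {
            "count": len(pkts),
            "seq_deltas": deltas,
            "plus_256": bool(deltas) and all(d == 256 for d in deltas),
            "ip_id_constant": len(pkts) > 1 and len(set(ipids)) == 1,
            "df_on_all": all(p["df"] for p in pkts),
            "payload_len": max(p["payload_len"] for p in pkts),
        }
        notes = []
        if info["plus_256"]:
            # Assumption: a +256 step is the sequence counter written in
            # little-endian byte order and read back as big-endian by tcpdump.
            notes.append("seq advances by 256: little-endian sequence, typical of Windows ping")
        if info["ip_id_constant"]:
            notes.append("IP ID never changes: packets likely not generated by the host IP stack")
        if info["df_on_all"] and info["payload_len"] > 1000:
            # 1000 bytes is an arbitrary threshold chosen for this example.
            notes.append("DF set with a large payload: consistent with path MTU probing")
        info["notes"] = notes
        report[key] = info
    return report


if __name__ == "__main__":
    for key, info in analyze(SAMPLE_TRACE).items():
        print("%s -> %s icmp id %d:" % key)
        print("  seq deltas %s, IP ID constant %s, DF on all %s, payload %d" % (
            info["seq_deltas"], info["ip_id_constant"], info["df_on_all"], info["payload_len"]))
        for n in info["notes"]:
            print("  -", n)
```

To apply it to a real capture, replace SAMPLE_TRACE with the output of `tcpdump -v -n icmp` (the -v is what makes the IP ID and flags appear, which is exactly the information the reply asks for); lines that tcpdump cannot fully decode are ignored rather than misread.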
