[unisog] Weird ICMP traffic

Michael Assels mjassels at cs.concordia.ca
Fri Nov 14 02:26:15 GMT 2003


On Thu, 13 Nov 2003 16:40:11 EST, 
Ryan Nobrega <nobregar2 at southernct.edu> wrote:

> We are seeing a lot of icmp traffic coming from the majority of our
> resnet users destined to the following netblocks; 130.244.x.x,
> 244.152.x.x, 202.232.x.x, and 202.139.x.x.  Is anyone else seeing this
  ^^^
Should be 204

> or does anyone have a clue to what might be causing this?  Any help is
> appreciated.

Yes, we started to notice these when we began to block and log
92-byte ICMP echo requests.  Curiously, the packets always had
TTL of 1, 2, 3 or 4.

This turns out to be a Kazaa node trying to determine which 
part of the world it lives in.  The four netblocks represent four
continents:

130.244.x.x: Sweden
202.139.x.x: Australia
202.232.x.x: Japan
204.152.x.x: U.S.A.

By picking a small TTL, Kazaa ensures that it only gets an answer
from a relatively near neighbour.

See http://www.goldenpi.no-ip.org/drm/KazaaFileFormats.html

-- 
Michael Assels                    Manager, Network/Systems/Security
Department of Computer Science    Concordia University, Montreal
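
The pattern described in the message above, written as a detection check. This is an added example, not part of the original post: it assumes "92-byte" means the IPv4 total length, treats each "x.x" netblock as a /16, and uses hypothetical function names and constructed sample packets.

```python
import ipaddress
import struct

# Netblocks and regions as listed in the post; the /16 width is an assumption.
PROBE_NETS = {
    ipaddress.ip_network("130.244.0.0/16"): "Sweden",
    ipaddress.ip_network("202.139.0.0/16"): "Australia",
    ipaddress.ip_network("202.232.0.0/16"): "Japan",
    ipaddress.ip_network("204.152.0.0/16"): "U.S.A.",
}
PROBE_LEN = 92             # assumption: IPv4 total length
PROBE_TTLS = range(1, 5)   # TTL of 1, 2, 3 or 4, as seen near the sender

def build_packet(src, dst, ttl, total_len, icmp_type=8):
    """Construct a sample IPv4+ICMP packet (checksums left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, 1, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return hdr + icmp + b"\x00" * (total_len - 28)

def classify(pkt):
    """Return the region name if pkt matches the probe pattern, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) <= ihl:
        return None
    (total_len,) = struct.unpack("!H", pkt[2:4])
    ttl, proto = pkt[8], pkt[9]
    if proto != 1 or pkt[ihl] != 8:          # ICMP echo request only
        return None
    if total_len != PROBE_LEN or ttl not in PROBE_TTLS:
        return None
    dst = ipaddress.ip_address(pkt[16:20])
    return next((r for n, r in PROBE_NETS.items() if dst in n), None)

def summarize(packets):
    """Map each source address to the set of regions it probed."""
    hits = {}
    for pkt in packets:
        region = classify(pkt)
        if region:
            src = str(ipaddress.ip_address(pkt[12:16]))
            hits.setdefault(src, set()).add(region)
    return hits

# Constructed sample traffic: one host probing all four blocks, plus near misses.
SAMPLE = [build_packet("10.1.2.3", d, t, 92) for d, t in
          [("130.244.9.9", 1), ("202.139.9.9", 2), ("202.232.9.9", 3), ("204.152.9.9", 4)]]
SAMPLE += [build_packet("10.1.2.4", "204.152.9.9", 64, 84),   # ordinary ping
           build_packet("10.1.2.5", "192.0.2.1", 2, 92)]      # other destination
```

A source that shows up with all four regions is a much stronger match than one that hits a single block, since a lone 92-byte echo request can have other causes.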


