RE: Misc Large ICMP Packets(snort)

From: John Coke (jcoke@ibeam.com)
Date: 10/11/01


Message-ID: <13CFD9ED17AAD411982B00D0B76DFB8AAE81C1@WHEAT>
From: John Coke <jcoke@ibeam.com>
To: "'whass@dhp.com'" <whass@dhp.com>, focus-ids@securityfocus.com
Subject: RE: Misc Large ICMP Packets(snort)
Date: Thu, 11 Oct 2001 06:34:16 -0700

From:
http://www.sans.org/y2k/072500-1200.htm

<---Quote--->
From: Erik Carus
Sent: Monday, July 24, 2000 7:14 AM
Subject: Re: False positive on TFN?

Hello everybody, I'm beginning to see the light concerning the TFN triggers
noticed by our RS engine. At first, I captured the packets triggering the
TFN events: there is one echo request packet coming from 63.210.241.4 with
an ICMP id of 123 and the message "mailto:ops@digisle.com..." as data
payload. This packet is replied to with an echo reply packet which triggers
the RS alarm. So that's a false positive, because TFN uses only echo reply
packets for communication between clients and daemons. Then, here is a
little summary of the answers I got from several issforum list members:

*** at first, there were several people who told me they saw the same
packets or similar ones.

*** one of you sent me the definitive answer he got from Digital Island (->
digisle.com), and here it is:

----------------------------- EMAIL FROM DIGISLE.NET FOLLOWS ------------------------

We apologize for any inconvenience caused by pings (ICMP_ECHO packets)
coming from our machines. Your server was being ping'ed as part of our
real-time "network weather" mapping system called BDS. BDS is an essential
part of Footprint, Digital Island's intelligent network service offering. It
is used to optimize performance when your customers access the web resources
of our customers. Our Footprint service is used by many large web
publishers, such as AOL, CNBC, Blue Mountain, Adforce and many others, to
speed up the delivery of their web content. Our system intelligently matches
browsers to the servers on our Footprint network which will provide the best
performance. The dynamic nature of routing and congestion on the Internet
make it necessary for us to constantly update our maps. Our network was
pinging your system because your system appeared to be a name server and had
made a sufficient number of resolution requests for our customer web sites
to be placed on the list of network nodes to be constantly observed for
Internet congestion. By pinging your name server we can provide better
quality of service to your users when they access the web sites of our
expanding customer list. We hope you will consider granting us permission to
continue pinging a name server in your domain as it will benefit your users.
Sandpiper Networks merged with Digital Island in Dec 1999, which is why some
of the machines pinging you were in digisle.net. At this point you can:

1) Do nothing. Please accept our apologies and be assured that your machines
are not being pinged by a hostile party.

2) Tell us if there is a name server in your IP address space that you would
like us to ping. We will then direct future ping traffic to it.

3) Respond to this message requesting that we stop pinging your server. In
this event our pinging will cease in several days.

Regards,
Michael Roberts Digital Island Inc.

About Digital Island: Digital Island company's suite of application services
for interactive e-Business allows customers and partners to readily
integrate content delivery, hosting and intelligent networking to give the
ultimate consumer a superior experience.

Strategically located Data Centers in the United States, Europe and Asia are
directly connected to leading access service providers in 23 countries. In
addition, Digital Island operates a network of more than 1,200 content
distributors across the Internet, which improves the performance and reduces
the cost of hosting high-volume Web applications in target markets. This
network is expected to grow to more than 6,000 content distributors in 350
locations worldwide by the year 2003. Digital Island is headquartered in San
Francisco.
</---End Quote--->

Regards,
John Coke
PGP fingerprint: A8D1 4CBD 88CF 1B37 8008 2F79 3081 2108 8F45 E846
PGP key ID 0x8F45E846 (pgp.mit.edu)

> -----Original Message-----
> From: whass@dhp.com [mailto:whass@dhp.com]
> Sent: Wednesday, October 10, 2001 7:45 AM
> To: focus-ids@securityfocus.com
> Cc: whass@networkthinking.com
> Subject: Misc Large ICMP Packets(snort)
>
>
> Hello,
> Our snort log has been kicking these out for a couple of
> days. I get about 300 a day from misc addresses spread all
> over the Internet. The packet says to respond to
> ops@digisle.com, but of course I get no response. Is this a
> false positive of some kind? I thought at first it was
> monitoring software but I'm getting so many that I'm starting
> to wonder.
>
> Thanks in advance.
>
> Wally Hass
>
> [**] MISC Large ICMP Packet [**]
> 10/10-03:04:34.984262 216.44.45.4 -> 216.217.xx.x
> ICMP TTL:239 TOS:0x0 ID:25401 IpLen:20 DgmLen:1020 DF
> Type:8 Code:0 ID:22272 Seq:22752 ECHO
> 6D 61 69 6C 74 6F 3A 6F 70 73 40 64 69 67 69 73 mailto:ops@digis
> 6C 65 2E 63 6F 6D 20 66 6F 72 20 71 75 65 73 74 le.com for quest
> 69 6F 6E 73 20 20 20 20 54 68 69 73 20 49 43 4D ions    This ICM
> 50 20 45 43 48 4F 20 52 45 51 55 45 53 54 2F 52 P ECHO REQUEST/R
> 45 50 4C 59 20 69 73 20 70 61 72 74 20 6F 66 20 EPLY is part of
> 74 68 65 20 72 65 61 6C 2D 74 69 6D 65 20 6E 65 the real-time ne
> 74 77 6F 72 6B 20 6D 6F 6E 69 74 6F 72 69 6E 67 twork monitoring
> 70 65 72 66 6F 72 6D 65 64 20 62 79 20 44 69 67 performed by Dig
> 69 74 61 6C 20 49 73 6C 61 6E 64 20 49 6E 63 2E ital Island Inc.
> 20 20 49 74 20 69 73 20 6E 6F 74 20 61 6E 20 61   It is not an a
> 74 74 61 63 6B 2E 20 20 49 66 20 79 6F 75 20 68 ttack.  If you h
> 61 76 65 71 75 65 73 74 69 6F 6E 73 20 70 6C 65 avequestions ple
> 61 73 65 20 63 6F 6E 74 61 63 74 20 6F 70 73 40 ase contact ops@
> 64 69 67 69 73 6C 65 2E 63 6F 6D 00 00 00 00 00 digisle.com.....
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>
>

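The alert above is the whole case in one packet: a 1020-byte echo request whose payload is a printable notice ending in NUL padding, which trips the size-based "MISC Large ICMP Packet" signature even though the content is self-describing. The script below is an added example, not code from the thread, from Snort or from Digital Island. It parses a Snort 1.x text alert (including one pasted with a mail `> ` quote prefix), rebuilds the ICMP payload from the hex columns only, since archives tend to collapse the spaces in the ASCII gutter, cross-checks the dump against the length the IP header announces (DgmLen minus IpLen minus the 8-byte echo header), and reports the probe as benign only when it is an echo request carrying a printable notice that names Digital Island and ops@digisle.com. The sample alert is constructed from the one in the original post; the elided destination is replaced with the documentation address 192.0.2.10 and the 48 all-zero dump lines are generated rather than pasted.

```python
"""Triage helper for Snort "MISC Large ICMP Packet" alerts (added example)."""
import re
from dataclasses import dataclass

# Constructed sample, copied from the alert in the original post. The elided
# destination 216.217.xx.x is replaced by 192.0.2.10 and the 48 all-zero dump
# lines (992 payload bytes in total) are generated below instead of pasted.
_TEXT_LINES = """\
6D 61 69 6C 74 6F 3A 6F 70 73 40 64 69 67 69 73 mailto:ops@digis
6C 65 2E 63 6F 6D 20 66 6F 72 20 71 75 65 73 74 le.com for quest
69 6F 6E 73 20 20 20 20 54 68 69 73 20 49 43 4D ions    This ICM
50 20 45 43 48 4F 20 52 45 51 55 45 53 54 2F 52 P ECHO REQUEST/R
45 50 4C 59 20 69 73 20 70 61 72 74 20 6F 66 20 EPLY is part of
74 68 65 20 72 65 61 6C 2D 74 69 6D 65 20 6E 65 the real-time ne
74 77 6F 72 6B 20 6D 6F 6E 69 74 6F 72 69 6E 67 twork monitoring
70 65 72 66 6F 72 6D 65 64 20 62 79 20 44 69 67 performed by Dig
69 74 61 6C 20 49 73 6C 61 6E 64 20 49 6E 63 2E ital Island Inc.
20 20 49 74 20 69 73 20 6E 6F 74 20 61 6E 20 61   It is not an a
74 74 61 63 6B 2E 20 20 49 66 20 79 6F 75 20 68 ttack.  If you h
61 76 65 71 75 65 73 74 69 6F 6E 73 20 70 6C 65 avequestions ple
61 73 65 20 63 6F 6E 74 61 63 74 20 6F 70 73 40 ase contact ops@
64 69 67 69 73 6C 65 2E 63 6F 6D 00 00 00 00 00 digisle.com....."""
SAMPLE_ALERT = (
    "[**] MISC Large ICMP Packet [**]\n"
    "10/10-03:04:34.984262 216.44.45.4 -> 192.0.2.10\n"
    "ICMP TTL:239 TOS:0x0 ID:25401 IpLen:20 DgmLen:1020 DF\n"
    "Type:8 Code:0 ID:22272 Seq:22752 ECHO\n"
    + _TEXT_LINES + "\n"
    + "\n".join(["00 " * 16 + "................"] * 48)
)

# Up to 16 hex pairs at the start of a dump line. The cap keeps the ASCII
# gutter out of the payload; a short final line whose gutter happens to look
# like hex could still slip through, which is why classify() checks length.
HEX_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}(?: |$)){1,16})")
MARKERS = (b"Digital Island", b"ops@digisle.com")


@dataclass
class Alert:
    msg: str
    src: str
    dst: str
    ttl: int
    ip_len: int
    dgm_len: int
    icmp_type: int
    icmp_code: int
    icmp_id: int
    seq: int
    payload: bytes

    def expected_payload_len(self) -> int:
        # IP datagram length minus IP header minus the 8-byte ICMP echo header
        return self.dgm_len - self.ip_len - 8


def parse_snort_alert(text: str) -> Alert:
    """Parse one Snort 1.x text alert; a leading '> ' quote prefix is tolerated."""
    lines = [ln.lstrip("> ").rstrip() for ln in text.splitlines() if ln.strip(" >")]
    if len(lines) < 5:
        raise ValueError("alert is too short to carry a hex dump")
    m_msg = re.match(r"\[\*\*\]\s*(.*?)\s*\[\*\*\]", lines[0])
    m_addr = re.match(r"\S+\s+(\S+)\s+->\s+(\S+)", lines[1])
    m_ip = re.match(r"ICMP TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:\d+ IpLen:(\d+) DgmLen:(\d+)", lines[2])
    m_icmp = re.match(r"Type:(\d+)\s+Code:(\d+)\s+ID:(\d+)\s+Seq:(\d+)", lines[3])
    if not (m_msg and m_addr and m_ip and m_icmp):
        raise ValueError("not a Snort ICMP alert with a hex dump")
    payload = bytearray()
    for ln in lines[4:]:
        m = HEX_RE.match(ln)
        if not m:
            break
        payload += bytes.fromhex(m.group(1))  # fromhex ignores the spaces
    return Alert(m_msg.group(1), m_addr.group(1), m_addr.group(2),
                 int(m_ip.group(1)), int(m_ip.group(2)), int(m_ip.group(3)),
                 int(m_icmp.group(1)), int(m_icmp.group(2)),
                 int(m_icmp.group(3)), int(m_icmp.group(4)), bytes(payload))


def classify(alert: Alert) -> str:
    """Return 'benign-cdn-probe' or a 'review: ...' reason for the analyst."""
    if len(alert.payload) != alert.expected_payload_len():
        return "review: dump length does not match DgmLen"
    notice = alert.payload.rstrip(b"\x00")  # strip the NUL padding
    printable = bool(notice) and all(32 <= b < 127 for b in notice)
    if alert.icmp_type == 8 and printable and all(m in notice for m in MARKERS):
        return "benign-cdn-probe"
    if alert.icmp_type == 0:
        # The thread notes TFN talks over echo replies, so a large reply that
        # is not the answer to one of these probes deserves a look.
        return "review: large echo reply"
    return "review: large ICMP with non-text payload"


def triage(text: str):
    """One-shot helper: parse and classify, returning (alert, verdict)."""
    alert = parse_snort_alert(text)
    return alert, classify(alert)


if __name__ == "__main__":
    a, verdict = triage(SAMPLE_ALERT)
    print(f"{a.src} -> {a.dst} type {a.icmp_type} {len(a.payload)} B: {verdict}")
    print(a.payload.rstrip(b"\x00").decode("ascii"))
```

Two design points are worth noting. The verdict is tied to the combination of echo request, printable notice and exact length, not to the source address, because the original poster saw these from about 300 addresses a day; and a payload whose hex dump does not add up to DgmLen is flagged rather than trusted, since a truncated or hand-edited dump is exactly where a real payload would hide.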