RE: Strings of 'EEEE' in pings...
From: dlaumann@suntzu.net
Date: 01/26/02
- Previous message: Peter Bates: "Strings of 'EEEE' in pings..."
- Maybe in reply to: Peter Bates: "Strings of 'EEEE' in pings..."
From: dlaumann@suntzu.net
To: incidents@securityfocus.com
Date: Fri, 25 Jan 2002 17:21:20 -0600
> 01/25-18:05:09.399334 8:0:20:9E:ED:B3 -> 0:10:F6:8E:A0:0 type:0x800
> len:0x4A
> (INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20
> DgmLen:60
> Type:8 Code:0 ID:1 Seq:9 ECHO
> 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
> 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+=+=+=+=+=+
>
> 01/25-18:05:09.419335 0:10:F6:8E:A0:0 -> 8:0:20:9E:ED:B3 type:0x800
> len:0x4A
> (EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20
> DgmLen:60
> Type:0 Code:0 ID:1 Seq:9 ECHO REPLY
> 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
> 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+=+=+=+=+=+
>
> Yes it's a ping echo/reply pair, but why the string of EE's?
>
> I could recreate this slightly using 'ping -p 45 host' from another
> system,
> but it was still slightly different at the front...
>
> Can anyone explain this, or what might be generating this traffic?
>
> The internal host in question appears to be a Windows machine, but
> we'll only be able to investigate properly after the weekend.
what makes you think the internal host is windows? the icmp echo request
ttl, the icmp id, and the icmp sequence for the internal host are _not_
consistent with unmodified windows ip stacks. it would be helpful if you
posted a few more echo request/reply pairs to the list for further analysis.
-dave
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
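
Added example, not part of the original thread: a Python sketch of the passive check the reply alludes to. It parses the quoted Snort output, estimates each sender's initial TTL, and compares the payload with the default data of Windows ping.exe. The list of common initial TTLs and the Windows ping payload constant are assumptions supplied here, not values from the thread.

```python
import re

# The two packets quoted in the message above, with the mail-wrapped lines rejoined.
SAMPLE = """\
(INTERNAL) -> (EXTERNAL) ICMP TTL:62 TOS:0x0 ID:43296 IpLen:20 DgmLen:60
Type:8 Code:0 ID:1 Seq:9 ECHO
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
(EXTERNAL) -> (INTERNAL) ICMP TTL:113 TOS:0x0 ID:44568 IpLen:20 DgmLen:60
Type:0 Code:0 ID:1 Seq:9 ECHO REPLY
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 EEEEEEEEEEEEEEEE
"""

COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # assumption: widely used stack defaults
# Assumption: the 32 data bytes sent by the stock Windows ping.exe.
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"

IP_RE = re.compile(r"ICMP TTL:(\d+) .*? ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
ICMP_RE = re.compile(r"Type:(\d+)\s+Code:(\d+)\s+ID:(\d+)\s+Seq:(\d+)")
HEX_RE = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")  # Snort dumps 16 bytes per line

def parse_packets(text):
    """Turn Snort full-alert text into one dict per ICMP packet."""
    packets = []
    for line in text.splitlines():
        if m := IP_RE.search(line):
            ttl, ip_id, iplen, dgmlen = map(int, m.groups())
            packets.append({"ttl": ttl, "ip_id": ip_id, "data": b"",
                            "expected_len": dgmlen - iplen - 8})  # 8 = ICMP header
        elif packets and (m := ICMP_RE.search(line)):
            keys = ("type", "code", "icmp_id", "seq")
            packets[-1].update(zip(keys, map(int, m.groups())))
        elif packets and (m := HEX_RE.match(line)):
            packets[-1]["data"] += bytes.fromhex(m.group(1))
    return packets

def guess_initial_ttl(observed):
    """Smallest common default >= observed TTL, plus the implied hop count."""
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= observed)
    return initial, initial - observed

def summarize(pkt):
    """Collect the passive indicators for one parsed packet."""
    initial, hops = guess_initial_ttl(pkt["ttl"])
    return {"initial_ttl": initial, "hops": hops,
            "complete": len(pkt["data"]) == pkt["expected_len"],
            "single_byte_fill": len(set(pkt["data"])) == 1,
            "matches_windows_ping": pkt["data"] == WINDOWS_PING_DATA}
```

The TTL rounding is a heuristic: a packet that has crossed many hops can be attributed to the wrong default, so it is one indicator to weigh alongside the others, not a verdict.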