Re: Odd windows ICMP... any ideas what this is?
From: Mika Boström (bostik_at_lut.fi)
Date: Mon, 9 Jun 2003 22:52:54 +0300 To: firstname.lastname@example.org
On Mon, 09 Jun 2003, ted klugman wrote:
> Our IDS has been reporting some large ICMP packets on
> our internal network. Our internal network is a
> Windows2000 domain -- servers and clients.
> - Packet size is always 2090 bytes
> - Almost always sent from a client or member server to
> one of the two boxes running Active Directory
> - The ping payload itself is actually a JPEG of the
> Microsoft logo. This JPEG can actually be found inside
> I googled for any details, and I see that others have
> run into this before. However, there were no answers,
> just questions. See these two links for identical
Sorry for the lengthy quote. I remember seeing that debian-security
thread when it appeared. Somewhat further down the thread there was a
third URL given, with not much new information but just unanswered
questions - much like you have noticed.
> Anyone else seen these? Any idea what's causing them?
> Is this 'normal' behavior on a W2K network?
Considering that this is, if somewhat hazily, documented behaviour
one would be tempted to say it is indeed 'normal.'
I'm far from being any kind of authority but I have my personal guess.
Apparently w32 boxes ping their domain controller regularly. Not all of
the packets contain the encapsulated image data, so whoever wrote this
wanted the behaviour to be at least somewhat inconsistent. My guess is
that the programmer or programmers in question had some extra time and
inserted an easter egg.
If these funny packets are indeed part of a license tracking mechanism,
perhaps the combined effort of blocking oversized pings and then
profiling the ICMP traffic immediately afterwards would help to provide
some kind of answer? I can imagine four things happening.
1. Nothing, the packets would be considered lost. (I don't know what
the timeouts for not successfully pinging domain controller might be.)
2. Some kind of log event indicating that these packets are indeed an
expected part of the protocol.
3. A resend with a regular ping, which in turn would show that some
extra thought had been used. Quite likely to accommodate normal
network functionality even with stricter traffic policies.
4. A resend with image-ping. This oversized ping is part of the
protocol, or the author(s) for some reason expect a reply to specific
Anyone care to test and document the behaviour? (I don't have access
to network setups where these could be verified.)
-- 
Mika Boström  +358-50-410-9042  Bostik@lut.fi  www.lut.fi/~bostik
Security freak, and proud of it.
"The Hell is empty, and all the devils are here." -W.S.
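The "profile the ICMP traffic" step proposed above, as an added example that is not part of the original thread: a small Python parser that decodes raw IPv4/ICMP datagrams, labels echo packets by size and by whether the payload starts with the JPEG start-of-image marker, and counts them per source/destination pair. The packets are constructed in the script (hypothetical 10.0.0.x addresses, a stock 56-byte ping and "logo" pings sized so the IPv4 total length is 2090 bytes); it works on whole datagrams, so anything fragmented on the wire is assumed to have been reassembled first, and the 1500-byte "oversized" threshold is a value chosen for the example, not something the thread states.

```python
import struct
from collections import Counter

JPEG_SOI = b"\xff\xd8\xff"   # first three bytes of every JPEG file (SOI marker plus the 0xFF of the next marker)
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Assemble a raw IPv4 datagram carrying one ICMP echo (constructed test data, not a capture)."""
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    icmp = struct.pack("!BBHHH", icmp_type, 0, inet_checksum(icmp_hdr + payload), 1, 1) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128,
                         IPPROTO_ICMP, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_ipv4_icmp(pkt: bytes):
    """Decode an IPv4 datagram; return a summary dict for ICMP, None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != IPPROTO_ICMP or len(pkt) < ihl + 8:
        return None
    payload = pkt[ihl + 8:total_len]          # ICMP echo header is 8 bytes
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "type": pkt[ihl],
        "total_len": total_len,
        "payload_len": len(payload),
        "jpeg": payload.startswith(JPEG_SOI),
    }


def classify(info: dict, size_threshold: int = 1500) -> str:
    """Label an ICMP summary. The 1500-byte threshold (Ethernet MTU) is an example value."""
    if info["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "other-icmp"
    tags = []
    if info["total_len"] > size_threshold:
        tags.append("oversized")
    if info["jpeg"]:
        tags.append("jpeg-payload")
    return "+".join(tags) or "normal-echo"


def profile(packets, size_threshold: int = 1500) -> Counter:
    """Count ICMP datagrams per (src, dst, label): the profiling step of the proposed test."""
    counts = Counter()
    for pkt in packets:
        info = parse_ipv4_icmp(pkt)
        if info is not None:
            counts[(info["src"], info["dst"], classify(info, size_threshold))] += 1
    return counts


# Constructed samples (hypothetical addresses): a stock 56-byte ping, two "logo" pings sized so
# the IPv4 total length is 2090 bytes, and one equally large ping whose payload is not a JPEG.
LOGO_PAYLOAD_LEN = 2090 - 20 - 8
SAMPLE_PACKETS = [
    build_icmp_echo("10.0.0.21", "10.0.0.1", b"\x00" * 56),
    build_icmp_echo("10.0.0.21", "10.0.0.1", JPEG_SOI + b"\x00" * (LOGO_PAYLOAD_LEN - 3)),
    build_icmp_echo("10.0.0.22", "10.0.0.1", JPEG_SOI + b"\x00" * (LOGO_PAYLOAD_LEN - 3)),
    build_icmp_echo("10.0.0.22", "10.0.0.1", b"\x00" * LOGO_PAYLOAD_LEN),
]

if __name__ == "__main__":
    for (src, dst, label), n in sorted(profile(SAMPLE_PACKETS).items()):
        print(f"{src} -> {dst}  {label:24s} {n}")
```

Run against real traffic, the same `profile()` loop would be fed datagrams from a capture taken before and after oversized pings are blocked; a shift from "oversized+jpeg-payload" to "normal-echo" for the same client/DC pairs would point at outcome 3 above, a retry with the large packet at outcome 4, and no change in the client's behaviour at outcome 1. The JPEG check only looks at the first three payload bytes, so it does not prove the payload is the logo, only that it begins like a JPEG.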