RE: Bizarre traffic

A bad NIC is one of the other possibilities on my list.

I have difficulty imagining a router or switch doing this
*only* to a specific client machine.

David Gillett

-----Original Message-----
From: Brian Rectanus [mailto:brectanu@xxxxxxxxx]
Sent: Friday, February 10, 2006 9:15 PM
To: incidents@xxxxxxxxxxxxxxxxx
Subject: Re: Bizarre traffic

With it corresponding to network disruptions, similar IPs on
your net and conversations looking normal otherwise, have you
considered it a router/switch corrupting packets? Or even
a bad NIC in a machine?


On 2/9/06, David Gillett <gillettdavid@xxxxxxxx> wrote:
Does anybody know of anything (malware, hackware, other?) that would
cause a machine to put out traffic with the first octet of the
destination address (re)set to ZERO?

The traffic I saw all was headed for port 443, and wasn't
decipherable. The variation in packet size looked like a real
conversation, although return packets (if any) weren't passing my
sniffer. The destination addresses, sans the bogus first octet,
looked like addresses of a couple of real internal servers (source
address was internal) -- which, however, do not have HTTPS service.

[This traffic correlated with various intermittent disruptions of
our network, which stopped when the source machine dropped off the
network. It later reappeared -- and so did a brief disruption -- long
enough for me to pinpoint and ban it.]

David Gillett
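A detection-side illustration of the symptom discussed in this thread, added here and not code from any of the posters: it walks a set of constructed IPv4/TCP packets, flags any whose destination falls in 0.0.0.0/8 (the "first octet reset to zero" pattern), checks whether the IP header checksum still validates, and matches the remaining three octets against a constructed inventory of internal servers and the TCP ports they actually listen on. The inventory addresses, the sample packets and the checksum heuristic are all assumptions of this example; the thread names no addresses.

```python
import ipaddress
import struct

# Constructed inventory (the original post names no hosts):
# internal server address -> TCP ports it actually listens on.
INTERNAL_SERVERS = {
    "10.20.30.40": {22, 80},
    "10.20.30.41": {22, 443},
    "10.20.31.7": {25},
}


def ipv4_header_checksum(header: bytes) -> int:
    """Standard IPv4 header checksum: one's-complement sum of 16-bit words,
    computed with the checksum field itself zeroed."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), bytes(hdr)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, dport: int, payload_len: int) -> bytes:
    """Minimal IPv4 + TCP packet for the demo: 20-byte IP header, 20-byte TCP
    header, zero-filled payload. Only the fields the analysis reads matter."""
    total_len = 20 + 20 + payload_len
    ip = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    ip[10:12] = struct.pack("!H", ipv4_header_checksum(ip))
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return bytes(ip) + tcp + bytes(payload_len)


def zero_first_dst_octet(packet: bytes, refresh_checksum: bool) -> bytes:
    """Simulate the corruption from the post: clear the first destination octet.
    refresh_checksum=True models a sender that emitted the packet this way (the
    checksum covers the bogus address); False models damage done after the
    checksum was computed, e.g. somewhere in the path."""
    pkt = bytearray(packet)
    pkt[16] = 0
    if refresh_checksum:
        pkt[10:12] = struct.pack("!H", ipv4_header_checksum(pkt[:20]))
    return bytes(pkt)


def analyze(packets):
    """Flag packets whose destination is in 0.0.0.0/8. For each, report whether
    the IP header checksum still validates (a heuristic for where the damage
    happened), which inventory hosts share the remaining three octets, and
    which of those actually listen on the targeted port."""
    findings = []
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        dst = ipaddress.IPv4Address(pkt[16:20])
        if dst not in ipaddress.ip_network("0.0.0.0/8"):
            continue
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] if pkt[9] == 6 else None
        stored = struct.unpack("!H", pkt[10:12])[0]
        checksum_ok = stored == ipv4_header_checksum(pkt[:ihl])
        tail = str(dst).split(".", 1)[1]
        candidates = sorted(h for h in INTERNAL_SERVERS if h.split(".", 1)[1] == tail)
        serving = [h for h in candidates if dport in INTERNAL_SERVERS[h]]
        findings.append({
            "src": str(ipaddress.IPv4Address(pkt[12:16])), "dst": str(dst),
            "dport": dport, "checksum_ok": checksum_ok,
            "candidates": candidates, "serving_port": serving,
        })
    return findings


def sample_capture():
    """Constructed sample: one normal HTTPS packet, one damaged after the
    checksum was computed, one emitted with the zeroed octet already in place."""
    good = build_packet("10.20.40.5", "10.20.30.41", 443, 517)
    in_path = zero_first_dst_octet(build_packet("10.20.40.5", "10.20.30.41", 443, 1200), False)
    at_source = zero_first_dst_octet(build_packet("10.20.40.5", "10.20.30.40", 443, 64), True)
    return [good, in_path, at_source]


if __name__ == "__main__":
    for finding in analyze(sample_capture()):
        print(finding)
```

The checksum column is the part worth keeping in mind when weighing the "bad NIC" and "router/switch" hypotheses from the thread: a packet whose header checksum still matches the zeroed address was checksummed after the damage, so it either left the host that way or was recomputed downstream, whereas a mismatching checksum points to corruption after the header was finalized. The candidate matching only narrows the search; it does not prove which server the traffic was originally meant for.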