RE: Please help with this strangeness

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 01/15/04

    To: "'Michael Thompson'" <mike@thompsonmike.co.uk>, <security-basics@securityfocus.com>
    Date: Thu, 15 Jan 2004 10:41:26 -0800
    
    

      This is a kind of strange address block you've described. Let's try
    to clarify that before proceeding to the traffic itself.

      It sounds like you're trying to describe the 81.174.224.68/30 block,
    that's with a subnet mask of 255.255.255.252. Blocks this size are
    sometimes used for ISP connections to sites that are NATting to internal
    addresses at their border.
      Of the four addresses in the block, ONE is usable by the client. The
    'all zeros' host address 81.174.224.68 is reserved for the network;
    in most cases, it will get treated as a broadcast. The 'all ones' address
    is the normal broadcast address, and in this case it's 81.174.224.71.
      That leaves .69 and .70. To be useful as an ISP link, one of those
    is going to be assigned to a router at the ISP end of the link. The
    other one is going to be available for the client router; the ISP router's
    address should be configured as the default gateway on the client router.

      So a key question is: Does this look like what you see? If .69 is
    the address of your router, then is its default gateway address pointing
    at .70? If not, what *is* it pointing at? Is its subnet mask
    255.255.255.252? If not, what is it?
      If these values are different from what I expect, either (a) your ISP
    connection follows some different model that would be helpful to
    understand, or (b) the traffic may be an artefact of a configuration error.

    David Gillett

    > -----Original Message-----
    > From: Michael Thompson [mailto:mike@thompsonmike.co.uk]
    > Sent: January 14, 2004 19:03
    > To: security-basics@securityfocus.com
    > Subject: Please help with this strangeness
    >
    >
    > Hi Security-basics,
    >
    >
    > I was going through all my security logs today and I noticed something
    > a little odd, and wondered if anyone could offer any insight? I am not
    > that good at detailed security!
    >
    > I have an IP block assigned from my ISP, 81.174.224.68 to
    > 81.174.224.70.
    >
    > As I understand it, 68 is a broadcast address, 69 is assigned to the
    > router, 70 is for a server, which I don't use at the present time.
    >
    > Now, in my snort logs, which is connected to the outside of the
    > firewall I get the following logs..
    >
    > [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    > [Classification: Misc activity] [Priority: 3]
    > 01/15-02:49:35.625784 81.174.224.69 -> 81.174.224.70
    > ICMP TTL:111 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
    > Type:8 Code:0 ID:512 Seq:52213 ECHO
    > [Xref => http://www.whitehats.com/info/IDS154]
    >
    > [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    > [Classification: Misc activity] [Priority: 3]
    > 01/15-02:49:35.641759 81.174.224.69 -> 81.174.224.68
    > ICMP TTL:110 TOS:0xA0 ID:45598 IpLen:20 DgmLen:92
    > Type:8 Code:0 ID:512 Seq:51701 ECHO
    > [Xref => http://www.whitehats.com/info/IDS154]
    >
    > [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    > [Classification: Misc activity] [Priority: 3]
    > 01/15-02:49:35.642071 81.174.224.69 -> 81.174.224.70
    > ICMP TTL:110 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
    > Type:8 Code:0 ID:512 Seq:52213 ECHO
    > [Xref => http://www.whitehats.com/info/IDS154]
    >
    > [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    > [Classification: Misc activity] [Priority: 3]
    > 01/15-02:49:35.649566 81.174.224.69 -> 81.174.224.71
    > ICMP TTL:111 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
    > Type:8 Code:0 ID:512 Seq:52469 ECHO
    > [Xref => http://www.whitehats.com/info/IDS154]
    >
    > [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    > [Classification: Misc activity] [Priority: 3]
    > 01/15-02:49:35.665945 81.174.224.69 -> 81.174.224.71
    > ICMP TTL:110 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
    > Type:8 Code:0 ID:512 Seq:52469 ECHO
    > [Xref => http://www.whitehats.com/info/IDS154]
    >
    >
    > Now, I thought of welchia or one of its many variants, and all
    > machines are clean, the DHCP records show only one machine on the
    > network connected mostly, that's my machine. It's clean.
    >
    > What could be causing these broadcasts? Any one have any ideas?
    >
    > --
    >
    > Best regards,
    > Michael (mike@thompsonmike.co.uk)
    >
    > Join the American Non-Sequitur Society -- we don't make
    > sense, but we do like pizza.
    >
    > http://www.thompsonmike.co.uk/
    > PGP KeyID := 0xA9547E32
    >
    > 'To see a world in a grain of sand
    > And heaven in a wild flower
    > To hold infinity in the palm of your hand
    > And eternity in an hour'
    >
    > Using TheBat! Version 2.02.3 CE
    > Running On Windows XP (2600, Service Pack 1)
    > Sent From OneAndOne
    >
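The address arithmetic in the reply above (a /30 has a network address, a broadcast address and two usable hosts) can be checked mechanically against the alerts in the original post. The script below is an added example, not code from either poster: it assumes the 81.174.224.68/30 block the reply infers, parses the multi-line Snort alert format quoted in the thread (the sample alerts are constructed from the ones in the post), and labels each ping destination as network, broadcast, usable host or outside the block, so you can see at a glance which of the "broadcasts" really are broadcasts.

```python
import ipaddress
import re

# Assumption from the reply: the ISP handed out 81.174.224.68/30
ISP_BLOCK = "81.174.224.68/30"

# Constructed sample alerts, in the multi-line Snort alert format
# quoted in the original post (timestamps and IDs copied from it).
SAMPLE_ALERTS = """\
[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.625784 81.174.224.69 -> 81.174.224.70
ICMP TTL:111 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:52213 ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.641759 81.174.224.69 -> 81.174.224.68
ICMP TTL:110 TOS:0xA0 ID:45598 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:51701 ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.649566 81.174.224.69 -> 81.174.224.71
ICMP TTL:111 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:52469 ECHO
[Xref => http://www.whitehats.com/info/IDS154]
"""

# The "timestamp src -> dst" line of each alert; ICMP alerts carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)",
    re.MULTILINE,
)


def describe_block(cidr):
    """Map every address in a small block to its role in that block."""
    net = ipaddress.ip_network(cidr, strict=True)
    roles = {}
    for addr in net:
        if addr == net.network_address:
            roles[str(addr)] = "network (all-zeros host bits)"
        elif addr == net.broadcast_address:
            roles[str(addr)] = "broadcast (all-ones host bits)"
        else:
            roles[str(addr)] = "usable host"
    return roles


def usable_hosts(cidr):
    """The addresses a client and its ISP router can actually be assigned."""
    return [str(a) for a in ipaddress.ip_network(cidr).hosts()]


def parse_alerts(text):
    """Extract (timestamp, src, dst) from Snort multi-line alert text."""
    return [(m.group("ts"), m.group("src"), m.group("dst"))
            for m in ALERT_RE.finditer(text)]


def classify(alerts, cidr):
    """Label each alert's destination relative to the ISP block."""
    net = ipaddress.ip_network(cidr)
    roles = describe_block(cidr)
    labelled = []
    for ts, src, dst in alerts:
        if ipaddress.ip_address(dst) in net:
            verdict = roles[dst]
        else:
            verdict = "outside block"
        labelled.append((ts, src, dst, verdict))
    return labelled


if __name__ == "__main__":
    for addr, role in describe_block(ISP_BLOCK).items():
        print(f"{addr:16} {role}")
    print("usable:", ", ".join(usable_hosts(ISP_BLOCK)))
    for ts, src, dst, verdict in classify(parse_alerts(SAMPLE_ALERTS), ISP_BLOCK):
        print(f"{ts} {src} -> {dst:16} {verdict}")
```

Run against the posted alerts, only the ping to .71 is a true broadcast; the one to .68 hits the network address (which, as the reply notes, is often treated as a broadcast too) and the one to .70 is an ordinary host address. Swap in whatever mask the router is actually configured with to see whether the labels still make sense, which is exactly the check the reply asks for.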


