Re: Please help with this strangeness

JGrimshaw_at_ASAP.com
Date: 01/15/04

    To: Michael Thompson <mike@thompsonmike.co.uk>
    Date: Thu, 15 Jan 2004 12:31:14 -0600

    Hi Michael,

    I do not believe you have it quite right on the addressing description.

    There would have to be four addresses--maybe a /30. It is unlikely you
    were assigned just three addresses--at least, I have never seen it happen.

    Perhaps your IP addressing is 81.174.224.68-71 /30?

    You would then have the following:

    .68 subnet address
    .69 assignable
    .70 assignable
    .71 broadcast.

    .72 could begin a new block of /30 addresses with .72 being the broadcast
    belonging to someone else. (Hey, I am only guessing based on what you
    suggested). Likewise, the block before you would start with 64 and end
    with 67.

    It would seem that .69 is sending out these pings, and you say .69 is the
    router.

    There would appear to be something else going on, so I am guessing you
    have private addresses internally and they are being NATed? How is the
    router connected? I do not understand how the IP address of the router is
    connecting to anything other than a point-to-point (if my /30 suggestion
    is true, which it probably is not) with another IP in the same range. You
    have said the .70 is associated with another server that is not in use, so
    my guess is that the router is not connected to it. So I am not sure what
    to think about that--can you provide more details? Make up numbers if you
    like, or use x.x.x.x and depict subnets.

    If the router has this .69 address, I would expect then that everyone is
    being NATed to use that address to access the internet? Are you using NAT
    overload?
    If this is the case, you may wish to sniff the internal segment and see
    where the ICMPs are coming from--having an IDS on the outside will not
    determine the internal source IP address, just the NATed one.

    Michael Thompson <mike@thompsonmike.co.uk>
    01/14/2004 09:03 PM
    Please respond to: Michael Thompson <mike@thompsonmike.co.uk>
    Subject: Please help with this strangeness

    Hi Security-basics,

    I was going through all my security logs today and I noticed something
    a little odd, and wondered if anyone could offer any insight? I am not
    that good at detailed security!

    I have an IP block assigned from my ISP, from 81.174.224.68 to
    81.174.224.70.

    As I understand it, 68 is a broadcast address, 69 is assigned to the
    router, 70 is for a server, which I don't use at the present time.

    Now, in my snort logs, which is connected to the outside of the
    firewall I get the following logs..

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.625784 81.174.224.69 -> 81.174.224.70
    ICMP TTL:111 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:52213 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.641759 81.174.224.69 -> 81.174.224.68
    ICMP TTL:110 TOS:0xA0 ID:45598 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:51701 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.642071 81.174.224.69 -> 81.174.224.70
    ICMP TTL:110 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:52213 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.649566 81.174.224.69 -> 81.174.224.71
    ICMP TTL:111 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:52469 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.665945 81.174.224.69 -> 81.174.224.71
    ICMP TTL:110 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:52469 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    Now, I thought of Welchia or one of its many variants, and all
    machines are clean; the DHCP records show only one machine on the
    network connected mostly, and that's my machine. It's clean.

    What could be causing these broadcasts? Any one have any ideas?

    -- 
    Best regards,
     Michael (mike@thompsonmike.co.uk)
     
    Join the American Non-Sequitur Society -- we don't make sense, but we do 
    like pizza. 
    http://www.thompsonmike.co.uk/
    PGP KeyID := 0xA9547E32
    'To see a world in a grain of sand
    And heaven in a wild flower
    To hold infinity in the palm of your hand
    And eternity in an hour'
    Using TheBat! Version 2.02.3 CE
    Running On Windows XP (2600, Service Pack 1)
    Sent From OneAndOne
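    An added example for this thread, not code from either poster: it parses the five Snort alerts quoted above, checks each destination against the /30 suggested in the reply (81.174.224.68/30, which is the reply's assumption, not a fact established in the thread), and lists echo requests whose IP ID and ICMP sequence number recur with a different TTL, as the quoted log shows for the pings to .70 and .71. SAMPLE_ALERTS is constructed from the post's own log lines.

```python
"""Check Snort ICMP alerts against a suggested /30.

Added example for this thread; it is not code from either poster.  The /30
(81.174.224.68/30) is the reply's assumption, and SAMPLE_ALERTS is constructed
from the five alert records quoted in the original post.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumed addressing from the reply: .68 network, .69/.70 usable, .71 broadcast.
ASSUMED_NET = ipaddress.ip_network("81.174.224.68/30")

# Constructed sample: the alerts quoted in the post, in Snort "full" alert format.
SAMPLE_ALERTS = """\
[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.625784 81.174.224.69 -> 81.174.224.70
ICMP TTL:111 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:52213 ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.641759 81.174.224.69 -> 81.174.224.68
ICMP TTL:110 TOS:0xA0 ID:45598 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:51701 ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.642071 81.174.224.69 -> 81.174.224.70
ICMP TTL:110 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:52213 ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.649566 81.174.224.69 -> 81.174.224.71
ICMP TTL:111 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:52469 ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.665945 81.174.224.69 -> 81.174.224.71
ICMP TTL:110 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:52469 ECHO
[Xref => http://www.whitehats.com/info/IDS154]
"""


@dataclass(frozen=True)
class IcmpAlert:
    sid: int
    msg: str
    timestamp: str
    src: str
    dst: str
    ttl: int
    ip_id: int
    dgmlen: int
    icmp_type: int
    icmp_code: int
    seq: int


_HDR = re.compile(r"\[\*\*\] \[\d+:(\d+):\d+\] (.+?) \[\*\*\]")
_FLOW = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$", re.M)
_IP = re.compile(r"ICMP TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+) IpLen:\d+ DgmLen:(\d+)")
_ICMP = re.compile(r"Type:(\d+) Code:(\d+) ID:\d+ Seq:(\d+)")


def parse_alerts(text):
    """Parse blank-line-separated Snort alert records; records that are not
    ICMP in this layout are skipped rather than guessed at."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        hdr, flow, ip, icmp = (p.search(block) for p in (_HDR, _FLOW, _IP, _ICMP))
        if not (hdr and flow and ip and icmp):
            continue
        alerts.append(IcmpAlert(
            sid=int(hdr.group(1)), msg=hdr.group(2),
            timestamp=flow.group(1), src=flow.group(2), dst=flow.group(3),
            ttl=int(ip.group(1)), ip_id=int(ip.group(2)), dgmlen=int(ip.group(3)),
            icmp_type=int(icmp.group(1)), icmp_code=int(icmp.group(2)),
            seq=int(icmp.group(3)),
        ))
    return alerts


def classify(addr, net=ASSUMED_NET):
    """Role of an address relative to net: network, broadcast, host or outside."""
    a = ipaddress.ip_address(addr)
    if a not in net:
        return "outside"
    if a == net.network_address:
        return "network"
    if a == net.broadcast_address:
        return "broadcast"
    return "host"


def subnet_layout(net=ASSUMED_NET):
    """Every address of the block with its role (the .68-.71 table in the reply)."""
    return {str(a): classify(str(a), net) for a in net}


def echo_targets(alerts, net=ASSUMED_NET):
    """Count ICMP echo requests (type 8) per (src, dst, role of dst)."""
    return Counter((a.src, a.dst, classify(a.dst, net))
                   for a in alerts if a.icmp_type == 8)


def repeated_datagrams(alerts):
    """Echo requests whose (src, dst, IP ID, seq) recurs; value is the TTLs seen.
    One datagram logged twice with TTLs one apart is usually the same packet
    observed at two points rather than two separate pings."""
    seen = {}
    for a in alerts:
        if a.icmp_type == 8:
            seen.setdefault((a.src, a.dst, a.ip_id, a.seq), []).append(a.ttl)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for addr, role in subnet_layout().items():
        print(f"{addr:16} {role}")
    for (src, dst, role), n in sorted(echo_targets(alerts).items()):
        print(f"{src} -> {dst} ({role}): {n} echo request(s)")
    for (src, dst, ip_id, seq), ttls in repeated_datagrams(alerts).items():
        print(f"{src} -> {dst} IP ID {ip_id} seq {seq} seen {len(ttls)}x, TTLs {ttls}")
```

    Run against the sample, the layout places .68 as the network address and .71 as broadcast (the post had .68 down as broadcast), the pings land on the network address, the broadcast address and the unused .70 host, and two of the three datagrams appear twice with TTL 111 then 110. Replace ASSUMED_NET with whatever the ISP actually allocated before drawing conclusions; the /30 is only the reply's guess.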