RE: Please help with this strangeness

From: Shawn Jackson (sjackson_at_horizonusa.com)
Date: 01/15/04

    Date: Thu, 15 Jan 2004 13:17:43 -0800
    To: "Michael Thompson" <mike@thompsonmike.co.uk>, <security-basics@securityfocus.com>
    
    

    That is weird networking! Usually ISPs assign a '30 block' to
    people using NAT, in which case you only have one usable networking
    address. The broadcast address lives at the 'top' of the block, so it
    would not be 68. Maybe your assignment looks like:

    68 -> Network Address
    69 -> ISP Router
    70 -> Your NAT/Firewall
    71 -> Broadcast Address

    Can you give more specifics on the address/networking details? From the
    logs it looks like the ISP router is a little chatty and might be
    configured that way. That's assuming that 69 is your ISP router. If 69
    is a host, they could be keep-alive packets. They are TCP Type 8, which
    is an Echo (TCP PING).

    Shawn Jackson
    Systems Administrator
    Horizon USA
    1190 Trademark Dr #107
    Reno NV 89521

    www.horizonusa.com
    Email: sjackson@horizonusa.com
    Phone: (775) 858-2338
                 (800) 325-1199 x338

    -----Original Message-----
    From: Michael Thompson [mailto:mike@thompsonmike.co.uk]
    Sent: Wednesday, January 14, 2004 7:03 PM
    To: security-basics@securityfocus.com
    Subject: Please help with this strangeness

    Hi Security-basics,

    I was going through all my security logs today and I noticed something
    a little odd, and wondered if anyone could offer any insight. I am not
    that good at detailed security!

    I have an IP block assigned from my ISP, from 81.174.224.68 to
    81.174.224.70.

    As I understand it, 68 is a broadcast address, 69 is assigned to the
    router, 70 is for a server, which I don't use at the present time.

    Now, in my snort logs, which is connected to the outside of the
    firewall, I get the following logs:

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.625784 81.174.224.69 -> 81.174.224.70
    ICMP TTL:111 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:52213 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.641759 81.174.224.69 -> 81.174.224.68
    ICMP TTL:110 TOS:0xA0 ID:45598 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:51701 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.642071 81.174.224.69 -> 81.174.224.70
    ICMP TTL:110 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:52213 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.649566 81.174.224.69 -> 81.174.224.71
    ICMP TTL:111 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:52469 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    [Classification: Misc activity] [Priority: 3]
    01/15-02:49:35.665945 81.174.224.69 -> 81.174.224.71
    ICMP TTL:110 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
    Type:8 Code:0 ID:512 Seq:52469 ECHO
    [Xref => http://www.whitehats.com/info/IDS154]

    Now, I thought of welchia or one of its many variants, and all
    machines are clean; the DHCP records show only one machine on the
    network connected mostly, and that's my machine. It's clean.

    What could be causing these broadcasts? Anyone have any ideas?

    -- 
    Best regards,
     Michael (mike@thompsonmike.co.uk)
       
    Join the American Non-Sequitur Society -- we don't make sense, but we do
    like pizza. 
    http://www.thompsonmike.co.uk/
    PGP KeyID := 0xA9547E32
    'To see a world in a grain of sand
    And heaven in a wild flower
    To hold infinity in the palm of your hand
    And eternity in an hour'
    Using TheBat! Version 2.02.3 CE
    Running On Windows XP (2600, Service Pack 1)
    Sent From OneAndOne
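    The triage Shawn describes (work out which address in the /30 is the network
    address, which is the broadcast, which are usable hosts) and the log reading
    Michael is doing by hand can be scripted. The following is an added example,
    not code from either poster or from the security-basics list: it parses the
    Snort alert blocks quoted above (four of them are embedded inline as
    constructed sample input), labels each destination by its role in the
    81.174.224.68/30 block, counts ICMP type 8 (echo request) alerts per
    source/destination pair, and flags alerts that share the same IP ID and ICMP
    sequence number, which in these logs appear twice each with the TTL differing
    by one. The `/30` prefix is an assumption taken from Shawn's reply, not a
    fact Michael confirmed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample input: four of the Snort alerts quoted in the thread,
# embedded inline so the script runs offline.
SAMPLE_ALERTS = """\
[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.625784 81.174.224.69 -> 81.174.224.70
ICMP TTL:111 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:52213 ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.641759 81.174.224.69 -> 81.174.224.68
ICMP TTL:110 TOS:0xA0 ID:45598 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:51701 ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.642071 81.174.224.69 -> 81.174.224.70
ICMP TTL:110 TOS:0xA0 ID:45600 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:52213 ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
01/15-02:49:35.649566 81.174.224.69 -> 81.174.224.71
ICMP TTL:111 TOS:0xA0 ID:45601 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:52469 ECHO
[Xref => http://www.whitehats.com/info/IDS154]
"""

# Line formats of a Snort "full" alert block: header, flow line, IP line, ICMP line.
HEADER_RE = re.compile(r"\[\*\*\] \[(\S+)\] (.*) \[\*\*\]$")
FLOW_RE = re.compile(r"(\S+) ([\d.]+) -> ([\d.]+)$")
IP_RE = re.compile(r"(\w+) TTL:(\d+) TOS:(\S+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
ICMP_RE = re.compile(r"Type:(\d+) Code:(\d+) ID:(\d+) Seq:(\d+)")

def parse_alerts(text):
    """Parse blank-line-separated Snort alert blocks into one dict per alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        if len(lines) < 4:
            continue
        hdr, flow, ip = HEADER_RE.match(lines[0]), FLOW_RE.match(lines[2]), IP_RE.match(lines[3])
        if not (hdr and flow and ip):
            continue  # not a block layout we understand; skip rather than guess
        a = {"sid": hdr.group(1), "msg": hdr.group(2), "ts": flow.group(1),
             "src": flow.group(2), "dst": flow.group(3), "proto": ip.group(1),
             "ttl": int(ip.group(2)), "ip_id": int(ip.group(4))}
        if a["proto"] == "ICMP" and len(lines) > 4:
            icmp = ICMP_RE.match(lines[4])
            if icmp:  # only ICMP alerts carry a Type/Code/Seq line
                a["icmp_type"], a["icmp_code"] = int(icmp.group(1)), int(icmp.group(2))
                a["icmp_seq"] = int(icmp.group(4))
        alerts.append(a)
    return alerts

def block_roles(cidr):
    """Map every address in a CIDR block to network / usable host / broadcast."""
    net = ipaddress.ip_network(cidr, strict=False)
    roles = {str(h): "usable host" for h in net.hosts()}
    roles[str(net.network_address)] = "network address"
    roles[str(net.broadcast_address)] = "broadcast address"
    return roles

def summarize(alerts, cidr):
    """Per src->dst pair: alert count, echo-request count, role of the destination."""
    roles = block_roles(cidr)
    rows = {}
    for a in alerts:
        row = rows.setdefault((a["src"], a["dst"]), {"count": 0, "echo_requests": 0})
        row["count"] += 1
        if a.get("icmp_type") == 8 and a.get("icmp_code") == 0:
            row["echo_requests"] += 1
    return [{"src": s, "dst": d, "dst_role": roles.get(d, "outside block"), **row}
            for (s, d), row in sorted(rows.items())]

def repeated_packets(alerts):
    """(src, dst, IP ID, ICMP seq) tuples logged more than once. Identical ID and
    sequence suggest the same datagram seen twice rather than two separate pings,
    so count them once when judging how chatty a source really is."""
    keys = Counter((a["src"], a["dst"], a["ip_id"], a.get("icmp_seq")) for a in alerts)
    return {k: n for k, n in keys.items() if n > 1}

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for row in summarize(parsed, "81.174.224.68/30"):  # /30 assumed, per Shawn's reply
        print(f"{row['src']} -> {row['dst']} ({row['dst_role']}): "
              f"{row['count']} alert(s), {row['echo_requests']} echo request(s)")
    print("repeated (src, dst, ip_id, seq):", repeated_packets(parsed))
```

    Run against the thread's alerts, the summary puts .68 at the bottom of the
    block as the network address and .71 at the top as the broadcast, which is
    the layout Shawn sketches, and the two .70 alerts collapse to one datagram
    once the repeated IP ID and sequence are taken into account.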
    
