OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: 85.85.85.85 weirdness
From: Wozz (wozz+incidentsWOOKIE.NET)
Date: Tue Jul 18 2000 - 20:37:49 CDT

Anyone have any idea what I might be seeing here? I just turned up an NFR
probe at Exodus in DC, and I'm seeing all sorts of traffic as follows

NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 1
Src Port: 0
DST Port: 0
ICMP Type: 85
ICMP Code: 85
Packet:

E\\x00\\x008\\x80\\x1e\\x00\\x00\\x01\\x01UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1

I also get occasional variations as follows

NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 6
Src Port: 21845
DST Port: 21845
ICMP Type: 0
ICMP Code: 0
Packet:

E\\x00\\x02`\\xc6\\x01\\x00\\xff\\x06\\xd7\\xf6UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1

and

NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 17
Src Port: 21845
DST Port: 21845
ICMP Type: 0
ICMP Code: 0
Packet:

E\\x00\\x00""\\xe1\\xd3\\x00\\x00\\x11\\x12UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1

My probe is sitting in front of my firewall box, and when I do a tcpdump on
my firewall searching for any of these packets, nothing comes up. The only
thing I can figure is that this is some sort of weird packet thats being
misinterpreted by NFR. Perhaps some sort of ethernet broadcast being used
by Exodus's Foundry VLAN's?

Just curious if anyone else has seen anything like this on an NFR system or
otherwise.