Subject: Re: 85.85.85.85 weirdness
From: Jud (jmainNFR.NET)
Date: Wed Jul 19 2000 - 12:38:29 CDT


To the best of our knowledge, some Xircom PCMCIA cards and
perhaps some other PCMCIA cards spit out these weird packets
occasionally.

My own Micron laptop with a Xircom PCMCIA card has spit
out these packets for no apparent reason; however, this does
not mean that it is the only hardware in existence that spits
these packets out.

Jud.

Wozz wrote:

> On Wed, Jul 19, 2000 at 04:23:00PM +0200, Pascal Bouchareine wrote:
> > just my $0.01 but :
> >
> > On Tue, Jul 18, 2000 at 07:37:49PM -0600, Wozz wrote:
> > > Anyone have any idea what I might be seeing here? I just turned up an NFR
> > > probe at Exodus in DC, and I'm seeing all sorts of traffic as follows
> > >
> > > NFR: dc-probefe
> > > Source: 85.85.85.85
> > > Destination: 85.85.85.85
> >
> > 0x55555555 as a source ip.
> >
> > > Type of attack: Land
> >
> > triggered because of the short size/buggy pointers, i guess.
> >
> > > Protocol: 6
> > > Src Port: 21845
> > > DST Port: 21845
> >
> > 21845, which is 0x5555. fun. this information is not interesting to you,
> > as i bet this is a (buggy) "0x55 frame" and doesn't have anything to do with
> > 85.85.85.85 or a land attack. anyway, the bug's still there.
> >
>
> That's what I suspected, that it was some sort of bug.
>
> > > ICMP Type: 0
> > > ICMP Code: 0
> > > Packet:
> > >
> > > E\\x00\\x02`\\xc6\\x01\\x00\\xff\\x06\\xd7\\xf6UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
> >
> > U is 0x55, confirmed. you have a memset'ed area of 0x55. is it at the
> > network level, or at the "bpf" level ?
>
> I'm not sure, as I said, I don't see it on the network when I do a tcpdump on my
> firewall
>
> >
> > > My probe is sitting in front of my firewall box, and when I do a tcpdump on
> > > my firewall searching for any of these packets, nothing comes up. The only
> > > thing I can figure is that this is some sort of weird packet that's being
> > > misinterpreted by NFR. Perhaps some sort of ethernet broadcast being used
> > > by Exodus's Foundry VLANs?
> >
> > are you sure your firewall doesn't filter these packets before passing
> > them to the packet capture interface ?
>
> The probe is outside the firewall (between our external router and the firewall)
>
> >
> > this sounds like a strange memory corruption, at the ethernet level
> > or at the NFR level.. very interesting :)
> >
>
> No kidding ;)
>
> Wish I could figure it out though, as it's filling up the alerts window ;)
>
> Any NFR people have any ideas?
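
An added example, not part of the original thread and not NFR's code: a triage check for packets that trip a Land (source equals destination) rule. It separates frames whose addresses, ports and payload are all one repeated fill byte, as in the 0x55 case discussed above, from packets that carry a real matching address and port pair. The function name, verdict strings and both sample frames are constructed for illustration; the first frame is modeled on the dump in the thread and is not a byte-exact copy of it.

```python
import ipaddress
import struct


def triage(pkt: bytes) -> dict:
    """Classify a raw IPv4 packet that tripped a Land (src == dst) rule."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4  # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl + 4:
        raise ValueError("truncated header or missing ports")
    src, dst = pkt[12:16], pkt[16:20]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    land = src == dst and sport == dport
    # If every byte from the source address onward is identical, the
    # addresses, ports and payload all come from one filled buffer.
    tail = pkt[12:]
    fill = tail[0] if len(set(tail)) == 1 else None
    if land and fill is not None:
        verdict = "fill-pattern artifact"
    elif land:
        verdict = "land signature"
    else:
        verdict = "no match"
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport,
        "dport": dport,
        "proto": pkt[9],
        "fill_byte": fill,
        "verdict": verdict,
    }


# Constructed sample: 12 header bytes followed by 0x55 fill, 608 bytes total.
FILL_FRAME = bytes.fromhex("45000260c6014000ff06d7f6") + b"\x55" * 596
# Constructed sample: src == dst (192.0.2.10, TEST-NET-1), ports 139/139,
# followed by an ordinary 16-byte remainder of a TCP header.
LAND_FRAME = (bytes.fromhex("450000280001000040060000")
              + bytes([192, 0, 2, 10]) * 2
              + struct.pack("!HH", 139, 139)
              + bytes.fromhex("00000001000000005002200000000000"))

if __name__ == "__main__":
    for name, frame in (("fill", FILL_FRAME), ("land", LAND_FRAME)):
        print(name, triage(frame))
```
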