Subject: Re: 85.85.85.85 weirdness
From: Pascal Bouchareine (pbGROLIER.FR)
Date: Wed Jul 19 2000 - 09:23:00 CDT


just my $0.01 but :

On Tue, Jul 18, 2000 at 07:37:49PM -0600, Wozz wrote:
> Anyone have any idea what I might be seeing here? I just turned up an NFR
> probe at Exodus in DC, and I'm seeing all sorts of traffic as follows
>
> NFR: dc-probefe
> Source: 85.85.85.85
> Destination: 85.85.85.85

0x55555555 as a source ip.

> Type of attack: Land

triggered because of the short size/buggy pointers, i guess.

> Protocol: 6
> Src Port: 21845
> DST Port: 21845

21845, which is 0x5555. fun. this information is not interesting to you,
as i bet this is a (buggy) "0x55 frame" and doesn't have anything to do with
85.85.85.85 or a land attack. anyway, the bug's still there.

> ICMP Type: 0
> ICMP Code: 0
> Packet:
>
> E\\x00\\x02`\\xc6\\x01\\x00\\xff\\x06\\xd7\\xf6UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU

U is 0x55, confirmed. you have a memset'ed area of 0x55. is it at the
network level, or at the "bpf" level ?

> My probe is sitting in front of my firewall box, and when I do a tcpdump on
> my firewall searching for any of these packets, nothing comes up. The only
> thing I can figure is that this is some sort of weird packet that's being
> misinterpreted by NFR. Perhaps some sort of ethernet broadcast being used
> by Exodus's Foundry VLAN's?

are you sure your firewall doesn't filter these packets before passing
them to the packet capture interface ?

this sounds like a strange memory corruption, at the ethernet level
or at the NFR level.. very interesting :)

> Just curious if anyone else has seen anything like this on an NFR system or
> otherwise.

i never had this *kind* of thing.

--
Kalou.

((void(*)())(char[]){0x31, 0xdb, 0x31, 0xc0, 0xb0, 0x01, 0xcd, 0x80})();
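
The check the reply above does by hand (85.85.85.85 is 0x55555555 and port 21845 is 0x5555, so the "Land" alert points to a buffer filled with 0x55 rather than a real src == dst packet), as an added example that is not part of the original post. The function names, the 32-byte run threshold and both sample packets are constructed assumptions.

```python
import ipaddress
import struct

def triage_land_alert(pkt: bytes, min_run: int = 32) -> dict:
    """Tell a real src==dst packet from a buffer filled with one repeated byte."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"verdict": "not-ipv4"}
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return {"verdict": "malformed"}
    src, dst = pkt[12:16], pkt[16:20]
    info = {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": pkt[9], "sport": None, "dport": None, "fill_byte": None}
    if pkt[9] == 6 and len(pkt) >= ihl + 4:  # TCP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    # Is everything from the source address to the end one repeated byte?
    tail = pkt[12:]
    if len(tail) >= min_run and len(set(tail)) == 1:
        info["fill_byte"] = tail[0]
        info["verdict"] = "fill-pattern"   # addresses and ports are artifacts
    elif src == dst and info["sport"] is not None and info["sport"] == info["dport"]:
        info["verdict"] = "land-candidate"
    else:
        info["verdict"] = "other"
    return info

def ip_header_prefix(total_len: int) -> bytes:
    """First 12 bytes of an IPv4 header, TTL 255, protocol 6, checksum left 0."""
    return struct.pack("!BBHHHBBH", 0x45, 0, total_len, 0x1234, 0, 255, 6, 0)

# Constructed samples, not the capture quoted in the thread.
FILL_FRAME = ip_header_prefix(84) + b"\x55" * 72
LAND_LIKE = (ip_header_prefix(40) + bytes([192, 0, 2, 10]) * 2 +
             struct.pack("!HHIIBBHHH", 80, 80, 1, 0, 0x50, 0x02, 512, 0, 0))

if __name__ == "__main__":
    for name, pkt in (("fill frame", FILL_FRAME), ("land-like", LAND_LIKE)):
        print(name, triage_land_alert(pkt))
```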