Subject: Re: 85.85.85.85 weirdness
From: David Meissner (dmeissner@PUNCHNETWORKS.COM)
Date: Sat Jul 22 2000 - 14:30:29 CDT
- Next message: Jaap: "Which webserver exploit is this?"
- Previous message: Talisker: "Re: Port 38293"
- Maybe in reply to: Wozz: "85.85.85.85 weirdness"
- Maybe reply: David Meissner: "Re: 85.85.85.85 weirdness"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This looks familiar to me from when I used to run Novell's LANAlyzer on a problematic network. I think Keith is right, this is a sign of ethernet noise of some kind. Maybe late collisions leaving many fragmented packets?
David Meissner
-----Original Message-----
From: HESS,KEITH (HP-Boise,ex1) [mailto:keith_hess@HP.COM]
Sent: Wednesday, July 19, 2000 12:20 PM
To: INCIDENTS@SECURITYFOCUS.COM
Subject: Re: 85.85.85.85 weirdness
FYI,
Looks like a binary 1010.... Perhaps an ethernet preamble run away from a defective NIC or hub port some place.
-----Original Message-----
From: Corbin Siddall [mailto:Csiddall@areawidenet.com]
Sent: Wednesday, July 19, 2000 8:03 AM
To: incidents@securityfocus.com; wozz+incidents@wookie.net
Cc: nfr-users@nfr.net
Subject: Re: 85.85.85.85 weirdness
I have seen the LAND 85.85.85.85 attacks on our network a few months back. We were having a problem with one of our routers at the same time. When I swapped out the router, NFR no longer picked up those messages.
-------------------------------------------------------------
Corbin B. Siddall, MCSE, CCNA, CCDA, CCA
Senior Network Engineer
Area-Wide Networking Technologies, INC.
"Let the Ring of Excellence keep your 'Net' working!"
Web: http://www.areawidenet.com
Phone: 217.359.8041
FAX: 217.359.8113
>>> Wozz <wozz+incidents@wookie.net> 07/18/00 08:37PM >>>
Anyone have any idea what I might be seeing here? I just turned up an NFR probe at Exodus in DC, and I'm seeing all sorts of traffic as follows
NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 1
Src Port: 0
DST Port: 0
ICMP Type: 85
ICMP Code: 85
Packet:
E\x00\x008\x80\x1e\x00\x00\x01\x01UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1
I also get occasional variations as follows
NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 6
Src Port: 21845
DST Port: 21845
ICMP Type: 0
ICMP Code: 0
Packet:
E\x00\x02`\xc6\x01
\x00\xff\x06\xd7\xf6UUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1
and
NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 17
Src Port: 21845
DST Port: 21845
ICMP Type: 0
ICMP Code: 0
Packet:
E\x00\x00"\xe1\xd3\x00\x00
\x11\x12UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1
My probe is sitting in front of my firewall box, and when I do a tcpdump on my firewall searching for any of these packets, nothing comes up. The only thing I can figure is that this is some sort of weird packet that's being misinterpreted by NFR. Perhaps some sort of ethernet broadcast being used by Exodus's Foundry VLANs?
Just curious if anyone else has seen anything like this on an NFR system or otherwise.
****************************************************************
TO POST A MESSAGE on this list, send it to nfr-users@nfr.net.
TO UNSUBSCRIBE from this list, send the following text in the
message body (not subject line) to majordomo@nfr.net
unsubscribe nfr-users Your-Email-Address
****************************************************************
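The triage step the thread converges on (is this a crafted LAND packet or line noise?) can be automated. The script below is an added editor's example, not NFR's code and not anything posted by the participants. It parses the backslash-escaped dumps NFR printed, decodes the IPv4 header, verifies the header checksum, pulls the layer-4 ports, and scores how much of the datagram is the 0x55 (binary 01010101) fill; a src==dst alert with a failing checksum and a near-total 0x55 fill is reported as probable line noise. The sample dumps are re-typed from the thread with the lengths of the 'U' runs approximated; the literal line breaks inside the dumps are taken to be 0x0a bytes (an assumption, but one that makes the TTL and protocol fields decode to exactly the protocol 1, 6 and 17 values NFR reported); the control packet is constructed.

```python
"""Triage IDS 'LAND' alerts whose packet dump is a run of 0x55 bytes.

Assumed input format: the backslash-escaped dump NFR printed in the thread
(printable bytes as-is, others as \\xNN). Samples are re-typed from the
thread; run lengths of 'U' are approximate and do not affect the decode.
"""
import re
import struct

# Constructed samples transcribed from the thread. A literal newline inside
# a dump is taken to be the byte 0x0a (assumption); with that, TTL and
# protocol decode to the values NFR reported (protocol 1, 6 and 17).
SAMPLE_DUMPS = {
    "icmp": "E\\x00\\x008\\x80\\x1e\\x00\\x00\\x01\\x01" + "U" * 91,
    "tcp": "E\\x00\\x02`\\xc6\\x01\n\\x00\\xff\\x06\\xd7\\xf6" + "U" * 84,
    "udp": "E\\x00\\x00\"\\xe1\\xd3\\x00\\x00\n\\x11\\x12" + "U" * 98,
}

# Constructed control case: a well-formed 28-byte IPv4/TCP datagram from
# 10.0.0.1 to 10.0.0.2 with a valid header checksum (0x66d9), 8 zero bytes
# of payload, and different source and destination addresses.
CONTROL_PACKET = (
    b"\x45\x00\x00\x1c\x00\x01\x00\x00\x40\x06\x66\xd9"
    b"\x0a\x00\x00\x01\x0a\x00\x00\x02" + b"\x00" * 8
)

_TOKEN = re.compile(r"\\x([0-9a-fA-F]{2})|\\(.)|(.)", re.S)
_C_ESCAPES = {"n": 0x0A, "r": 0x0D, "t": 0x09, "\\": 0x5C, "0": 0x00}


def unescape_dump(text: str) -> bytes:
    """Turn an NFR-style escaped dump back into raw bytes."""
    out = bytearray()
    for hexpair, esc, raw in _TOKEN.findall(text):
        if hexpair:
            out.append(int(hexpair, 16))
        elif esc:
            out.append(_C_ESCAPES.get(esc, ord(esc)))
        else:
            out.append(ord(raw) & 0xFF)
    return bytes(out)


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (options are ignored)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, ident, frag, ttl, proto, csum, src, dst = (
        struct.unpack("!BBHHHBBH4s4s", pkt[:20]))
    return {
        "version": vihl >> 4, "ihl": (vihl & 0x0F) * 4,
        "total_len": total_len, "id": ident, "frag": frag,
        "ttl": ttl, "proto": proto, "checksum": csum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def ipv4_checksum_ok(pkt: bytes) -> bool:
    """One's-complement sum of the header words must fold to 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return False
    total = sum(struct.unpack("!%dH" % (ihl // 2), pkt[:ihl]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def triage_land_alert(pkt: bytes) -> dict:
    """Classify a src==dst alert as crafted-looking or as a bit-pattern artefact.

    A run of 0x55 (01010101b) through checksum, addresses, ports and payload,
    together with a failing header checksum, points at a line-level pattern
    rather than at a datagram anyone built.
    """
    hdr = parse_ipv4(pkt)
    body = pkt[hdr["ihl"]:]
    fill = body.count(0x55) / len(body) if body else 0.0
    ports = None
    if hdr["proto"] in (6, 17) and len(body) >= 4:
        ports = struct.unpack("!HH", body[:4])
    evidence = {
        "src_eq_dst": hdr["src"] == hdr["dst"],
        "checksum_ok": ipv4_checksum_ok(pkt),
        "fill_0x55": round(fill, 2),
        # Supporting evidence only: a capture shorter than total_len may be
        # snaplen truncation rather than a bogus length field.
        "len_mismatch": hdr["total_len"] != len(pkt),
    }
    if not evidence["src_eq_dst"]:
        verdict = "not-land"
    elif fill >= 0.9 and not evidence["checksum_ok"]:
        verdict = "probable-line-noise"
    else:
        verdict = "possible-crafted-land"
    return {"verdict": verdict, "proto": hdr["proto"], "src": hdr["src"],
            "ttl": hdr["ttl"], "ports": ports, **evidence}


def triage_all(dumps: dict) -> dict:
    return {name: triage_land_alert(unescape_dump(t)) for name, t in dumps.items()}


if __name__ == "__main__":
    for name, result in triage_all(SAMPLE_DUMPS).items():
        print(name, result)
    print("control", triage_land_alert(CONTROL_PACKET))
```

Run as-is, the three thread samples come back as probable-line-noise (every one has src==dst, ports 21845/21845 or ICMP type 85 straight from the 0x55 fill, and a header checksum that does not verify), while the constructed control packet verifies and is reported as not-land. The checksum test is the part worth keeping in a real pipeline: a datagram someone actually crafted to trigger a LAND signature will normally carry a valid header checksum, and a pattern that fails it across every instance is far more likely to be the kind of preamble or collision residue the thread describes.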