From: stefmit IX.NETCOM.COM
Date: Mon Jan 22 2001 - 12:46:48 CST
As of last week I started seeing roughly 20-30MB/day of snort
logs for all my DMZ machines, with the following three types of
packets (NOTE: I use private IP addressing scheme for internal
machines):
----------------------- 1st type -----------------------------------------------------------
------- from DMZ machines to internal machines OR Internet valid IP addresses -------
[**] ICMP Unknown Type [**]
01/11-09:13:05.662324 8:0:36:1:2:A8 -> 8:0:20:90:31:78
type:0x800 len:0x5EA
DMZ machine -> random (?!?) IP of internal hosts OR valid routable
IP addresses (random?!?)
ICMP TTL:128 TOS:0x0 ID:19309 DF
ID:48282 Seq:61662 ECHO REPLY
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
and on and on ... until the whole length (0x5EA = 1514 decimal)
---------------------- 2nd type ------------------------------------------------------
----- DMZ machines to internal hosts ---------------------------------------
[**] ICMP Unknown Type [**]
01/11-09:43:46.711544 0:E0:29:16:BA:CE -> 8:0:20:90:31:78
type:0x800 len:0x4A
DMZ machine -> internal machines
ICMP TTL:128 TOS:0x0 ID:56701
ID:1 Seq:2 ECHO REPLY
61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 abcdefghijklmnop
71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
--------------------------- 3rd type ---------------------------------------------------
------- DMZ machines to internal name servers --------------------------
[**] ICMP Destination Unreachable (Precedence Cutoff in effect) [**]
01/18-10:49:15.773963 0:D0:B7:44:2A:53 -> 8:0:20:90:31:78
type:0x800 len:0x46
DMZ machines -> internal name servers
ICMP TTL:128 TOS:0x0 ID:31815
DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 00 00 49 07 2B 00 00 7E 11 EA C0 ....E..I.+..~...
AC 10 04 B5 CD DB CC 17 00 35 08 BD 00 35 60 A2 .........5...5`.
... and I am talking about literally tens of megs of logs of these daily.
Any idea what could cause such behavior? Is anybody familiar with
these? I have looked up the whitehats site, but the only one of the
above mentioned there is the middle one, which looks like W2K
problems?!?
TIA,
Stef
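Added example, not part of the original post: the third alert type quotes the datagram that triggered the "port unreachable", and decoding that quoted header tells you which of your own packets the ICMP error refers to, which is what you need before deciding whether the alert is benign. The script below converts a Snort hex dump back into bytes and parses the inner IP and transport headers. It assumes (my reading of the dump) that Snort prints the ICMP payload starting at the 4 unused bytes that follow the type/code/checksum, so the inner IP header begins at offset 4; the sample input is the dump quoted in the post.

```python
import struct
import ipaddress

# Constructed sample: the payload bytes Snort printed for the
# "ICMP Destination Unreachable" alert quoted in the post.
SNORT_DUMP = """\
00 00 00 00 45 00 00 49 07 2B 00 00 7E 11 EA C0 ....E..I.+..~...
AC 10 04 B5 CD DB CC 17 00 35 08 BD 00 35 60 A2 .........5...5`.
"""

IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn Snort's 'XX XX ... <ascii>' lines back into raw bytes.

    Snort prints at most 16 hex bytes per line followed by an ASCII
    rendering; we take the leading run of two-hex-digit tokens (max 16)
    and stop at the first token that is not hex, which is the ASCII column.
    """
    out = bytearray()
    for line in dump.splitlines():
        taken = 0
        for tok in line.split():
            if taken < 16 and len(tok) == 2 and set(tok) <= HEX_DIGITS:
                out.append(int(tok, 16))
                taken += 1
            else:
                break
    return bytes(out)


def decode_icmp_error_payload(payload: bytes) -> dict:
    """Decode the datagram quoted inside an ICMP Destination Unreachable.

    Per RFC 792 the ICMP error body is: 4 unused bytes, then the original
    IP header plus at least the first 8 bytes of its transport header.
    Returns the fields a triager wants: inner src/dst, protocol, TTL,
    and (for TCP/UDP) the source and destination ports.
    """
    if len(payload) < 4 + 20 + 8:
        raise ValueError("payload too short for an IP header plus 8 transport bytes")
    inner = payload[4:]  # skip the unused field
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", inner[:12]
    )
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError(f"unexpected inner IP header: version={version} ihl={ihl}")
    if len(inner) < ihl + 8:
        raise ValueError("quoted datagram truncated before transport header")
    info = {
        "src": str(ipaddress.IPv4Address(inner[12:16])),
        "dst": str(ipaddress.IPv4Address(inner[16:20])),
        "proto": IP_PROTO_NAMES.get(proto, str(proto)),
        "ttl": ttl,
        "total_len": total_len,
        "ip_id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
    }
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        info["sport"] = sport
        info["dport"] = dport
    return info


def summarize(info: dict) -> str:
    """One-line description of the quoted datagram for an alert note."""
    src_private = ipaddress.ip_address(info["src"]).is_private
    ports = ""
    if "sport" in info:
        ports = f" {info['src']}:{info['sport']} -> {info['dst']}:{info['dport']}"
    else:
        ports = f" {info['src']} -> {info['dst']}"
    origin = "internal/private source" if src_private else "non-private source"
    return f"quoted {info['proto']}{ports} (ttl {info['ttl']}, {origin})"


if __name__ == "__main__":
    quoted = decode_icmp_error_payload(hexdump_to_bytes(SNORT_DUMP))
    print(summarize(quoted))
```

Running it on the quoted dump shows the unreachable refers to a UDP datagram sent from port 53 of a private (172.16.x.x) address, i.e. a reply your own name server sent, so the next step is to check that host's logs rather than the DMZ sender.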