Icmp reply but no stimulus.

Sten Carlsen ccc2716 at vip.cybercity.dk
Fri Dec 10 21:33:24 UTC 2004


Look at NMAP, it may not be this program, but it looks like the idea in 
its "stealth scan".

Lou Goddard wrote:

>My nameservers are receiving ICMP reply packets from a few of their
>clients.  The interesting part is that the nameservers are not eliciting
>the replies.
>
>I was able to find one other person who has observed this.  I contacted
>the author some time ago, but he had not revealed the source of these
>mysterious packets.
>http://seclists.org/lists/incidents/2003/Dec/0092.html
>
>Has anyone else noticed this?
>
>
>Here is a text output from tcpdump:
>May 14 14:06:16.470274 65.79.148.163 > 216.143.113.50: icmp: echo reply (id:001d seq:11106) (ttl 120, id 45909)
>  0000: 4500 0040 b355 0000 7801 6fb3 414f 94a3  E..@=B3U..x.o=B3AO.=A3
>  0010: d88f 7132 0000 ddaa 001d 2b62 3e71 6410  =D8.q2..=DD=AA..+b>qd.
>  0020: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE
>  0030: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE
>
>May 14 14:06:21.472312 65.79.148.163 > 216.143.113.50: icmp: echo reply (id:001d seq:11106) (ttl 120, id 45911)
>  0000: 4500 0040 b357 0000 7801 6fb1 414f 94a3  E..@=B3W..x.o=B1AO.=A3
>  0010: d88f 7132 0000 5597 001d 2b62 c684 6410  =D8.q2..U...+b=C6.d.
>  0020: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE
>  0030: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE
>
>May 14 14:06:26.473578 65.79.148.163 > 216.143.113.50: icmp: echo reply (id:001d seq:11106) (ttl 120, id 45913)
>  0000: 4500 0040 b359 0000 7801 6faf 414f 94a3  E..@=B3Y..x.o=AFAO.=A3
>  0010: d88f 7132 0000 cd83 001d 2b62 4e98 6410  =D8.q2..=CD...+bN.d.
>  0020: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE
>  0030: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE
>
>May 14 14:06:31.475432 65.79.148.163 > 216.143.113.50: icmp: echo reply (id:001d seq:11106) (ttl 120, id 45915)
>  0000: 4500 0040 b35b 0000 7801 6fad 414f 94a3  E..@=B3[..x.o=ADAO.=A3
>  0010: d88f 7132 0000 4570 001d 2b62 d6ab 6410  =D8.q2..Ep..+b=D6=ABd.
>  0020: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE
>  0030: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE
>
>--Lou Goddard

-- 
Best regards

Sten Carlsen

Let HIM who has an empty INBOX send the first mail.
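
Added example (not part of the original thread): one way to flag echo replies like those in the capture above is to remember outgoing echo requests and report any reply that matches none of them. The names parse_echo, EchoTracker and as_request and the 10-second window are assumptions; PAGE_REPLY is the first packet of the quoted dump, and the matching request is constructed from it.

```python
import socket
import struct

# First packet of the tcpdump hex dump quoted above (IPv4 header + ICMP).
PAGE_REPLY = bytes.fromhex((
    "4500 0040 b355 0000 7801 6fb3 414f 94a3 d88f 7132"
    "0000 ddaa 001d 2b62 3e71 6410" + "4545" * 16).replace(" ", ""))

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over data holding a valid checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_echo(pkt: bytes):
    """Return the fields of an ICMP echo request (8) or reply (0), else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 or pkt[9] != 1 or pkt[ihl] not in (0, 8):
        return None
    icmp = pkt[ihl:]
    typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"type": typ, "id": ident, "seq": seq, "ttl": pkt[8],
            "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "checksum_ok": inet_checksum(icmp) == 0}

class EchoTracker:
    """Match echo replies to requests seen within `window` seconds before them."""
    def __init__(self, window: float = 10.0):
        self.window = window
        self.pending = {}  # (peer, id, seq) -> time the request was seen

    def observe(self, ts: float, pkt: bytes) -> str:
        p = parse_echo(pkt)
        if p is None:
            return "ignored"
        if p["type"] == 8:
            self.pending[(p["dst"], p["id"], p["seq"])] = ts
            return "request"
        sent = self.pending.pop((p["src"], p["id"], p["seq"]), None)
        ok = sent is not None and 0 <= ts - sent <= self.window
        return "solicited" if ok else "unsolicited"

def as_request(reply: bytes) -> bytes:
    """Constructed sample: the echo request that would have elicited `reply`."""
    body = b"\x08\x00\x00\x00" + reply[24:]
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return reply[:12] + reply[16:20] + reply[12:16] + icmp
```

Because a matched request is consumed, a second reply carrying the same id and sequence number, as every packet in the capture does, is reported as unsolicited even after one legitimate exchange.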






