
SANS ISC: Strange ICMP traffic seen in destination - SANS Internet Storm Center SANS ISC InfoSec Forums


Strange ICMP traffic seen in destination

Reader Ronnie sent us a packet capture today showing a very interesting situation:

  1. Several packets are arriving, all ICMP echo requests, from unrelated addresses:
    [Figure: ICMP sources]
  2. None of the ICMP packets sent to the destination address carries any data, leaving each packet at 20 bytes of IP header plus 8 bytes of ICMP echo request header and no payload:
    [Figure: ICMP data]
  3. Each of the unrelated addresses sent 6 packets: one with a normal TTL and 5 with incrementing TTLs:
    [Figure: 6 ICMP packets for each destination]

These packets appear to be trying to map a route, but in a very particular way. Since many unrelated IP addresses are doing the same thing, something may be mapping routes to a specific address in preparation for something malicious. The destination IP address is an ADSL client.
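As an added example (not part of Ronnie's capture or of this diary), the following Python flags the pattern described above in a constructed list of packet summaries: echo requests with no payload whose TTLs, from one source to one destination, form an incrementing run. The record format, addresses and thresholds are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample records (not from the diary's capture): one line per IP packet,
# fields are source, destination, IP TTL, ICMP type and total IP length in bytes.
SAMPLE = """\
203.0.113.5 198.51.100.7 ttl=52 type=8 len=28
203.0.113.5 198.51.100.7 ttl=1 type=8 len=28
203.0.113.5 198.51.100.7 ttl=2 type=8 len=28
203.0.113.5 198.51.100.7 ttl=3 type=8 len=28
203.0.113.5 198.51.100.7 ttl=4 type=8 len=28
203.0.113.5 198.51.100.7 ttl=5 type=8 len=28
192.0.2.9 198.51.100.7 ttl=64 type=8 len=84
192.0.2.9 198.51.100.7 ttl=64 type=8 len=84
198.18.0.3 198.51.100.7 ttl=7 type=8 len=28
198.18.0.3 198.51.100.7 ttl=8 type=8 len=28
"""

IP_HDR = 20     # IPv4 header without options
ICMP_HDR = 8    # ICMP echo header (type, code, checksum, id, seq)

def parse(text):
    """Parse the constructed records into (src, dst, ttl, icmp_type, payload_len)."""
    records = []
    kv = lambda s: int(s.split("=", 1)[1])
    for line in text.splitlines():
        src, dst, ttl, typ, length = line.split()
        records.append((src, dst, kv(ttl), kv(typ), kv(length) - IP_HDR - ICMP_HDR))
    return records

def ttl_run(ttls):
    """Length of the longest run of consecutive, strictly increasing TTL values."""
    best = run = 1 if ttls else 0
    for a, b in zip(ttls, ttls[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def find_ttl_probes(records, min_run=5, max_low_ttl=32):
    """Map (src, dst) -> sorted TTLs for sources whose empty echo requests carry an incrementing low-TTL run."""
    empty = defaultdict(list)
    for src, dst, ttl, typ, plen in records:
        if typ == 8 and plen == 0:          # echo request with no data (28-byte packet)
            empty[(src, dst)].append(ttl)
    hits = {}
    for key, ttls in empty.items():
        low = sorted(t for t in ttls if t <= max_low_ttl)
        if ttl_run(low) >= min_run:
            hits[key] = sorted(ttls)
    return hits
```

Real captures would be fed in from tcpdump or a pcap parser instead of the constructed text, and the "normal" TTL (52 here) shows up alongside the 1..5 run exactly as in the diary's third observation.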

Is anyone else seeing this kind of packet? If so, we definitely want to hear from you. Let us know!

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Have seen similar UDP based traceroute traffic. The sources listed with low TTLs are registered or partnered with CDNetworks, who provide a global Content Delivery Network (CDN) service from locations including US, Russia, China and Korea. These traceroutes therefore appear to be one of the methods by which this company determines the shortest global route to clients for web content delivery.
Anonymous
