[Snort-users] IDS171/ping zeros - One legit use

Rich Adamson radamson at ...2127...
Fri Jun 1 09:02:38 EDT 2001


Ofir,
I did search multiple web sites (including yours) and found nothing that
suggests 1500 byte ICMP requests have been observed in DNS/Load Balancing
systems. ICMPs have been used for a lot of unusual things, however only
one web site found any reference whatsoever to "IDS171" and that one
did not even provide a hint relative to the response below.
The original posting was intended to "add to" the list of what some might
consider legitimate ICMP uses.
Rich
------------------------
> This is an issue dealt with in this mailing list again and again :)
> 
> You might wish to search the archives and find out that HPUX 11.x, 10.30,
> AIX 4.3.x have a 'unique' PMTU discovery process using ICMP Echo requests
> that produces the same patterns you described.
> 
> You can also read the appropriate section in my paper ICMP Usage in Scanning
> available from http://www.sys-security.com.
> -----Original Message-----
> FYI...
> 
> One of our sites has been observing:
>   09:49:15 snort[2907]: IDS171/ping zeros: x.x.x.x -> y.y.y.y
> from snort. The content of these ping packets is essentially 1500 bytes
> of zeros (0's), and were arriving from five IP addresses assigned around
> the world.
> 
> In researching the "source" of these packets, we received the following
> response from this well-known international company:
> 
> "What you are seeing is a Wide area load balancing system trying to figure
> out which of our 3 data centers is closest to you.  Someone on your network
> requested one of our websites, and our DNS/load balancing system tries
> probing your nameserver that the initial dns request came from, and
> instructs the other data centers to do the same to collect path metrics.
> Subsequent requests from your network result in being handed an IP for the
> closest/fastest data center.  http://www.f5.com has the relevant information
> on how the system works.
> 
> If you'd like to be put in an exclude list, we can stop the probes to your
> network.  It tries to be as quiet as possible, but is in no way malicious.
> It does tend to set off some IDS systems though."
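The thread gives a defender two things to check before writing these alerts off: whether the ICMP payload really is a large run of zero bytes, and whether the alerts arrive as a short burst from several distinct sources toward the same host (the nameserver that made the DNS lookup), which is what the quoted explanation of the multi-data-center probing would produce. The script below is an added example, not code from the thread, from Snort, or from F5. It assumes the syslog line shape quoted above ("HH:MM:SS snort[pid]: IDS171/ping zeros: src -> dst"); the 1000-byte minimum payload length, the 60-second window, the allowlist mechanism and all IP addresses are constructed for the example and are not the Snort rule's own thresholds.

```python
import re
from collections import defaultdict

# Constructed sample alerts in the shape quoted on the list (IPs are made up).
# 192.0.2.53 is hit by three sources within one second; 192.0.2.77 by one.
SAMPLE_ALERTS = [
    "09:49:15 snort[2907]: IDS171/ping zeros: 198.51.100.10 -> 192.0.2.53",
    "09:49:15 snort[2907]: IDS171/ping zeros: 203.0.113.20 -> 192.0.2.53",
    "09:49:16 snort[2907]: IDS171/ping zeros: 198.51.100.30 -> 192.0.2.53",
    "09:52:40 snort[2907]: IDS171/ping zeros: 198.51.100.99 -> 192.0.2.77",
    "not an alert line at all",
]

# Assumed line format: "HH:MM:SS snort[pid]: IDS171/ping zeros: src -> dst"
ALERT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) snort\[\d+\]: IDS171/ping zeros: "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_alert(line):
    """Return (seconds since midnight, src, dst) for an IDS171 line, else None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group("time").split(":"))
    return h * 3600 + mi * 60 + s, m.group("src"), m.group("dst")


def is_ping_zeros_payload(payload, min_len=1000):
    """True when an ICMP echo payload is large and consists only of zero bytes,
    the 'essentially 1500 bytes of zeros' pattern from the thread.
    min_len is an assumed triage threshold, not the Snort rule's value."""
    return len(payload) >= min_len and not any(payload)


def triage(lines, window_s=60, min_sources=2, allowlist=frozenset()):
    """Group alerts by destination host.

    A burst of distinct sources hitting one host within window_s seconds is
    consistent with the multi-data-center path probing described in the
    thread; a lone source is not, and deserves a closer look.  allowlist holds
    probe sources the site has already verified as a vendor's (assumed
    mechanism: the thread only mentions the vendor's own exclude list)."""
    by_dst = defaultdict(list)
    for line in lines:
        parsed = parse_alert(line)
        if parsed:
            t, src, dst = parsed
            by_dst[dst].append((t, src))

    result = {}
    for dst, events in by_dst.items():
        events.sort()
        sources = {src for _, src in events}
        burst = False
        # Sliding window over time-sorted events: distinct sources per window.
        for i, (t0, _) in enumerate(events):
            in_window = {src for t, src in events[i:] if t - t0 <= window_s}
            if len(in_window) >= min_sources:
                burst = True
                break
        result[dst] = {
            "alerts": len(events),
            "sources": sorted(sources),
            "multi_source_burst": burst,
            "all_sources_allowlisted": sources <= set(allowlist),
        }
    return result


if __name__ == "__main__":
    verified = {"198.51.100.10", "203.0.113.20", "198.51.100.30"}
    for dst, info in triage(SAMPLE_ALERTS, allowlist=verified).items():
        print(dst, info)
    print("all-zero 1500-byte payload:", is_ping_zeros_payload(b"\x00" * 1500))
```

The payload check is meant to be run on the captured packet bytes, not on the alert text; the alert line only tells you the signature fired. A destination that shows both the multi-source burst and only allowlisted sources is the benign case the company describes, while a single unverified source sending large zero-filled pings is the one worth keeping in the queue.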