[Snort-users] Help with Misc Large ICMP Packet (snort log)

Rich Adamson radamson at ...2127...
Wed Oct 10 06:23:16 EDT 2001


Wally,

I researched this same type of issue a month or so ago. Turned out this 
company is using some third-party software that attempts to load balance
multiple data centers scattered around the world by sending huge ICMPs
to customer sites (yours), and measuring the responsiveness (and probably
the TTL) from each of their data centers. You should see these same types of
packets arriving from multiple source IPs, and recurring at regular intervals.

If you chase that a little further by researching the source IPs, you'll
find this company has purchased several other companies (presumably 
some .com's that apparently couldn't make it). You are receiving those
icmp's because someone at your site visited their site at some earlier
time, and their infrastructure is now attempting to load balance their
data center traffic.

Rich

------------------------
> Hello,
> Our snort log has been kicking these out for a couple of days.  I get about 300 a day from misc
> addresses spread all over the Internet.  The packet says to
> respond to ops at ...3759..., but of course I get no response.  Is this a false positive of some kind?  I
> thought at first it is monitoring software but I'm getting so
> many that I'm starting to wonder.
> 
> Thanks in advance.
> 
> Wally Hass
> 
> [**] MISC Large ICMP Packet [**]
> 10/10-03:04:34.984262 216.44.45.4 -> 216.217.xx.x
> ICMP TTL:239 TOS:0x0 ID:25401 IpLen:20 DgmLen:1020 DF
> Type:8  Code:0  ID:22272   Seq:22752  ECHO
> 6D 61 69 6C 74 6F 3A 6F 70 73 40 64 69 67 69 73  mailto:ops at ...3760...
> 6C 65 2E 63 6F 6D 20 66 6F 72 20 71 75 65 73 74  le.com for quest
> 69 6F 6E 73 20 20 20 20 54 68 69 73 20 49 43 4D  ions    This ICM
> 50 20 45 43 48 4F 20 52 45 51 55 45 53 54 2F 52  P ECHO REQUEST/R
> 45 50 4C 59 20 69 73 20 70 61 72 74 20 6F 66 20  EPLY is part of
> 74 68 65 20 72 65 61 6C 2D 74 69 6D 65 20 6E 65  the real-time ne
> 74 77 6F 72 6B 20 6D 6F 6E 69 74 6F 72 69 6E 67  twork monitoring
> 70 65 72 66 6F 72 6D 65 64 20 62 79 20 44 69 67  performed by Dig
> 69 74 61 6C 20 49 73 6C 61 6E 64 20 49 6E 63 2E  ital Island Inc.
> 20 20 49 74 20 69 73 20 6E 6F 74 20 61 6E 20 61    It is not an a
> 74 74 61 63 6B 2E 20 20 49 66 20 79 6F 75 20 68  ttack.  If you h
> 61 76 65 71 75 65 73 74 69 6F 6E 73 20 70 6C 65  avequestions ple
> 61 73 65 20 63 6F 6E 74 61 63 74 20 6F 70 73 40  ase contact ops@
> 64 69 67 69 73 6C 65 2E 63 6F 6D 00 00 00 00 00  digisle.com.....
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
---------------End of Original Message-----------------
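
Added example, not part of the original thread: a Python triage helper for alerts in the layout quoted above. It groups alerts by source IP, reports the gaps between probes, recovers the text banner, and checks that the dumped payload length matches DgmLen minus the IP and ICMP headers. The sample alerts, IP addresses, contact address and the default year are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the quoted alert's layout: documentation IPs, made-up contact, two hex rows.
TEMPLATE = """[**] MISC Large ICMP Packet [**]
{ts} {src} -> 192.0.2.10
ICMP TTL:239 TOS:0x0 ID:25401 IpLen:20 DgmLen:60 DF
Type:8  Code:0  ID:22272   Seq:22752  ECHO
6D 61 69 6C 74 6F 3A 6F 70 73 40 65 78 61 6D 70  mailto:ops@examp
6C 65 2E 74 65 73 74 00 00 00 00 00 00 00 00 00  le.test.........
"""
SAMPLE = "\n".join(TEMPLATE.format(ts=t, src=s) for t, s in [
    ("10/10-03:04:34.984262", "198.51.100.4"), ("10/10-03:04:35.120000", "203.0.113.9"),
    ("10/10-03:05:34.990113", "198.51.100.4"), ("10/10-03:06:35.001500", "198.51.100.4")])

HEAD = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)")
LENS = re.compile(r"IpLen:(\d+) DgmLen:(\d+)")
HEXROW = re.compile(r"((?:[0-9A-F]{2} ){1,16}) ")

def parse_alerts(text, year=2001):  # Snort timestamps omit the year; 2001 is assumed
    alerts = []
    for raw in text.splitlines():
        line = raw.lstrip("> ")  # tolerate mail-quoted logs
        if m := HEAD.match(line):
            ts = datetime.strptime(f"{year}/{m[1]}", "%Y/%m/%d-%H:%M:%S.%f")
            alerts.append({"ts": ts, "src": m[2], "payload": b"", "expect": None})
        elif alerts and (m := LENS.search(line)):
            alerts[-1]["expect"] = int(m[2]) - int(m[1]) - 8  # minus IP and ICMP headers
        elif alerts and (m := HEXROW.match(line)):
            alerts[-1]["payload"] += bytes.fromhex(m[1])
    return alerts

def summarize(alerts):
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    report = {}
    for src, items in by_src.items():
        times = sorted(a["ts"] for a in items)
        text = items[0]["payload"].rstrip(b"\x00")  # banner without the null padding
        report[src] = {
            "count": len(items),
            "gaps_s": [round((b - a).total_seconds()) for a, b in zip(times, times[1:])],
            "banner": text.decode("ascii", "replace"),
            "padding": len(items[0]["payload"]) - len(text),
            "dump_complete": all(len(a["payload"]) == a["expect"] for a in items),
        }
    return report
```

Near-constant `gaps_s` values from several sources carrying the same banner match the scheduled-probe pattern described in the reply; irregular gaps or differing payloads would warrant a closer look.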
