Icmp reply but no stimulus.

Lou Goddard lgoddard at camptv.com
Fri Dec 10 19:35:54 UTC 2004 

My nameservers are receiving ICMP reply packets from a few of its =
clients.  The interesting part is that the nameservers are not eliciting =
the replies.

I was able to find one other person who has observed this.  I contacted =
the author some time ago, but he had not revealed the source of these =
mysterious packets.
http://seclists.org/lists/incidents/2003/Dec/0092.html

Has anyone else noticed this?


Here is a text output from tcpdump:
May 14 14:06:16.470274 65.79.148.163 > 216.143.113.50: icmp: echo reply =
(id:001d seq:11106) (ttl 120, id 45909)
  0000: 4500 0040 b355 0000 7801 6fb3 414f 94a3  E..@=B3U..x.o=B3AO.=A3
  0010: d88f 7132 0000 ddaa 001d 2b62 3e71 6410  =D8.q2..=DD=AA..+b>qd.
  0020: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE
  0030: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE

May 14 14:06:21.472312 65.79.148.163 > 216.143.113.50: icmp: echo reply =
(id:001d seq:11106) (ttl 120, id 45911)
  0000: 4500 0040 b357 0000 7801 6fb1 414f 94a3  E..@=B3W..x.o=B1AO.=A3
  0010: d88f 7132 0000 5597 001d 2b62 c684 6410  =D8.q2..U...+b=C6.d.
  0020: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE
  0030: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE

May 14 14:06:26.473578 65.79.148.163 > 216.143.113.50: icmp: echo reply =
(id:001d seq:11106) (ttl 120, id 45913)
  0000: 4500 0040 b359 0000 7801 6faf 414f 94a3  E..@=B3Y..x.o=AFAO.=A3
  0010: d88f 7132 0000 cd83 001d 2b62 4e98 6410  =D8.q2..=CD...+bN.d.
  0020: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE
  0030: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE

May 14 14:06:31.475432 65.79.148.163 > 216.143.113.50: icmp: echo reply =
(id:001d seq:11106) (ttl 120, id 45915)
  0000: 4500 0040 b35b 0000 7801 6fad 414f 94a3  E..@=B3[..x.o=ADAO.=A3
  0010: d88f 7132 0000 4570 001d 2b62 d6ab 6410  =D8.q2..Ep..+b=D6=ABd.
  0020: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE
  0030: 4545 4545 4545 4545 4545 4545 4545 4545  EEEEEEEEEEEEEEEE

--Lou Goddard

More information about the bind-users mailing list