Weird ICMP activity

Discussion in 'Microsoft Windows 2000 Networking' started by David Scott, Feb 10, 2004.

  1. David Scott

    David Scott Guest

    I have two networks geographically (and logically) separated between two
    cities, joined via a PPTP VPN using ISA server. A network dump has shown me
    some weird ICMP activity I'm trying to chase down.

    I have hosts on one network chattering to a Windows 2000 domain controller
    in the other location with some huge ICMP packets. Tunnelled in the packet
    is a Microsoft logo image (notice the JFIF header). A sample of the ICMP
    data is below (this is from the intrusions.org list - you can get a full
    dump here http://www.incidents.org/archives/intrusions/msg14866.html)

    > 14:20:29.334511 192.168.19.47 > xxx.xxx.xxx.xxx: icmp: echo request
    > (frag 7715:1480@x+) (ttl 128, len 1500)
    > 0x0000 4500 05dc 1e23 2000 8001 e487 c0a8 132f E....#........./
    > 0x0010 xxxx xxxx 0800 08d5 0200 b100 ffd8 fffe .m22............
    > 0x0020 0008 5741 4e47 3202 ffe0 0010 4a46 4946 ..WANG2.....JFIF
    > 0x0030 0001 0101 0060 0060 0000 ffdb 0043 0010 .....`.`.....C..
    > 0x0040 0b0c 0e0c 0a10 0e0d 0e12 1110 1318 281a ..............(.
    > 0x0050 1816 1618 3123 251d 283a 333d 3c39 3338 ....1#%.:)3=<938
    > 0x0060 3740 485c 4e40 4457 4537 3850 6d51 575f 7@x\N@xxxxxxxxxx
    > 0x0070 6267 6867 3e4d 7179 7064 785c 6567 63ff bghg>Mqypdx\egc.
    > 0x0080 db00 4301 1112 1218 1518 2f1a 1a2f 6342 ..C......./../cB
    > 0x0090 3842 6363 6363 6363 6363 6363 6363 6363 8Bcccccccccccccc
    > 0x00a0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
    > 0x00b0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
    > 0x00c0 6363 6363 ffc0 0011 0800 2600 9e03 0121 cccc......&....!


    I've googled and googled, but can't find a definitive answer for this
    transfer and if it's covert or if it's something that MS is doing to monitor
    connections via slow links, or WHAT? Can anyone point me to an answer?

    Thanks,

    David Scott
     
    David Scott, Feb 10, 2004
    #1

  2. Sounds like the ICMP's used by Slow Link detection. See 816045 A Fast Link
    May Be Detected as a Slow Link Because of Network ICMP
    http://support.microsoft.com/?id=816045

    --

    Thanks,
    Marc Reynolds
    Microsoft Technical Support

    This posting is provided "AS IS" with no warranties, and confers no rights.


    "David Scott" <> wrote in message
    news:...
    > I have two networks geographically (and logically) separated between two
    > cities, joined via a PPTP VPN using ISA server. A network dump has shown me
    > some weird ICMP activity I'm trying to chase down.
    >
    > I have hosts on one network chattering to a Windows 2000 domain controller
    > in the other location with some huge ICMP packets. Tunnelled in the packet
    > is a Microsoft logo image (notice the JFIF header). A sample of the ICMP
    > data is below (this is from the intrusions.org list - you can get a full
    > dump here http://www.incidents.org/archives/intrusions/msg14866.html)
    >
    > > 14:20:29.334511 192.168.19.47 > xxx.xxx.xxx.xxx: icmp: echo request
    > > (frag 7715:1480@x+) (ttl 128, len 1500)
    > > 0x0000 4500 05dc 1e23 2000 8001 e487 c0a8 132f E....#........./
    > > 0x0010 xxxx xxxx 0800 08d5 0200 b100 ffd8 fffe .m22............
    > > 0x0020 0008 5741 4e47 3202 ffe0 0010 4a46 4946 ..WANG2.....JFIF
    > > 0x0030 0001 0101 0060 0060 0000 ffdb 0043 0010 .....`.`.....C..
    > > 0x0040 0b0c 0e0c 0a10 0e0d 0e12 1110 1318 281a ..............(.
    > > 0x0050 1816 1618 3123 251d 283a 333d 3c39 3338 ....1#%.:)3=<938
    > > 0x0060 3740 485c 4e40 4457 4537 3850 6d51 575f 7@x\N@xxxxxxxxxx
    > > 0x0070 6267 6867 3e4d 7179 7064 785c 6567 63ff bghg>Mqypdx\egc.
    > > 0x0080 db00 4301 1112 1218 1518 2f1a 1a2f 6342 ..C......./../cB
    > > 0x0090 3842 6363 6363 6363 6363 6363 6363 6363 8Bcccccccccccccc
    > > 0x00a0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
    > > 0x00b0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
    > > 0x00c0 6363 6363 ffc0 0011 0800 2600 9e03 0121 cccc......&....!
    >
    > I've googled and googled, but can't find a definitive answer for this
    > transfer and if it's covert or if it's something that MS is doing to monitor
    > connections via slow links, or WHAT? Can anyone point me to an answer?
    >
    > Thanks,
    >
    > David Scott
    >
    >
     
    Marc Reynolds [MSFT], Feb 10, 2004
    #2
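Added example (not code from either poster): a small Python triage script that decodes the tcpdump lines David quoted and checks the facts both explanations in this thread turn on, namely that the datagram is the first fragment of an oversized ICMP echo request and that its payload starts with a JFIF image. The dump is embedded as constructed input copied from the post (only the first 208 bytes of the 1500-byte fragment were captured, and the destination address the poster masked as "xxxx" is treated as zeros and reported rather than checked); the function names, field names and finding strings are my own. Running the same decoder over a fresh capture gives concrete fields (fragment id, total length, ICMP identifier, image dimensions) to set against the KB article rather than an eyeballed hex dump.

```python
import re
import struct

# Constructed sample: the tcpdump -X lines quoted in the thread. Only the first
# 208 bytes of the 1500-byte first fragment are present; "xxxx" is the poster's
# masking of the destination address.
DUMP = r"""
0x0000 4500 05dc 1e23 2000 8001 e487 c0a8 132f E....#........./
0x0010 xxxx xxxx 0800 08d5 0200 b100 ffd8 fffe .m22............
0x0020 0008 5741 4e47 3202 ffe0 0010 4a46 4946 ..WANG2.....JFIF
0x0030 0001 0101 0060 0060 0000 ffdb 0043 0010 .....`.`.....C..
0x0040 0b0c 0e0c 0a10 0e0d 0e12 1110 1318 281a ..............(.
0x0050 1816 1618 3123 251d 283a 333d 3c39 3338 ....1#%.:)3=<938
0x0060 3740 485c 4e40 4457 4537 3850 6d51 575f 7@x\N@xxxxxxxxxx
0x0070 6267 6867 3e4d 7179 7064 785c 6567 63ff bghg>Mqypdx\egc.
0x0080 db00 4301 1112 1218 1518 2f1a 1a2f 6342 ..C......./../cB
0x0090 3842 6363 6363 6363 6363 6363 6363 6363 8Bcccccccccccccc
0x00a0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
0x00b0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
0x00c0 6363 6363 ffc0 0011 0800 2600 9e03 0121 cccc......&....!
"""

HEX_WORD = re.compile(r"^(?:[0-9a-fA-F]{4}|xxxx)$")


def parse_hexdump(text):
    """tcpdump -X lines -> bytes. Masked "xxxx" words become zeros and their
    byte offsets are returned so no check is run against them."""
    data, masked = bytearray(), []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].lower().startswith("0x"):
            continue
        words = []
        for tok in parts[1:]:  # at most 8 hex words, then the ASCII column
            if len(words) == 8 or not HEX_WORD.match(tok):
                break
            words.append(tok)
        for word in words:
            if word == "xxxx":
                masked.append(len(data))
                data += b"\x00\x00"
            else:
                data += bytes.fromhex(word)
    return bytes(data), masked


def decode_ip(data):
    """Fixed 20-byte IPv4 header (RFC 791 field order)."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    return {"version": ver_ihl >> 4, "ihl": (ver_ihl & 0x0F) * 4,
            "total_length": total_len, "id": ident,
            "more_fragments": bool(flags_frag & 0x2000),
            "fragment_offset": (flags_frag & 0x1FFF) * 8,
            "ttl": ttl, "protocol": proto,
            "src": ".".join(str(b) for b in src),
            "dst": ".".join(str(b) for b in dst)}


def decode_icmp(data, ihl):
    """ICMP echo header; only meaningful in the fragment with offset 0."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", data[ihl:ihl + 8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": data[ihl + 8:]}


def find_jpeg(payload):
    """Locate a JPEG SOI marker and walk its segments to the SOF0 frame header."""
    start = payload.find(b"\xff\xd8")
    if start < 0:
        return None
    info = {"offset": start, "jfif": False, "comment": None, "width": None, "height": None}
    pos = start + 2
    while pos + 4 <= len(payload) and payload[pos] == 0xFF:
        marker = payload[pos + 1]
        if 0xD0 <= marker <= 0xD9:  # RSTn/SOI/EOI carry no length field
            pos += 2
            continue
        seg_len = struct.unpack("!H", payload[pos + 2:pos + 4])[0]
        seg = payload[pos + 4:pos + 2 + seg_len]
        if marker == 0xFE:                                   # COM
            info["comment"] = seg
        elif marker == 0xE0 and seg.startswith(b"JFIF\x00"):  # APP0
            info["jfif"] = True
        elif marker == 0xC0 and len(seg) >= 5:               # SOF0: precision, height, width
            _, info["height"], info["width"] = struct.unpack("!BHH", seg[:5])
            break
        pos += 2 + seg_len
    return info


def triage(dump_text):
    """Return the decoded layers plus the findings a reviewer would want listed."""
    data, masked = parse_hexdump(dump_text)
    ip = decode_ip(data)
    first_frag = ip["protocol"] == 1 and ip["fragment_offset"] == 0
    icmp = decode_icmp(data, ip["ihl"]) if first_frag else None
    jpeg = find_jpeg(icmp["payload"]) if icmp else None
    findings = []
    if ip["more_fragments"] or ip["fragment_offset"]:
        findings.append("fragmented datagram: id=%d len=%d MF=%s offset=%d" % (
            ip["id"], ip["total_length"], ip["more_fragments"], ip["fragment_offset"]))
    if icmp and icmp["type"] == 8 and ip["total_length"] >= 1500:
        findings.append("echo request whose first fragment already fills a 1500-byte MTU")
    if jpeg:
        findings.append("JPEG/JFIF image at payload offset %d (%sx%s, comment %r)" % (
            jpeg["offset"], jpeg["width"], jpeg["height"], jpeg["comment"]))
    if masked:
        findings.append("%d masked bytes at offsets %s; checksums not verified" % (2 * len(masked), masked))
    return {"ip": ip, "icmp": icmp, "jpeg": jpeg, "findings": findings}


if __name__ == "__main__":
    for line in triage(DUMP)["findings"]:
        print("-", line)
```

On this dump the script reports a 1500-byte first fragment (IP id 7715, MF set, TTL 128) of an echo request with ICMP identifier 0x0200, whose payload opens with a JPEG carrying a "WANG2" comment and a JFIF APP0 segment, and whose SOF0 header declares a 158x38 pixel image. Those are the values to compare between the hosts that do and do not generate the traffic.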

  3. David Scott

    David Scott Guest

    Thanks, Mark. You're probably right, based on the fragmentation information
    sent back from the remote host to the DC. One thing, though - I don't see
    anything in the article about the tunneling of the Microsoft image through
    ICMP. Do you know if this is just undocumented? The reason I want to nail
    this down is to rule out any possible Trojan activity.

    Thanks,

    David

    "Marc Reynolds [MSFT]" <> wrote in message
    news:%...
    > Sounds like the ICMP's used by Slow Link detection. See 816045 A Fast Link
    > May Be Detected as a Slow Link Because of Network ICMP
    > http://support.microsoft.com/?id=816045
    >
    > --
    >
    > Thanks,
    > Marc Reynolds
    > Microsoft Technical Support
    >
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    >
    > "David Scott" <> wrote in message
    > news:...
    > > I have two networks geographically (and logically) separated between two
    > > cities, joined via a PPTP VPN using ISA server. A network dump has shown me
    > > some weird ICMP activity I'm trying to chase down.
    > >
    > > I have hosts on one network chattering to a Windows 2000 domain controller
    > > in the other location with some huge ICMP packets. Tunnelled in the packet
    > > is a Microsoft logo image (notice the JFIF header). A sample of the ICMP
    > > data is below (this is from the intrusions.org list - you can get a full
    > > dump here http://www.incidents.org/archives/intrusions/msg14866.html)
    > >
    > > > 14:20:29.334511 192.168.19.47 > xxx.xxx.xxx.xxx: icmp: echo request
    > > > (frag 7715:1480@x+) (ttl 128, len 1500)
    > > > 0x0000 4500 05dc 1e23 2000 8001 e487 c0a8 132f E....#........./
    > > > 0x0010 xxxx xxxx 0800 08d5 0200 b100 ffd8 fffe .m22............
    > > > 0x0020 0008 5741 4e47 3202 ffe0 0010 4a46 4946 ..WANG2.....JFIF
    > > > 0x0030 0001 0101 0060 0060 0000 ffdb 0043 0010 .....`.`.....C..
    > > > 0x0040 0b0c 0e0c 0a10 0e0d 0e12 1110 1318 281a ..............(.
    > > > 0x0050 1816 1618 3123 251d 283a 333d 3c39 3338 ....1#%.:)3=<938
    > > > 0x0060 3740 485c 4e40 4457 4537 3850 6d51 575f 7@x\N@xxxxxxxxxx
    > > > 0x0070 6267 6867 3e4d 7179 7064 785c 6567 63ff bghg>Mqypdx\egc.
    > > > 0x0080 db00 4301 1112 1218 1518 2f1a 1a2f 6342 ..C......./../cB
    > > > 0x0090 3842 6363 6363 6363 6363 6363 6363 6363 8Bcccccccccccccc
    > > > 0x00a0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
    > > > 0x00b0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
    > > > 0x00c0 6363 6363 ffc0 0011 0800 2600 9e03 0121 cccc......&....!
    > >
    > > I've googled and googled, but can't find a definitive answer for this
    > > transfer and if it's covert or if it's something that MS is doing to monitor
    > > connections via slow links, or WHAT? Can anyone point me to an answer?
    > >
    > > Thanks,
    > >
    > > David Scott
    > >
    > >

    >
    >
     
    David Scott, Feb 11, 2004
    #3
  4. To my knowledge it is not documented, but I've seen this quite a few times
    in the past.


    --

    Thanks,
    Marc Reynolds
    Microsoft Technical Support

    This posting is provided "AS IS" with no warranties, and confers no rights.


    "David Scott" <> wrote in message
    news:...
    > Thanks, Mark. You're probably right, based on the fragmentation information
    > sent back from the remote host to the DC. One thing, though - I don't see
    > anything in the article about the tunneling of the Microsoft image through
    > ICMP. Do you know if this is just undocumented? The reason I want to nail
    > this down is to rule out any possible Trojan activity.
    >
    > Thanks,
    >
    > David
    >
    > "Marc Reynolds [MSFT]" <> wrote in message
    > news:%...
    > > Sounds like the ICMP's used by Slow Link detection. See 816045 A Fast Link
    > > May Be Detected as a Slow Link Because of Network ICMP
    > > http://support.microsoft.com/?id=816045
    > >
    > > --
    > >
    > > Thanks,
    > > Marc Reynolds
    > > Microsoft Technical Support
    > >
    > > This posting is provided "AS IS" with no warranties, and confers no rights.
    > >
    > >
    > > "David Scott" <> wrote in message
    > > news:...
    > > > I have two networks geographically (and logically) separated between two
    > > > cities, joined via a PPTP VPN using ISA server. A network dump has shown me
    > > > some weird ICMP activity I'm trying to chase down.
    > > >
    > > > I have hosts on one network chattering to a Windows 2000 domain controller
    > > > in the other location with some huge ICMP packets. Tunnelled in the packet
    > > > is a Microsoft logo image (notice the JFIF header). A sample of the ICMP
    > > > data is below (this is from the intrusions.org list - you can get a full
    > > > dump here http://www.incidents.org/archives/intrusions/msg14866.html)
    > > >
    > > > > 14:20:29.334511 192.168.19.47 > xxx.xxx.xxx.xxx: icmp: echo request
    > > > > (frag 7715:1480@x+) (ttl 128, len 1500)
    > > > > 0x0000 4500 05dc 1e23 2000 8001 e487 c0a8 132f E....#........./
    > > > > 0x0010 xxxx xxxx 0800 08d5 0200 b100 ffd8 fffe .m22............
    > > > > 0x0020 0008 5741 4e47 3202 ffe0 0010 4a46 4946 ..WANG2.....JFIF
    > > > > 0x0030 0001 0101 0060 0060 0000 ffdb 0043 0010 .....`.`.....C..
    > > > > 0x0040 0b0c 0e0c 0a10 0e0d 0e12 1110 1318 281a ..............(.
    > > > > 0x0050 1816 1618 3123 251d 283a 333d 3c39 3338 ....1#%.:)3=<938
    > > > > 0x0060 3740 485c 4e40 4457 4537 3850 6d51 575f 7@x\N@xxxxxxxxxx
    > > > > 0x0070 6267 6867 3e4d 7179 7064 785c 6567 63ff bghg>Mqypdx\egc.
    > > > > 0x0080 db00 4301 1112 1218 1518 2f1a 1a2f 6342 ..C......./../cB
    > > > > 0x0090 3842 6363 6363 6363 6363 6363 6363 6363 8Bcccccccccccccc
    > > > > 0x00a0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
    > > > > 0x00b0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
    > > > > 0x00c0 6363 6363 ffc0 0011 0800 2600 9e03 0121 cccc......&....!
    > > >
    > > > I've googled and googled, but can't find a definitive answer for this
    > > > transfer and if it's covert or if it's something that MS is doing to monitor
    > > > connections via slow links, or WHAT? Can anyone point me to an answer?
    > > >
    > > > Thanks,
    > > >
    > > > David Scott
    > > >
    > > >

    > >
    > >

    >
    >
     
    Marc Reynolds [MSFT], Feb 11, 2004
    #4
