Weird ICMP activity

David Scott

I have two networks geographically (and logically) separated between two
cities, joined via a PPTP VPN using ISA server. A network dump has shown me
some weird ICMP activity I'm trying to chase down.

I have hosts on one network chattering to a Windows 2000 domain controller
in the other location with some huge ICMP packets. Tunnelled in the packet
is a Microsoft logo image (notice the JFIF header). A sample of the ICMP
data is below (this is from the intrusions.org list - you can get a full
dump here http://www.incidents.org/archives/intrusions/msg14866.html)

14:20:29.334511 192.168.19.47 > xxx.xxx.xxx.xxx: icmp: echo request
(frag 7715:1480@x+) (ttl 128, len 1500)
0x0000 4500 05dc 1e23 2000 8001 e487 c0a8 132f E....#........./
0x0010 xxxx xxxx 0800 08d5 0200 b100 ffd8 fffe .m22............
0x0020 0008 5741 4e47 3202 ffe0 0010 4a46 4946 ..WANG2.....JFIF
0x0030 0001 0101 0060 0060 0000 ffdb 0043 0010 .....`.`.....C..
0x0040 0b0c 0e0c 0a10 0e0d 0e12 1110 1318 281a ..............(.
0x0050 1816 1618 3123 251d 283a 333d 3c39 3338 ....1#%.:)3=<938
0x0060 3740 485c 4e40 4457 4537 3850 6d51 575f 7@x\N@xxxxxxxxxx
0x0070 6267 6867 3e4d 7179 7064 785c 6567 63ff bghg>Mqypdx\egc.
0x0080 db00 4301 1112 1218 1518 2f1a 1a2f 6342 ..C......./../cB
0x0090 3842 6363 6363 6363 6363 6363 6363 6363 8Bcccccccccccccc
0x00a0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
0x00b0 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
0x00c0 6363 6363 ffc0 0011 0800 2600 9e03 0121 cccc......&....!

I've googled and googled, but can't find a definitive answer for this
transfer and if it's covert or if it's something that MS is doing to monitor
connections via slow links, or WHAT? Can anyone point me to an answer?

Thanks,

David Scott
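As an added example, not part of the original thread or of anything Microsoft ships, here is a small Python decoder that turns the tcpdump -X hex quoted above back into bytes, pulls out the IPv4 and ICMP header fields, and walks the JPEG marker segments inside the echo payload, so the "there is a JFIF image in here" observation can be checked mechanically rather than by eye. It assumes the redacted destination address ("xxxx xxxx") is zero bytes, and it only has the 208 bytes quoted in the post, so the last segment (SOF0) is truncated and the walker stops there instead of reading past the capture.

```python
import struct

# The 13 hex lines quoted in the post above, ASCII column dropped.  The poster
# redacted the destination address as "xxxx xxxx"; this example treats those
# groups as zero bytes (an assumption: the real address is not on the page).
DUMP = """\
0x0000 4500 05dc 1e23 2000 8001 e487 c0a8 132f
0x0010 xxxx xxxx 0800 08d5 0200 b100 ffd8 fffe
0x0020 0008 5741 4e47 3202 ffe0 0010 4a46 4946
0x0030 0001 0101 0060 0060 0000 ffdb 0043 0010
0x0040 0b0c 0e0c 0a10 0e0d 0e12 1110 1318 281a
0x0050 1816 1618 3123 251d 283a 333d 3c39 3338
0x0060 3740 485c 4e40 4457 4537 3850 6d51 575f
0x0070 6267 6867 3e4d 7179 7064 785c 6567 63ff
0x0080 db00 4301 1112 1218 1518 2f1a 1a2f 6342
0x0090 3842 6363 6363 6363 6363 6363 6363 6363
0x00a0 6363 6363 6363 6363 6363 6363 6363 6363
0x00b0 6363 6363 6363 6363 6363 6363 6363 6363
0x00c0 6363 6363 ffc0 0011 0800 2600 9e03 0121
"""

def hexdump_to_bytes(text):
    """Convert tcpdump -X style lines ("0xOFFS g1 g2 ... g8 [ascii]") to bytes."""
    out = bytearray()
    for line in text.splitlines():
        for group in line.split()[1:9]:          # skip the offset column
            out += b"\x00\x00" if set(group) == {"x"} else bytes.fromhex(group)
    return bytes(out)

def parse_ipv4(pkt):
    """Fixed 20-byte IPv4 header fields; frag_offset is reported in bytes."""
    vihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", pkt[:12])
    return {
        "ihl": (vihl & 0x0F) * 4, "total_len": total_len, "id": ident,
        "mf": bool(flags_frag & 0x2000), "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl, "proto": proto,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }

def parse_icmp(data):
    """ICMP echo header (type, code, checksum, identifier, sequence) plus payload."""
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq, "payload": data[8:]}

JPEG_MARKERS = {0xFE: "COM", 0xE0: "APP0", 0xDB: "DQT", 0xC4: "DHT",
                0xC0: "SOF0", 0xDA: "SOS", 0xD9: "EOI"}

def walk_jpeg(payload):
    """Walk JPEG marker segments after an SOI.  Returns (name, offset, length,
    info) tuples and stops at the first segment that runs past the captured bytes."""
    segs = []
    if payload[:2] != b"\xff\xd8":
        return segs                                  # not a JPEG at all
    segs.append(("SOI", 0, 0, None))
    pos = 2
    while pos + 4 <= len(payload) and payload[pos] == 0xFF:
        name = JPEG_MARKERS.get(payload[pos + 1], "0x%02X" % payload[pos + 1])
        length = struct.unpack("!H", payload[pos + 2:pos + 4])[0]   # includes itself
        body = payload[pos + 4:pos + 2 + length]
        info = None
        if name == "COM":
            info = body                              # free-text comment segment
        elif name == "APP0" and body[:5] == b"JFIF\x00":
            info = "JFIF %d.%02d" % (body[5], body[6])
        elif name == "SOF0" and len(body) >= 6:
            _prec, height, width, ncomp = struct.unpack("!BHHB", body[:6])
            info = (width, height, ncomp)
        segs.append((name, pos, length, info))
        if len(body) < length - 2 or name == "SOS":
            break                                    # truncated capture / entropy-coded data
        pos += 2 + length
    return segs

def describe(pkt):
    """Decode one captured IP packet and report what its ICMP payload contains."""
    ip = parse_ipv4(pkt)
    icmp = parse_icmp(pkt[ip["ihl"]:]) if ip["proto"] == 1 else None
    segs = walk_jpeg(icmp["payload"]) if icmp else []
    sof = [s for s in segs if s[0] == "SOF0"]
    return {
        "ip": ip,
        "icmp": {k: v for k, v in icmp.items() if k != "payload"} if icmp else None,
        "segments": segs,
        "image": sof[0][3] if sof else None,         # (width, height, components)
    }

if __name__ == "__main__":
    report = describe(hexdump_to_bytes(DUMP))
    print("IP id=%d mf=%s ttl=%d" % (report["ip"]["id"], report["ip"]["mf"], report["ip"]["ttl"]))
    print("ICMP", report["icmp"])
    for name, off, length, info in report["segments"]:
        print("  %-5s @%3d len=%3d %r" % (name, off, length, info))
    print("frame header (w, h, components):", report["image"])
```

Run on the quoted dump, this reports IP id 7715 with MF set and offset 0 (the first fragment of a 1500-byte datagram, matching the "frag 7715:1480@0+" in the tcpdump line), an ICMP echo request with identifier 0x0200 and sequence 0xb100, and then the JPEG segments SOI, COM (containing "WANG2"), APP0 (JFIF 1.01), two DQT quantisation tables and an SOF0 frame header describing a 158 by 38 pixel, 3-component image. A detection rule that only keys on ICMP echo payloads beginning with ff d8 ff would fire on both this traffic and a genuine ICMP tunnel; walking the markers is what lets you tell a well-formed, consistently repeated image apart from arbitrary data that merely starts with a JPEG magic.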

Marc Reynolds [MSFT]

Sounds like the ICMPs used by Slow Link detection. See 816045, "A Fast Link
May Be Detected as a Slow Link Because of Network ICMP":
http://support.microsoft.com/?id=816045

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.

David Scott

Thanks, Marc. You're probably right, based on the fragmentation information
sent back from the remote host to the DC. One thing, though - I don't see
anything in the article about the tunneling of the Microsoft image through
ICMP. Do you know if this is just undocumented? The reason I want to nail
this down is to rule out any possible Trojan activity.

Thanks,

David

Marc Reynolds [MSFT]

To my knowledge it is not documented, but I've seen this quite a few times
in the past.

--

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.