Re: Weird ICMP activity


From: Marc Reynolds [MSFT] (marcrey_at_online.microsoft.com)
Date: 02/10/04


Date: Tue, 10 Feb 2004 12:59:24 -0600

Sounds like the ICMPs used by Slow Link detection. See KB 816045, "A Fast Link
May Be Detected as a Slow Link Because of Network ICMP":
http://support.microsoft.com/?id=816045

-- 
Thanks,
Marc Reynolds
Microsoft Technical Support
This posting is provided "AS IS" with no warranties, and confers no rights.
"David Scott" <davidscott@mtgroup.com> wrote in message
news:OyS9vKA8DHA.2168@TK2MSFTNGP12.phx.gbl...
> I have two networks geographically (and logically) separated between two
> cities, joined via a PPTP VPN using ISA server. A network dump has shown me
> some weird ICMP activity I'm trying to chase down.
>
> I have hosts on one network chattering to a Windows 2000 domain controller
> in the other location with some huge ICMP packets. Tunnelled in the packet
> is a Microsoft logo image (notice the JFIF header). A sample of the ICMP
> data is below (this is from the intrusions.org list - you can get a full
> dump here http://www.incidents.org/archives/intrusions/msg14866.html)
>
> > 14:20:29.334511 192.168.19.47 > xxx.xxx.xxx.xxx: icmp: echo request
> > (frag 7715:1480@x+) (ttl 128, len 1500)
> > 0x0000  4500 05dc 1e23 2000 8001 e487 c0a8 132f E....#........./
> > 0x0010  xxxx xxxx 0800 08d5 0200 b100 ffd8 fffe .m22............
> > 0x0020  0008 5741 4e47 3202 ffe0 0010 4a46 4946 ..WANG2.....JFIF
> > 0x0030  0001 0101 0060 0060 0000 ffdb 0043 0010 .....`.`.....C..
> > 0x0040  0b0c 0e0c 0a10 0e0d 0e12 1110 1318 281a ..............(.
> > 0x0050  1816 1618 3123 251d 283a 333d 3c39 3338 ....1#%.(:3=<938
> > 0x0060  3740 485c 4e40 4457 4537 3850 6d51 575f 7@x\N@xxxxxxxxxx
> > 0x0070  6267 6867 3e4d 7179 7064 785c 6567 63ff bghg>Mqypdx\egc.
> > 0x0080  db00 4301 1112 1218 1518 2f1a 1a2f 6342 ..C......./../cB
> > 0x0090  3842 6363 6363 6363 6363 6363 6363 6363 8Bcccccccccccccc
> > 0x00a0  6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
> > 0x00b0  6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
> > 0x00c0  6363 6363 ffc0 0011 0800 2600 9e03 0121 cccc......&....!
>
> I've googled and googled, but can't find a definitive answer for this
> transfer and if it's covert or if it's something that MS is doing to monitor
> connections via slow links, or WHAT? Can anyone point me to an answer?
>
> Thanks,
>
> David Scott
>
>
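The dump in the quoted post carries enough bytes to check the facts a responder needs before deciding whether a 1500-byte echo request is a covert channel or the Slow Link ping Marc points at: who sent it, how big it is on the wire, whether it is fragmented (the failure mode KB 816045 is about), and what the payload actually starts with. The decoder below is an added example written for this archive page, not code from either poster or from Microsoft. It assumes the tcpdump -x hex dump above as its only input; the anonymised destination address ("xxxx xxxx" in the post) is replaced with a 0.0.0.0 placeholder so the bytes parse, and the 1000-byte "large ping" threshold is an assumption chosen for illustration.

```python
import ipaddress
import struct

# Constructed sample input: the 208 captured bytes of the echo request quoted in the
# post, keeping only the hex columns of the tcpdump -x output. The anonymised
# destination address ("xxxx xxxx" in the post) is replaced with a 0.0.0.0 placeholder.
SAMPLE_HEXDUMP = """\
0x0000  4500 05dc 1e23 2000 8001 e487 c0a8 132f
0x0010  0000 0000 0800 08d5 0200 b100 ffd8 fffe
0x0020  0008 5741 4e47 3202 ffe0 0010 4a46 4946
0x0030  0001 0101 0060 0060 0000 ffdb 0043 0010
0x0040  0b0c 0e0c 0a10 0e0d 0e12 1110 1318 281a
0x0050  1816 1618 3123 251d 283a 333d 3c39 3338
0x0060  3740 485c 4e40 4457 4537 3850 6d51 575f
0x0070  6267 6867 3e4d 7179 7064 785c 6567 63ff
0x0080  db00 4301 1112 1218 1518 2f1a 1a2f 6342
0x0090  3842 6363 6363 6363 6363 6363 6363 6363
0x00a0  6363 6363 6363 6363 6363 6363 6363 6363
0x00b0  6363 6363 6363 6363 6363 6363 6363 6363
0x00c0  6363 6363 ffc0 0011 0800 2600 9e03 0121
"""

# Assumption for this example: anything over 1000 bytes on the wire is "large" for a ping.
LARGE_ECHO_THRESHOLD = 1000


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -x lines ("0x0010  4500 05dc ...") into raw bytes.

    Only the eight 16-bit words after the offset are taken, so an ASCII column
    made entirely of hex-looking characters (e.g. "cccccccccccccccc") cannot
    be mistaken for data.
    """
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        for word in fields[1:9]:
            out += bytes.fromhex(word)
    return bytes(out)


def parse_icmp_packet(raw: bytes) -> dict:
    """Decode the IPv4 header and, for a first fragment, the ICMP header and payload."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 1:
        raise ValueError("not ICMP")
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "total_len": total_len,          # length on the wire, from the IP header
        "captured": len(raw),            # what tcpdump actually kept (snaplen)
        "ip_id": ident,                  # tcpdump prints this as "frag <id>"
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
    }
    # Only the first fragment carries the ICMP header; later ones are bare payload.
    if info["frag_offset"] == 0:
        icmp = raw[ihl:]
        if len(icmp) < 8:
            raise ValueError("truncated ICMP header")
        itype, code, _icsum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
        info.update(icmp_type=itype, icmp_code=code, icmp_id=icmp_id,
                    icmp_seq=seq, payload=icmp[8:])
    return info


def classify_echo(info: dict) -> list:
    """List the observations worth flagging for an echo request like the one above."""
    findings = []
    if info.get("icmp_type") == 8 and info["total_len"] > LARGE_ECHO_THRESHOLD:
        findings.append("large echo request: %d bytes on the wire" % info["total_len"])
    if info["more_fragments"]:
        findings.append("fragmented: later fragments have no ICMP header, "
                        "so a filter that drops fragments breaks the exchange")
    payload = info.get("payload", b"")
    if payload.startswith(b"\xff\xd8\xff"):
        findings.append("payload begins with a JPEG SOI marker")
    if b"JFIF" in payload:
        findings.append("JFIF header present in payload")
    return findings


if __name__ == "__main__":
    pkt = parse_icmp_packet(hexdump_to_bytes(SAMPLE_HEXDUMP))
    print("%s -> %s  id=%d ttl=%d len=%d (captured %d)" % (
        pkt["src"], pkt["dst"], pkt["ip_id"], pkt["ttl"], pkt["total_len"], pkt["captured"]))
    for f in classify_echo(pkt):
        print(" -", f)
```

What the decoder cannot tell you is who is sending the image bytes and why; for that, correlate the source hosts with logon times and with the domain controller's role, which is the check Marc's KB pointer suggests. Note also that the capture is cut at 208 bytes while the IP header claims 1500, so the payload seen here is only the start of the first fragment.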

