
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2011-01-07 InfoSec Handlers Diary Blog



Ping and please give me your system time.

Published: 2011-01-07
Last Updated: 2011-01-07 20:41:03 UTC
by donald smith (Version: 1)
4 comment(s)

A reader noticed ICMP echo request packets attempting to enter
their network yesterday with the IP timestamp option set.  Upon
closer inspection, the payload of the ICMP echo contained a
URL which was http://iplane.cs.washington.edu/

That link leads to a University of Washington research project site that measures
Internet path performance. Based on their website, they have been doing this since 2006.
They are employing IP options in their echo request packets, which many folks may
have noticed in their IPS/IDS logs.

Echo requests with timestamp option allow you to do things like:
"Measuring link attributes: Existing techniques for
measuring loss rate, bandwidth capacity and available
bandwidth are employed in a scalable and efficient manner to
characterize the properties of all inter-cluster links in the
measured topology."

If you're interested in jitter, for example, a few pings with the timestamp option allow for a fairly simple jitter computation.
If you see ICMP 8:0 (echo request) packets with IP options that include Timestamp, you might want to capture some packets and look inside to see whether they came from this research project.
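
One way to run that check over captured packets, as an added example that is not part of the original diary: it parses a raw IPv4 packet, walks the IP options looking for the Timestamp option (type 68, RFC 791), and checks for ICMP type 8 code 0 and the project URL in the payload. The function names, the sample packet layout and its addresses are constructed for illustration.

```python
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_TS = 0, 1, 68   # IP option types from RFC 791
MARKER = b"iplane.cs.washington.edu"        # URL the diary reports in the payload

def classify(pkt: bytes) -> dict:
    """Inspect one raw IPv4 packet (no link-layer header)."""
    result = {"echo_request": False, "ts_option": False, "iplane_marker": False}
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return result
    ihl = (pkt[0] & 0x0F) * 4                # header length in bytes
    if ihl < 20 or len(pkt) < ihl + 8 or pkt[9] != 1:   # protocol 1 = ICMP
        return result
    i = 20                                   # options sit between byte 20 and IHL
    while i < ihl:
        opt = pkt[i]
        if opt == IPOPT_EOL:
            break
        if opt == IPOPT_NOP:                 # single-byte padding option
            i += 1
            continue
        if i + 1 >= ihl:
            break
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:   # malformed option: stop walking
            break
        if opt == IPOPT_TS:
            result["ts_option"] = True
        i += length
    result["echo_request"] = (pkt[ihl], pkt[ihl + 1]) == (8, 0)
    result["iplane_marker"] = MARKER in pkt[ihl + 8:]
    return result

def build_sample(with_ts: bool, payload: bytes) -> bytes:
    """Constructed test packet; checksums are left at zero, addresses are
    documentation ranges, and the payload layout is an assumption."""
    # Timestamp option: type 68, length 12, pointer 5, overflow/flags 0, two empty slots
    opts = bytes([IPOPT_TS, 12, 5, 0]) + bytes(8) if with_ts else b""
    ihl_words = (20 + len(opts)) // 4
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                     20 + len(opts) + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip + opts + icmp

if __name__ == "__main__":
    print(classify(build_sample(True, b"http://iplane.cs.washington.edu/")))
    print(classify(build_sample(False, b"ordinary ping payload")))
```
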

Timestamp replies are considered dangerous as they might be used to defeat time-based authentication protocols.
http://www.nessus.org/plugins/index.php?view=single&id=10114
