2

The aforementioned packets

The capture file if needed

There is supposed to be abnormal behaviour here, and I see that there is. But I can't figure out what it is.

There is no response to the ICMP requests. Furthermore some packets have the warning:

[Expert Info (Warning/Protocol): Source MAC must not be a group address: IEEE 802.3-2002, Section 3.2.3(b)] [Source MAC must not be a group address: IEEE 802.3-2002, Section 3.2.3(b)] [Severity level: Warning] [Group: Protocol]

I was thinking it might be a Ping flood attack, but shouldn't there also be a reply/response from the destination address for this to be the case? The host might already be overwhelmed thus making it unable to respond to the ICMP requests, but that isn't shown in the capture file.

The packet length is 60, so it doesn't match it being a Ping of Death attack either.

Any help is greatly appreciated!

symto
  • 21
  • 1
  • 2
  • Could you give some info on your topology? Where are you located when you run `tcpdump`? Which port? What does your `tcpdump` command look like? – F. Hauri - Give Up GitHub Oct 09 '19 at 14:22
  • just as a heads up the reason why OP hasn't posted any tcp dumps is because this is for a networking assessment and all that they were given was this pcapng file and told to come up with reasons why a ping request was not making it to a mail server. – UniStudent Oct 17 '19 at 04:31
  • @UniStudent Correct. I wanted to ask to get clarifications on whether or not the sequential numbers and warnings were a part of the generation of the .pcapng file for the scenario or as a part of the troubleshooting process. – symto Oct 18 '19 at 05:52

3 Answers

2

There are two suspicious things in the pcap file: 1. As Steffen mentions, the sequence numbers look like they come from the same machine; the packets were probably generated in a for loop. 2. In general, ICMP echo requests carry the alphabet as payload so that the reply echoes it back, and in the pcap file the payload is all zeros.

It could be botnet behaviour, or somebody playing with packets on the Internet whose program is not yet working as expected.

camp0
  • 2,172
  • 1
  • 10
  • 10
1

It is definitely unusual to have ICMP echo requests which are clearly sequential (look at the LE sequence number) but come from different IP addresses. This suggests that there is some central source for these ICMP echoes which sends each of the packets via a different IP address (botnet?).

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
1

In addition to Steffen Ullrich's answer:

  • I'm surprised to see so many public IPs trying to reach one*** precise private IP via the same router** (the one from which the shown dump comes)...

    ** If your dump was done on a router. If on your localhost, see further.

    *** If your dump is not filtered...

  • Your router seems to block incoming connections from the Internet to the local net. That's OK.

    (no response found!)
    
  • IPs seem to be located approximately everywhere, but mostly in the US:

    2 BE, 1 CA, 1 CH, 2 CN, 1 CO, 1 IT, 1 JP and 9 US

    So yes, it could be a botnet, but there is a very small number of zombies (only 20...). Or some US-based company with external agencies.

  • All packets seem very close, with the same TTL, and all packets carry MAC addresses which could not be routed on the Internet!! tcpdump could print something like:

     In ethertype IPv4 (0x0800)
    

    All these MAC addresses seem random; none match an official MAC address.

    Maybe someone is playing with Ethernet packets... Maybe somewhere in your local net!?

  • To be more clear the destination host is supposed to be a mail server. The scenario is that Brittany sent Amanda an e-mail, but Amanda never received it. The goal is to find the abnormal behaviour that lead to this interrupted service. – symto Oct 09 '19 at 08:31
  • What does your `tcpdump` command look like? Where, in your topology, did you dump this? Which port on which router? – F. Hauri - Give Up GitHub Oct 09 '19 at 14:21
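The checks the three answers and the question's expert-info warning describe can be scripted rather than eyeballed in Wireshark. The following is an added example, not code from the question or any of the answers: a standard-library Python script that decodes Ethernet/IPv4/ICMP frames and counts the anomalies discussed on this page: source MACs with the IEEE 802.3 group (I/G) bit set, echo requests with no matching replies, one TTL shared by many public sources, sequence numbers that only count up when read little-endian (Steffen Ullrich's "LE sequence number" remark, reproduced here by a constructed sender that writes the field in host byte order), and all-zero payloads instead of the alphabet pattern camp0 mentions. The frames, MAC addresses, RFC 5737 documentation IPs and the 10.0.0.25 target are all constructed for the demonstration and are not taken from the real capture; the Windows ping payload constant is the real 32-byte pattern that client sends.

```python
import struct
from ipaddress import IPv4Address

ETH_IPV4 = 0x0800
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# Payload sent by the Windows ping client; the "alphabet" camp0 refers to.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_frame(icmp_type, src_mac, src_ip, dst_ip, seq, payload,
                     ttl=64, host_order_seq=False, dst_mac=b"\x00\x11\x22\x33\x44\x55"):
    """Assemble one Ethernet/IPv4/ICMP echo frame (constructed test data, not capture data).
    host_order_seq=True mimics a sender that wrote the sequence number without htons(),
    which is what makes Wireshark's little-endian "(LE)" reading of the field count up."""
    seq_bytes = struct.pack("<H" if host_order_seq else "!H", seq)
    icmp = struct.pack("!BBHH", icmp_type, 0, 0, 0x1234) + seq_bytes + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + ip + icmp


def parse_frame(frame: bytes):
    """Pull out the fields the checks need; None for anything that is not ICMP over IPv4."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 1:  # IPv4 protocol field: 1 = ICMP
        return None
    icmp = ip[ihl:]
    icmp_type, _code, _csum, _ident, seq_be = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src_mac": frame[6:12],
        "src_ip": str(IPv4Address(ip[12:16])),
        "ttl": ip[8],
        "type": icmp_type,
        "seq_be": seq_be,                                  # network-order reading
        "seq_le": struct.unpack("<H", icmp[6:8])[0],       # Wireshark's "(LE)" reading
        "payload": icmp[8:],
    }


def is_group_mac(mac: bytes) -> bool:
    """IEEE 802.3 3.2.3(b): the I/G bit (LSB of the first octet) must be 0 in a source address."""
    return bool(mac[0] & 0x01)


def analyse(frames):
    """Count the anomalies raised in the thread over a list of raw frames."""
    pkts = [p for p in map(parse_frame, frames) if p]
    requests = [p for p in pkts if p["type"] == ICMP_ECHO_REQUEST]
    seqs = [p["seq_le"] for p in requests]
    return {
        "echo_requests": len(requests),
        "echo_replies": sum(p["type"] == ICMP_ECHO_REPLY for p in pkts),
        "group_src_macs": sum(is_group_mac(p["src_mac"]) for p in requests),
        "distinct_src_ips": len({p["src_ip"] for p in requests}),
        "distinct_ttls": len({p["ttl"] for p in requests}),
        "sequential_le_seq": len(seqs) > 1 and seqs == list(range(seqs[0], seqs[0] + len(seqs))),
        "zero_payloads": sum(not any(p["payload"]) for p in requests),
    }


def suspicious_frames():
    """Constructed stand-in for the capture: four public sources (RFC 5737 ranges), one private
    target, same TTL, host-order sequence numbers 1..4, zeroed payload, no replies, and
    random-looking source MACs whose first octet (0x03) has the group bit set."""
    sources = ["203.0.113.7", "198.51.100.22", "192.0.2.45", "203.0.113.99"]
    return [build_icmp_frame(ICMP_ECHO_REQUEST, bytes([0x03, 0x23, 0x45, 0x67, 0x89, i]), ip,
                             "10.0.0.25", seq=i, payload=bytes(32), ttl=128, host_order_seq=True)
            for i, ip in enumerate(sources, start=1)]


def benign_frames():
    """One ordinary Windows-style ping: unicast source MAC, alphabet payload, reply present."""
    req = build_icmp_frame(ICMP_ECHO_REQUEST, b"\x00\x1a\x2b\x3c\x4d\x5e", "10.0.0.7", "10.0.0.25",
                           seq=1, payload=WINDOWS_PING_PAYLOAD, ttl=128)
    rep = build_icmp_frame(ICMP_ECHO_REPLY, b"\x00\x11\x22\x33\x44\x55", "10.0.0.25", "10.0.0.7",
                           seq=1, payload=WINDOWS_PING_PAYLOAD, ttl=64)
    return [req, rep]


if __name__ == "__main__":
    for name, frames in (("suspicious", suspicious_frames()), ("benign", benign_frames())):
        print(name, analyse(frames))
```

Run it directly to compare the constructed "suspicious" set (every request from a group-bit MAC, one TTL, sequence numbers 1..4 only in the LE reading, zero payload, zero replies) against a normal ping pair. To apply it to a real pcapng, feed `analyse()` the raw frame bytes from whatever reader you already use (for example the list returned by scapy's `rdpcap`, converted with `bytes(pkt)`); the decoding here deliberately ignores VLAN tags and IP options beyond the IHL, so extend `parse_frame` if the capture carries them.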