Icmp 8 ?

1. ## Icmp 8 ?

I have been getting tons (10-20/minute) of ICMP 8 packets from all different Ips but all from the range owned by my ISP. I am curious as to why this is happening? and should i be replying to pings? This isn't normal is it ? The destination is also my ip only about half the time ,the other half are to the ip i get if i plug in a different nic (i think ,i can't confirm right now). Here is an ethereal capture of a couple.
0000 00 80 c6 f6 9b 1d 00 e0 0c c5 99 c6 08 00 45 00 ........ ......E.
0010 00 5c 01 ae 00 00 7d 01 fa 0f 44 91 1d 4c 44 93 .\....}. ..D..LD.
0020 9b 73 08 00 aa 22 02 00 f6 87 aa aa aa aa aa aa .s...".. ........
0030 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ........ ........
0040 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ........ ........
0050 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ........ ........
0060 aa aa aa aa aa aa aa aa aa aa ........ ..

0000 00 80 c6 f6 9b 1d 00 e0 0c c5 99 c6 08 00 45 00 ........ ......E.
0010 00 5c 43 db 00 00 7d 01 78 7c 44 90 5c b3 44 93 .\C...}. x|D.\.D.
0020 9b 73 08 00 db 88 02 00 c5 21 aa aa aa aa aa aa .s...... .!......
0030 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ........ ........
0040 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ........ ........
0050 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ........ ........
0060 aa aa aa aa aa aa aa aa aa aa ........ ..
AFAIK these are normal packets? I don't run a server or anything this just a single *nix home box on cable.
On another somewhat unrelated note, any ideas why the arp packets i get contain what seems to be a news webpage ? Why are they not just padded with aaa's like pings?

2. I think that these are echo-request icmp requests...is you r machine setup to reply to these requests? If so...are you seeing any incoming requests on port 135 from the same hosts?

The traffic seems typical of a machine infected with one of the msblaster variants....

3. I don't reply to them. I figured that it was something to do with a worm, but what made me think twice is that they are all from my isp's network. I would think that i would be getting them from all over the world as i cannot see my isp blocking pings from everywhere else as they are important are they not ?

4. Like soggybottom said, ICMP mesage type 8 is "echo request"

Your ISP has no reason to block ping packets wether they originate from their network or not.. Just ignore them,, check also to see if source Ip is spoofed,,best thing you can do is capture trace and report to you ISP....Also out of curiosity,,what are the size of packets.?

cheers

5. The packets are always 106 bytes. Which is quite normal if my recent googling has taught me anything. From what i have found SoggyBottoms worm idea is right. I still wonder why i don't see these packets from all over the world though ?

6. Your ISP may be filtering incoming echo request packets from the world...that may explain it.

7. Thanx for your opinions and help , i will ask my isp if they are filtering . I don't expect much of a reply though i have been a real bitch to them about there service and inability to make their website render and work with anything other than IE. So they tend to ignore me now.

#### Posting Permissions

• You may not post new threads
• You may not post replies
• You may not post attachments
• You may not edit your posts
•