Date:      Fri, 10 Aug 2012 16:47:31 +0200
From:      "Christoph P.U. Kukulies" <kuku@kukulies.org>
To:        freebsd-hackers@freebsd.org
Subject:   strange things happening with ping - am I hacked?
Message-ID:  <50251F03.4050400@kukulies.org>

I have some machines in a company's network that are interconnected with a piece of coaxial cable (ethernet 10base2). This trunk goes through a switch that also acts as a media converter and connects to the Internet router.

For a while now I've been having trouble with this 10base2 trunk, and I dropped in another FreeBSD machine to move the services I'm running to the newer (9.0) machine.
At the moment the two FreeBSD boxes (one 9.0, the other 5.1) are on the net. Both have a DIVERT kernel and act as gateways between the in-house network and the Internet (natd).

Now strange things happen:
When I ping from the 9.0 machine to another machine (a Windows XP) in the network, I don't get an immediate response from the ping, but after some time, say 20s or so, I get:

(I prefer not to use the real addresses in the source or destination)
forum2# ping 80.90.34.226
forum2# tcpdump -i ed0 -l ip proto ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ed0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id 50777, seq 49408, length 8

or:

16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id 50777, seq 49408, length 8
16:17:01.920480 IP 80.90.34.228 > 203.178.148.19: ICMP echo reply, id 9061, seq 48393, length 8
^C
2 packets captured
473 packets received by filter
0 packets dropped by kernel

Doing the same ping from the 5.1 box (I'm pretty sure it has nothing to do with the OS versions) gives an echo reply immediately from the target address I pinged.

So why do echo replies come from machines on the net that seem to exist and even have names like pinger-j2.ant.isi.edu or pinger6.netsec.colostate.edu?

Does some packet redirection take place?

--
Christoph Kukulies
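As an added example (not part of the original message, and not FreeBSD or tcpdump code), here is a small Python triage script that reads the text output of `tcpdump -l ip proto ICMP` like the capture quoted above and sorts every echo reply into three buckets: a reply that answers an echo request this host sent, a reply addressed to this host that no request explains, and a reply addressed to some other host that the interface merely saw (normal on a shared 10base2 segment or on a forwarding gateway, but worth checking whether anyone on this side actually sent the request it answers). The two replies from 80.90.34.228 are the ones quoted in the message; the local address 80.90.34.225, the id-1234 request/reply pair and the reply from 10.0.0.9 are constructed for the example. Because mail clients wrap long tcpdump records, the parser re-joins a continuation line onto the record it belongs to.

```python
"""Sort ICMP echo replies in tcpdump text output into expected, unsolicited and foreign.

Added example for the thread above; not FreeBSD or tcpdump code.  The local
address, the 10.0.0.9 host and the id-1234 request/reply pair are constructed.
"""
import re
from dataclasses import dataclass

# Address(es) of the capturing host.  Constructed for the example.
LOCAL_ADDRS = ("80.90.34.225",)

# One record of `tcpdump -l ip proto ICMP`, e.g.
# 16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id 50777, seq 49408, length 8
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
ECHO_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<ident>\d+), seq (?P<seq>\d+), length \d+$"
)

# Constructed capture: the two quoted replies, a normal ping exchange from us,
# and one reply to us that nothing explains.  Two records are wrapped after
# "id", as the mail client did in the message.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ed0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:15:06.748522 IP 80.90.34.228 > 129.82.138.44: ICMP echo reply, id
50777, seq 49408, length 8
16:15:07.001000 IP 80.90.34.225 > 80.90.34.226: ICMP echo request, id 1234, seq 0, length 64
16:15:07.001900 IP 80.90.34.226 > 80.90.34.225: ICMP echo reply, id 1234, seq 0, length 64
16:15:08.500000 IP 10.0.0.9 > 80.90.34.225: ICMP echo reply, id 999, seq 1, length 64
16:17:01.920480 IP 80.90.34.228 > 203.178.148.19: ICMP echo reply, id
9061, seq 48393, length 8
^C
5 packets captured
473 packets received by filter
0 packets dropped by kernel
"""


@dataclass(frozen=True)
class IcmpEcho:
    ts: str
    src: str
    dst: str
    kind: str    # "request" or "reply"
    ident: int
    seq: int


def records(text):
    """Yield one logical tcpdump record per packet.

    A record starts with a timestamp.  A line without one is glued onto the
    pending record only while that record is still incomplete, so wrapped
    lines are repaired while the banner, "^C" and the packet counts are dropped.
    """
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if TS_RE.match(line):
            if pending is not None:
                yield pending
            pending = line
        elif pending is not None and ECHO_RE.match(pending) is None:
            pending = f"{pending} {line}"
    if pending is not None:
        yield pending


def parse_record(record):
    """Return an IcmpEcho for an echo request/reply record, else None."""
    m = ECHO_RE.match(record)
    if m is None:
        return None
    return IcmpEcho(m["ts"], m["src"], m["dst"], m["kind"], int(m["ident"]), int(m["seq"]))


def triage(text, local_addrs=LOCAL_ADDRS):
    """Classify every echo reply in the capture; returns (verdict, IcmpEcho) pairs.

    expected           reply to us matching an echo request we sent (same id/seq)
    unsolicited_reply  reply addressed to us with no matching request
    foreign_reply      reply addressed to another host; the interface only saw it
    """
    local = set(local_addrs)
    outstanding = set()          # (id, seq) of echo requests we sent
    findings = []
    for rec in records(text):
        echo = parse_record(rec)
        if echo is None:
            continue
        if echo.kind == "request":
            if echo.src in local:
                outstanding.add((echo.ident, echo.seq))
            continue
        key = (echo.ident, echo.seq)
        if echo.dst not in local:
            findings.append(("foreign_reply", echo))
        elif key in outstanding:
            outstanding.discard(key)
            findings.append(("expected", echo))
        else:
            findings.append(("unsolicited_reply", echo))
    return findings


if __name__ == "__main__":
    for verdict, echo in triage(SAMPLE):
        print(f"{verdict:18} {echo.ts} {echo.src} > {echo.dst} id={echo.ident} seq={echo.seq}")
```

Run against the constructed capture, the two quoted packets come out as foreign replies (80.90.34.228 answering hosts outside the site), the id-1234 exchange as expected, and the 10.0.0.9 packet as an unsolicited reply. The id/seq match is the useful part of the check: an echo reply carries back whatever identifier and sequence the request had, so a reply whose id/seq was never sent from this host cannot be an answer to one of our pings, whoever its source address claims to be.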


