Beige Macintosh G3/333 minitower on Cable Modem Pings Mystery IP Until TCP/IP Stack Dies


Just Wondering

Mar 21, 2001, 8:01:23 PM3/21/01
Beige Macintosh G3/333 minitower on Cable Modem Pings Mystery IP Until
TCP/IP Stack Dies, (And a net search reveals some HP/Windows users with
identical problems!)

Almost from the first day that ATT/MediaOne installed my Road Runner
service my beige G3 running OS 9.0.4 was unable to connect to the net
from around 8:20AM til mid-afternoon PST. Eventually, getting no useful
help from MediaOne, I rolled up my sleeves and decided to investigate
myself. This revealed that my machine was receiving a flood of ICMP
packets back from the MediaOne router telling me that my ping to the
address 207.26.131.137 was failing to echo, and had timed out. This
flood eventually killed the TCP/IP stack, though resetting it will
regain my connectivity until it dies from the flooding all over again
after a few hundred packets. (I am not positive whether I actually *am*
pinging that address, as my sniffer software/ethernet interface
combination is only capable of capturing INCOMING packets.)

As far as I can tell I have no software installed that would ping that
address. I've stripped the system down to a clean install, from
factory CD, of OS 9.1 with OS 9.1 Base plus Networking extensions
installed. Even removed QuickTime. Still the same pings to the mystery
IP. I don't even need to run a network application to have the problem.
It will be there at boot up. I've even used a process manager to kill
all background processes except for the finder and the packet sniffer,
and still the problem persists.

DNS registration enquiries reveal that the IP is one of a range owned by
ans.net, but appears to be currently unused.

A search of the net reveals that Windows users with newer HP machines
have experienced the same exact symptoms, with pings going out to the
EXACT SAME IP address. They have isolated the problem down to a system
extension that accompanies their "MultiMedia Keyboard." Removing the
extension stops the pinging for them.

However I have no such keyboard--no HP peripherals whatsoever. In fact
my set-up is incredibly generic, using standard Apple hardware, no
special drivers needed.

Since software seems to be innocent, could the pings be coming from a
hardware source? The Ethernet chip-set itself on the motherboard? The
cable modem? The MediaOne router singling me out to send bogus ICMP echo
failure packets to? Could some other machine on the net be the source of
the pings, and I am just the unlucky recipient of their bounces?

Just in case this will help someone troubleshoot, my incoming mystery
ICMP packets are all as follows:

Flags: 0x00
Status: 0x00
Packet Length: 74
Timestamp: 08:11:29.545459 03/05/2001
Ethernet Header
Destination: 00:05:02:BD:FD:E7
Source: 00:B0:8E:F6:B8:54
Protocol Type: 0x0800 IP
IP Header - Internet Protocol Datagram
Version: 4
Header Length: 5 (20 bytes)
Precedence: 6
Type of Service: %0000
Unused: %0
Total Length: 56
Identifier: 20498
Fragmentation Flags: %000
Fragment Offset: 0 (0 bytes)
Time To Live: 255
IP Type: 0x01 ICMP
Header Checksum: 0x73B9
Source IP Address: 24.130.99.1 we-24-130-99-1.we.mediaone.net
Dest. IP Address: 24.130.99.XX we-24-130-99-XX.we.mediaone.net
No Internet Datagram Options
ICMP - Internet Control Messages Protocol
ICMP Type: 11 Time Exceeded
Code: 0 Time to Live count exceeded
Checksum: 0xF4FF
Unused (must be zero): 0x00000000
Header of packet that caused error follows.
IP Header - Internet Protocol Datagram
Version: 4
Header Length: 5 (20 bytes)
Precedence: 0
Type of Service: %0000
Unused: %0
Total Length: 28
Identifier: 42779
Fragmentation Flags: %000
Fragment Offset: 0 (0 bytes)
Time To Live: 1
IP Type: 0x01 ICMP
Header Checksum: 0x446C
Source IP Address: 24.130.99.XX we-24-130-99-XX.we.mediaone.net
Dest. IP Address: 207.26.131.137
No Internet Datagram Options
ICMP - Internet Control Messages Protocol
ICMP Type: 8 Echo Request
Code: 0
Checksum: 0xB5F8
Identifier: 0x0400
Sequence Number: 15879
ICMP Data Area: No more data.
Frame Check Sequence: 0x00000000

In the above packet dump, 24.130.99.XX is my own IP address, not so
dynamically assigned by MediaOne via DHCP. (i.e. it has yet to change
since I signed up with them.) Obviously the XX was inserted by me for
this post just so I don't raise my risk any higher!

The real mystery, of course, is what packets am I sending out that are
causing these echo-failure packets to come back? I wish I could monitor
the outgoing traffic too, but I'm pretty sure the beige G3/ 333
mini-tower's motherboard based Ethernet adapter prohibits this. One of
our network admins at work is loaning me a PCI based card that he tells
me should allow me to monitor both directions, so I may find out soon.

Since I've read of so many Hewlett Packard Windows users having this
same problem triggered by their MultiMedia keyboard extensions I'm
actually wondering if one of *them* is the source of my trouble, and
that I'm the unlucky recipient of the return traffic? Is this possible?
Could it be that someone on the same node as me on MediaOne has a
machine that had this software installed, and that for some reason it's
forging *my* IP address as the sender? Maybe even unintentionally, for
example, maybe they had this address at one time, and it has since been
dynamically reassigned to me, but their keyboard extension is still
stamping the pings with the IP address it saw when it was first
installed? I would think this would only be possible if the extension
software is somehow bypassing their system software in its access to the
net?

=== === === === === === === === === === === === === === === === ===

It has been three days since I installed a new, borrowed, Ethernet card
in the machine. This required a new MAC address being called in to
MediaOne, which seems to have triggered their DHCP server to also assign
me a new IP address. (The original IP address had never changed from day
one.) Since then the packet flooding has ceased. This includes two
week-day mornings--prime time for my problem. The evidence so far
suggests that my problem was related to either the Ethernet adapter,
(doubtful,) or the IP address.

My money is on the IP address. I suspect that whoever has now been
assigned my old IP address is now the lucky recipient of all those ICMP
packets. I'm not ready to declare total victory yet. I'll give it a few
more days, but thanks to those who helped me trouble-shoot the
problem--especially John Strung.

The broader question still remains. Why is that address being flooded
so? My suspicion is that the notorious HP multi-media keyboards are
involved somehow.

=== === === === === === === === === === === === === === === === ===

Well, the uninterrupted service lasted for a week. This Monday I had to
return the borrowed Ethernet card. As a result I had to retreat to the
built-in motherboard based Ethernet adapter on my machine. As a result
I am again getting bombarded with ICMP packets, (in the 8:20-2:30 time
window) describing failed pings to 207.26.131.137. So is it the
Ethernet adapter itself that is sending out these pings? I doubt it.
Because along with the change back to my old adapter came a change back
to my old MAC address, of course. And for some crazy reason the
MediaOne DHCP server once again assigned me the SAME OLD IP address.
This cannot be a coincidence! In spite of the supposedly dynamic nature
of my DHCP IP assignment it seems to be in some way based on the MAC
address it is talking to!

Help!

Oh! If you'd like to read of other people--Hewlett Packard owners,
having the same problems with their machines, and I mean EXACTLY THE
SAME PINGING TO THE EXACT SAME IP ADDRESS--go to either of these web
pages:

http://freepages.tech.rootsweb.com/~atguard/20000818-233-001701.html

http://www.securityportal.com/list-archive/firewalls/2001/Jan/0136.html

Yaron Zabary

Apr 4, 2001, 2:21:54 PM4/4/01
Just Wondering wrote:

Probably someone was (is) using your IP address as the (bogus) source
address of an ICMP DoS attack on the 207.x.x.x address. I would suggest
that you notify MediaOne's NOC.

-- Yaron.
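The packet dump in the first post and the spoofed-source (backscatter) theory in the reply above can both be checked mechanically. The following is an added example, not code from either poster: it rebuilds the captured frame from the field values in the dump (the masked "24.130.99.XX" is assumed to be 24.130.99.200, a hypothetical placeholder, and the checksums are recomputed because they depend on that address; the 4-byte FCS is left out), decodes the ICMP Time Exceeded message together with the datagram it quotes (RFC 792: the original IP header plus the first 8 bytes of its data), and then correlates the quoted echo request against a table of probes this host is known to have sent. The `sent_probes` table is an assumption of the example; it would have to be filled from a capture that sees outbound traffic, which the on-board adapter in the thread could not provide.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed data: the masked "24.130.99.XX" from the post is assumed here to be
# 24.130.99.200 (hypothetical). Every other field value is taken from the dump.
MY_IP = "24.130.99.200"
ROUTER_IP = "24.130.99.1"
TARGET_IP = "207.26.131.137"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ttl: int, ident: int, tos: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident, 0,
                      ttl, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """ICMP message; the checksum covers the header, the 4 'rest' bytes and the payload."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_captured_frame() -> bytes:
    """Rebuild the captured Ethernet frame (minus FCS) from the dump's field values."""
    # Quoted datagram: the echo request the router says expired (TTL 1, id 0x0400, seq 15879, no data).
    echo = build_icmp(8, 0, struct.pack("!HH", 0x0400, 15879))
    inner = build_ipv4(MY_IP, TARGET_IP, 1, echo, ttl=1, ident=42779)            # 28 bytes
    # Outer datagram: Time Exceeded (type 11, code 0) quoting the whole 28-byte inner datagram.
    time_exceeded = build_icmp(11, 0, b"\x00" * 4, inner)
    outer = build_ipv4(ROUTER_IP, MY_IP, 1, time_exceeded, ttl=255, ident=20498,
                       tos=0xC0)                                                 # 56 bytes; precedence 6
    eth = bytes.fromhex("000502BDFDE7") + bytes.fromhex("00B08EF6B854") + b"\x08\x00"
    return eth + outer


@dataclass
class QuotedProbe:
    router: str      # who generated the ICMP error
    victim: str      # who it was delivered to
    inner_src: str   # claimed sender of the expired datagram
    inner_dst: str   # where that datagram was going
    inner_ttl: int   # TTL the router saw on it
    echo_id: int
    echo_seq: int


def parse_time_exceeded(frame: bytes) -> QuotedProbe:
    """Decode Ethernet/IPv4/ICMP Time Exceeded and the datagram header it quotes (RFC 792)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if inet_checksum(ip[:ihl]) != 0:
        raise ValueError("bad outer IP header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 1:
        raise ValueError("not ICMP")
    icmp = ip[ihl:total_len]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if icmp[0] != 11:
        raise ValueError("not ICMP Time Exceeded (type %d)" % icmp[0])
    inner = icmp[8:]                      # quoted original datagram: IP header + first 8 data bytes
    iihl = (inner[0] & 0x0F) * 4
    if inet_checksum(inner[:iihl]) != 0:
        raise ValueError("bad quoted IP header checksum")
    if inner[9] != 1 or inner[iihl] != 8:
        raise ValueError("quoted datagram is not an ICMP echo request")
    echo_id, echo_seq = struct.unpack("!HH", inner[iihl + 4:iihl + 8])
    return QuotedProbe(
        router=str(ip_address(ip[12:16])), victim=str(ip_address(ip[16:20])),
        inner_src=str(ip_address(inner[12:16])), inner_dst=str(ip_address(inner[16:20])),
        inner_ttl=inner[8], echo_id=echo_id, echo_seq=echo_seq)


def classify(probe: QuotedProbe, my_ip: str, sent_probes: set) -> str:
    """Backscatter check: was the quoted echo request something this host actually sent?

    sent_probes is a (hypothetical) table of (dst, echo_id, echo_seq) tuples recorded
    from an outbound capture; an ICMP error that matches nothing in it was provoked
    by a datagram somebody else stamped with our address.
    """
    if probe.inner_src != my_ip:
        return "misdelivered: quoted datagram is not from us"
    if (probe.inner_dst, probe.echo_id, probe.echo_seq) in sent_probes:
        return "our probe: local ping to %s really expired" % probe.inner_dst
    return "backscatter: nothing local sent this; %s is likely being spoofed" % my_ip


if __name__ == "__main__":
    probe = parse_time_exceeded(build_captured_frame())
    print(probe)
    print(classify(probe, MY_IP, set()))
```

Two things the decode makes visible that the dump shows only as raw fields: the quoted datagram was sent with TTL 1 and carries a 28-byte total length (a bare 8-byte echo request with no data), and the only link between the error and the receiving host is the source address inside the quoted header, which any sender can set. With an empty `sent_probes` table the verdict is the backscatter case from the reply above; a matching entry turns it into a genuine local ping that expired one hop out.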
