hrbrmstr 🇺🇦 🇬🇱 🇨🇦
@hrbrmstr.mastodon.social.ap.brid.gy
Pampa • Don't look @ me…I do what he does—just slower. #rstats avuncular •👨‍🍳• ✝️ • 💤 • Vice President of Data Science @ GreyNoise + Carnegie Mellon lecturer […]

🌉 bridged from ⁂ https://mastodon.social/@hrbrmstr, follow @ap.brid.gy to interact
Takes mere seconds to check your relatives' networks.

For the technical folks: `curl -s https://check.labs.greynoise.io/` returns JSON for programmatic checks.

Full details: https://www.greynoise.io/blog/your-ip-address-might-be-someone-elses-problem
2/2
GreyNoise IP Check
Check if your IP address has been observed by GreyNoise sensors. Instantly detect malicious activity, compromised devices, and security threats affecting your network.
check.labs.greynoise.io
November 25, 2025 at 8:10 PM
Had to time-shift some Monday $WORK-work to yesterday due to availability constraints of a third-party we work with, so did not get back to this ICMP thing (and actually slept this time). Shld have time today to pick it back up, tho.

Prbly am going to need to write up that fairly blatant UK […]
November 24, 2025 at 8:00 AM
@Viss oh 100%. all the power companies in the U.S. suck
November 23, 2025 at 10:22 PM
Oh, it's just Tencent Global CDN Platform - EdgeONE constantly pinging the entire internet.
November 23, 2025 at 3:57 PM
That kind of worked (writing Bash & SQL for an hour or three in an attempt to go back to bed)!

We'll pick up the pieces later today/tomorrow. I'm also going to have to grab all non-"normal" ICMP across the fleet, since I think this pattern is bigger than the narrow Arkime query I used.

I also […]
November 23, 2025 at 9:56 AM
Let's rly try to help hrbrmstr go back to sleep by having him write a tediously long SQL query to see if we can possibly identify structure in the payloads: https://ray.so/99w1DqL

What? Doesn't everyone re-implement `file` magic ops in SQL?

So, even more […]

November 23, 2025 at 9:52 AM
Some other WTHeck?s

- type 15, 17
- type 0 or 8 with non-zero codes
- type 3 with larger codes

These low-frequency weirdos can be C2 control messages, markers for session start/stop, or “probe” packets to see what the network allows.

Fun!

Let's take a […]

November 23, 2025 at 9:33 AM
- type 0 / code 0 with avg ~288, max 1330
- type 8 / code 0 with avg ~460, max 1330
- type 3 / code 2 with avg ~497, max 528
- various “Other” combos with avg payload ~120

Legit pings tend to have small, regular sizes (e.g., 32, 56, or 64 bytes, mebbe a bit more).

Hundreds of bytes per packet […]
November 23, 2025 at 9:16 AM
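The two posts above boil the ICMP triage down to two signals: rare type/code combinations (types 15/17, echo with a non-zero code, type 3 with out-of-range codes) and echo payloads far larger than the 32/56/64 bytes a normal ping carries. Here is that triage as an added Python example over a few constructed conn.log-style rows; it is not the author's DuckDB/SQL (which sits behind the ray.so links), it relies on Zeek's convention of storing the ICMP type in id.orig_p and the code in id.resp_p, and the 72-byte "normal ping" ceiling and the "type 3 code > 15 is undefined" rule are my assumptions.

```python
from collections import defaultdict
from statistics import mean
# Constructed sample rows (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto,
# orig_bytes). Zeek stores the ICMP type in id.orig_p and the ICMP code in id.resp_p.
SAMPLE_CONN_LOG = """\
1700000000.1\tC1\t203.0.113.10\t8\t192.0.2.5\t0\ticmp\t56
1700000001.2\tC2\t203.0.113.11\t8\t192.0.2.5\t0\ticmp\t64
1700000002.3\tC3\t198.51.100.7\t8\t192.0.2.5\t0\ticmp\t1330
1700000003.4\tC4\t198.51.100.7\t0\t192.0.2.5\t0\ticmp\t288
1700000004.5\tC5\t198.51.100.9\t3\t192.0.2.5\t2\ticmp\t528
1700000005.6\tC6\t198.51.100.9\t15\t192.0.2.5\t0\ticmp\t120
1700000006.7\tC7\t198.51.100.12\t8\t192.0.2.5\t5\ticmp\t40
1700000007.8\tC8\t203.0.113.10\t443\t192.0.2.5\t51234\ttcp\t-
1700000008.9\tC9\t198.51.100.9\t3\t192.0.2.5\t20\ticmp\t100
"""

NORMAL_PING_MAX_BYTES = 72  # assumed ceiling; ordinary echo payloads are ~32/56/64 bytes

def parse_icmp(text):
    # Keep only ICMP rows; an unset byte count ('-') becomes 0.
    rows = []
    for line in text.splitlines():
        _ts, uid, _oh, op, _rh, rp, proto, ob = line.split("\t")
        if proto == "icmp":
            rows.append({"uid": uid, "type": int(op), "code": int(rp),
                         "orig_bytes": 0 if ob == "-" else int(ob)})
    return rows

def flag_flow(row):
    """Reasons a single flow looks odd, following the thread's heuristics."""
    t, c, size = row["type"], row["code"], row["orig_bytes"]
    reasons = []
    if t in (15, 17):                       # obsolete Information / Address Mask requests
        reasons.append("obsolete request type")
    if t in (0, 8) and c != 0:              # echo request/reply must use code 0
        reasons.append("echo with non-zero code")
    if t == 3 and c > 15:                   # Destination Unreachable defines codes 0-15 only
        reasons.append("type 3 with undefined code")
    if t in (0, 8) and size > NORMAL_PING_MAX_BYTES:
        reasons.append(f"oversized echo payload ({size} bytes)")
    return reasons

def analyze(text):
    """Return per-(type, code) payload stats plus a uid -> reasons map of flagged flows."""
    rows = parse_icmp(text)
    sizes = defaultdict(list)
    for r in rows:
        sizes[(r["type"], r["code"])].append(r["orig_bytes"])
    summary = {k: {"count": len(v), "avg": round(mean(v), 1), "max": max(v)}
               for k, v in sizes.items()}
    flags = {r["uid"]: flag_flow(r) for r in rows if flag_flow(r)}
    return summary, flags
```

On a real conn.log, feed `analyze` the tab-separated body (minus the `#` header lines) and sort `summary` by count to surface the low-frequency combinations first.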
First we need to squeeze as much juice from this lemon as possible: https://ray.so/jarK3Fr

The `sed` line is there b/c only monsters use dots in field names in SQL.

Now we'll import that into DuckDB and get some summary info: https://ray.so/sxFyZB8

Hoo boy […]

November 23, 2025 at 9:16 AM
This is a good approximation of table schema for the Zeek conn.log: https://ray.so/UK27xKn

We then import the conn.log: https://ray.so/kGazZUF

Now, we need to run some basic stats on the data to find anomalies. We don't care about boring ICMP, and we'll […]

November 23, 2025 at 8:54 AM
This turned out to be a Very Good Thing™ since inspecting tens of thousands of packet contents by hand is pretty daft.

So, let's take a data approach to narrow down the search space a bit.

First we'll run Zeek on the PCAP he exported from Arkime:

```
$ zeek -C -r ~/Downloads/all-sessions.pcap […]
```
November 23, 2025 at 8:45 AM
When we last left our intrepid solo (w/apologies to Rocky & Bullwinkle for that intro), he discovered what looked like some odd ICMP being slung at some nodes in the GN Global Observation Grid.

As he gets time today, he'll continue updating this thread with various stages of spelunking […]
November 23, 2025 at 8:42 AM
Expanded the search and am seeing some very specific other types of encapsulation in ICMP, including one that looks like it has an encrypted payload.
November 22, 2025 at 2:49 PM