LinuxQuestions.org
Old 01-10-2011, 07:32 AM   #1
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Weird ping and ping replies from google....


Woke up this morning, and noticed this on my snort log:

Code:
01/10-02:40:01.134740  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-02:40:01.134740  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-02:40:01.158133  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.147 -> 192.168.1.93
01/10-03:00:01.165371  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.99
01/10-03:00:01.165371  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.99
01/10-03:00:01.195549  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.99 -> 192.168.1.93
01/10-03:30:01.649273  [**] [1:254:8] DNS SPOOF query response with TTL of 1 min. and no authority [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.1.93:52355
01/10-03:40:01.558799  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.103
01/10-03:40:01.558799  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.103
01/10-03:40:01.580171  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.103 -> 192.168.1.93
01/10-04:00:01.598586  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-04:00:01.598586  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-04:00:01.618159  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.147 -> 192.168.1.93
01/10-04:30:01.751074  [**] [1:254:8] DNS SPOOF query response with TTL of 1 min. and no authority [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.1.93:48739
01/10-04:40:01.710521  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.103
01/10-04:40:01.710521  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.103
01/10-04:40:01.733354  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.103 -> 192.168.1.93
01/10-05:00:01.990355  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.104
01/10-05:00:01.990355  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.104
01/10-05:00:02.009411  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.104 -> 192.168.1.93
01/10-05:30:01.624738  [**] [1:254:8] DNS SPOOF query response with TTL of 1 min. and no authority [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.1.93:60029
01/10-05:40:01.528183  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.99
01/10-05:40:01.528183  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.99
01/10-05:40:01.553644  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.99 -> 192.168.1.93
01/10-06:00:01.815023  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.103
01/10-06:00:01.815023  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.103
01/10-06:00:01.842012  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.103 -> 192.168.1.93
01/10-06:30:02.202950  [**] [1:254:8] DNS SPOOF query response with TTL of 1 min. and no authority [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.1.93:51519
01/10-06:40:01.118694  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-06:40:01.118694  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-06:40:01.138599  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.147 -> 192.168.1.93
01/10-07:00:01.969456  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-07:00:01.969456  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-07:00:01.992475  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.147 -> 192.168.1.93
01/10-07:10:54.801073  [**] [129:5:1] Bad segment, adjusted size <= 0 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.93:37592 -> 72.14.204.19:443
01/10-07:30:01.800999  [**] [1:254:8] DNS SPOOF query response with TTL of 1 min. and no authority [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.1.93:48761
01/10-07:40:01.692999  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.103
01/10-07:40:01.692999  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.103
01/10-07:40:01.715607  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.103 -> 192.168.1.93
01/10-08:00:01.936271  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.103
01/10-08:00:01.936271  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.103
01/10-08:00:01.958371  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.103 -> 192.168.1.93
01/10-08:17:38.308569  [**] [129:16:1] FIN number is greater than prior FIN [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 193.28.235.40:80 -> 192.168.1.93:40013
01/10-08:20:11.595172  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-08:20:11.595172  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-08:20:11.615827  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.147 -> 192.168.1.93
01/10-08:20:12.596534  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-08:20:12.596534  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-08:20:12.616478  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.147 -> 192.168.1.93
01/10-08:20:43.431954  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-08:20:43.431954  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-08:20:43.455986  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.147 -> 192.168.1.93
01/10-08:20:44.433707  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-08:20:44.433707  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-08:20:44.456289  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 72.14.204.147 -> 192.168.1.93

It traces back to Google's server (iad04s01-in-f147.1e100.net).... Has anybody else ever gotten anything like this? What's weird is that it happened every 30 minutes or so, on the dot, and I'm behind my NAT-enabled router.....

Edit - Mods, move it.... my bad, wrong area.

Last edited by corp769; 01-10-2011 at 07:34 AM.
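
The "every 30 minutes or so, on the dot" observation in the post above can be checked directly against the alert log. The following is an added example, not part of the original post: it parses Snort fast-alert lines and reports, per signature and source host, the minutes past the hour at which alerts fire and the median gap between them. The sample is a subset of the log quoted above; the year (which the format omits) and all function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Subset of the fast-alert lines quoted in the post (one alert per line).
SAMPLE = """\
01/10-02:40:01.134740  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-03:00:01.165371  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.99
01/10-03:30:01.649273  [**] [1:254:8] DNS SPOOF query response with TTL of 1 min. and no authority [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.1.93:52355
01/10-03:40:01.558799  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.103
01/10-04:00:01.598586  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.93 -> 72.14.204.147
01/10-04:30:01.751074  [**] [1:254:8] DNS SPOOF query response with TTL of 1 min. and no authority [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.1:53 -> 192.168.1.93:48739
"""

# timestamp, [gid:sid:rev], message, {protocol}, source -> destination
ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

def parse(text, year=2011):
    """Yield one dict per alert line; the year is assumed, the log does not carry it."""
    for line in text.splitlines():
        m = ALERT.match(line.strip())
        if m:
            d = m.groupdict()
            d["time"] = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
            yield d

def schedule(alerts):
    """Group by (gid:sid, IPv4 source host) and summarise how regularly each fires."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(f"{a['gid']}:{a['sid']}", a["src"].split(":")[0])].append(a["time"])
    report = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {
            "count": len(times),
            "minutes": sorted({t.minute for t in times}),
            "median_gap_s": round(median(gaps)) if gaps else None,
            # True when every alert lands within 2 s of the start of a minute
            "near_minute_start": all(t.second <= 2 for t in times),
        }
    return report
```

On this subset, SID 366 from 192.168.1.93 fires only at minutes 0 and 40 and SID 254 only at minute 30, each within two seconds of the start of the minute, which is the pattern a scheduled job on the source host produces.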
 
Old 01-11-2011, 05:54 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Haven't seen it - I'd look for something running on 192.168.1.93, maybe it's a keep-alive method ... ?

See if you can capture one of the packets that are triggering the "DNS spoof" message; it may indicate what the app is connecting to.

Last edited by kbp; 01-11-2011 at 05:58 PM.
 
Old 01-13-2011, 11:37 AM   #3
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Original Poster
Negative, 192.168.1.93 is my laptop. I have my system really locked down and it wasn't nothing like that. But for now, I haven't seen it happen since. Thanks man.
 
Old 03-07-2011, 04:02 PM   #4
srainsdon
LQ Newbie
 
Registered: Mar 2011
Posts: 5

Just got the same thing:
1 8.8.8.8 DNS SPOOF query response with TTL of 1 min. and no authority
No clue why, but just figured I would say something.
 
Old 03-07-2011, 04:27 PM   #5
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Original Poster
Quote:
Originally Posted by srainsdon
Just got the same thing:
1 8.8.8.8 DNS SPOOF query response with TTL of 1 min. and no authority
No clue why, but just figured I would say something.
Way to dig up my thread... LOL

Is 8.8.8.8 a real IP on your end? Did you trace it and come up with a hostname?
 
Old 03-07-2011, 07:15 PM   #6
srainsdon
LQ Newbie
 
Registered: Mar 2011
Posts: 5

Yes, I did. Sorry, it's google-public-dns-a.google.com; it is also my pri DNS record.
 
Old 03-07-2011, 07:43 PM   #7
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Original Poster
Then there you go
 
  


All times are GMT -5.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration