Network Traffic

[Guins, Shawn \(US - Dallas\)]

Title: Network Traffic

Recently, while sifting through traffic logs, I came across some ICMP traffic coming from an ip address.  What interested me was the fact that many of the packets had the same time stamp, down to the millionth of a second.  Here's a clip of what I received:

IP-152.63.99.170    x.x.x.x     15:14:17.827209 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:14:52.837552 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:14:52.847566 ICMP DUnr      

IP-152.63.99.170    x.x.x.x     15:19:20.953083 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:19:55.963425 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:19:55.963425 ICMP DUnr      

IP-152.63.99.170    x.x.x.x     15:24:24.018870 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:24:59.029212 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:24:59.029212 ICMP DUnr      

IP-152.63.99.170    x.x.x.x     15:29:27.084657 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:30:02.095000 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:30:02.095000 ICMP DUnr      

IP-152.63.99.170    x.x.x.x     15:34:29.209091 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:35:04.219433 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:35:04.229448 ICMP DUnr      

IP-152.63.99.170    x.x.x.x     15:39:32.264864 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:40:07.285220 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:40:07.285220 ICMP DUnr      

IP-152.63.99.170    x.x.x.x     15:44:35.340665 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:45:10.361022 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:45:10.361022 ICMP DUnr      

IP-152.63.99.170    x.x.x.x     15:49:38.726913 ICMP DUnr      
IP-152.63.99.170    x.x.x.x     15:50:13.757284 ICMP DUnr      
IP-152.63.99.170    x.x.x.x  15:50:13.757284    ICMP DUnr

Now I see these packets as being set in increments of 3's, with a 5min 3sec delay between each set; the first packet with the first of the second set, second with the second, so on..  What I'm wondering is, could this be the sign of 3 instants of an application running on the same box hitting my server?  Or is there another explaination for this?

All the traffic was directed to a single server in my network.  The 5min 3sec delay was constant for about 10 hours.  There were occasions where there were some breaks in the delay and parts where one of the transmitions in the set of 3 dropped off, but then when it started again, it went back to the 5min 3sec delay.  Can anyone comfirm what I've deduce?  Or explain what this could have been?

Thanx!

Shawn T. Guins
Security Admin/Systems Admin
Deloitte & Touche LLP
IAS Technology Center
972-450-0807             972-458-0210 Fax

Suite 500, Two Hillcrest Green
12720 Hillcrest Road
Dallas, TX 75230