Security Incidents mailing list archives
Re: ICMP time exceed in-transit packets
From: Tim.White () CI AUSTIN TX US (White, Tim)
Date: Fri, 31 Dec 1999 18:35:06 -0600
I am getting these destined for networks behind my firewall (application gateway), which does not pass ANY ICMP, in or out. They are also destined for 24 bit network addresses (i.e. 172.16.12.0). What is really odd about these is that they are slowly covering my entire class B at early morning hours. They are sourced from about 20 routers covering a broad area. I reviewed my IDS logs on my internet connection, and no stimulus exists (i.e. no outbound traceroute). I find this one a bit odd.
-----Original Message----- From: Rob Quinn [SMTP:rquinn () SEC SPRINT NET] Sent: Thursday, December 30, 1999 12:31 PM To: INCIDENTS () SECURITYFOCUS COM Subject: Re: ICMP time exceed in-transit packets22:32:06.344676 210.207.190.33 > sanitized.84.0: icmp: time exceededin-transit You get these back from tracerouting, or when a packet takes too many hops, usually due to a routing loop. 210.207.190.33 is a cisco. An older version of some popular software (Nuke Nabber?) identifies these packets as an attack, causing us to receive tons of semi-automated compliants about or backbone routers. -- | Opinions are _mine_, facts Rob Quinn | | are facts. (703)689-6582 | | rquinn () sec sprint net | | Sprint Corporate Security |
Current thread:
- Re: ICMP time exceed in-transit packets White, Tim (Dec 31)
- Re: ICMP time exceed in-transit packets Chris Brenton (Jan 01)
- Re: ICMP time exceed in-transit packets Alain Thivillon (Jan 01)
- Re: ICMP time exceed in-transit packets Christopher Wilson (Jan 02)
- port 119 Dariusz Zmokly (Jan 03)
- Re: port 119 Robert Graham (Jan 03)
- Re: port 119 Thomas Molina (Jan 04)
- Re: port 119 Vince Vielhaber (Jan 05)
- Re: ICMP time exceed in-transit packets Alain Thivillon (Jan 01)
- Ports 25092 / 20869 Vanja Hrustic (Jan 04)
- Re: Ports 25092 / 20869 Robert Graham (Jan 04)
- port 1150 and 4833 ? Kim R. Rasmussen (Jan 04)
- Re: ICMP time exceed in-transit packets Chris Brenton (Jan 01)