Security Incidents mailing list archives

Re: traceroute ICMP packets


From: lurker () ITIS COM (M J)
Date: Tue, 4 Jan 2000 19:25:42 -0000


Greetings.  Recently I have noticed a great deal of activity similar to this as well from a number of sources.  Here are 
some snips from my PIX log.  Anyone have ideas what they may be trying to accomplish?  (Identify routers?)  What makes me 
nervous is that they somehow found the address of my internal interface and this is where they are focusing their 
efforts.

Jan  3 03:12:57 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33474
Jan  3 03:12:59 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33469
Jan  3 03:13:02 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33475
Jan  3 03:13:04 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33470
Jan  3 03:13:07 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33476
Jan  3 03:13:09 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33471

Here are some of the addresses constantly banging away at us.

198.170.164.3, 206.86.106.3, 212.36.169.97, 193.173.76.2, 195.54.95.3, 168.143.224.18, 195.8.99.162, 194.133.52.3, 
212.23.226.3, 212.121.130.40, 193.127.46.2, 193.65.199.3, 203.79.87.3 - and there's plenty more where that came from if 
anyone is interested.

Again - if anyone has any insight as to what may be going on please let me know.  Thank you all for your time.

-Matthew

Hello,

My Linux box has recently logged some traceroute ICMP packets. Of course,
I did not traceroute these hosts. (Packets from hosts between my
computer and the source IPs are missing as well.)

Do you have any idea what this can be?

Here are the (ipchains) logs:
(x.y.u.v is the IP address of myhost)

Jan  3 15:29:54 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1
        167.216.136.2:11 x.y.u.v:0 L=56 S=0xC0 I=21545 F=0x0000 T=247
Jan  3 15:30:07 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1
        212.59.199.41:11 x.y.u.v:0 L=56 S=0x00 I=3106 F=0x0000 T=237
Jan  3 15:30:16 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1
        212.59.199.41:11 x.y.u.v:0 L=56 S=0x00 I=3124 F=0x0000 T=237
Jan  3 15:30:23 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1
        167.216.136.2:11 x.y.u.v:0 L=56 S=0xC0 I=21986 F=0x0000 T=247
... (more packets from these hosts with similar delays between them)

Laszlo
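An added illustration, not code from either poster: a small Python classifier over constructed sample lines in the two log formats quoted in this thread. It flags PIX "Deny inbound UDP" entries whose destination ports climb through the classic traceroute probe range from a fixed source port, and picks out ipchains ICMP type 11 (time exceeded) entries, which ipchains logs with the type and code in the port positions. The addresses below are the ones quoted above plus documentation-range placeholders for the anonymised local host and for a non-traceroute packet.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the two log formats quoted in this thread;
# the anonymised local address is replaced with the documentation host 192.0.2.10.
PIX_LINES = [
    "Jan  3 03:12:57 [fw] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to 192.0.2.10/33474",
    "Jan  3 03:12:59 [fw] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to 192.0.2.10/33469",
    "Jan  3 03:13:02 [fw] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to 192.0.2.10/33475",
    "Jan  3 03:13:04 [fw] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to 192.0.2.10/33470",
    "Jan  3 03:13:07 [fw] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to 192.0.2.10/33476",
    "Jan  3 03:20:11 [fw] %PIX-: Deny inbound UDP from 198.51.100.7/1234 to 192.0.2.10/53",
]
IPCHAINS_LINES = [
    "Jan  3 15:29:54 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1 "
    "167.216.136.2:11 192.0.2.10:0 L=56 S=0xC0 I=21545 F=0x0000 T=247",
    "Jan  3 15:30:07 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1 "
    "212.59.199.41:11 192.0.2.10:0 L=56 S=0x00 I=3106 F=0x0000 T=237",
]

# Classic UNIX traceroute sends UDP probes to port 33434 and raises the destination
# port by one per probe; 33434-33534 covers roughly the first 30 hops at 3 probes each.
TRACEROUTE_PORTS = range(33434, 33535)
PIX_RE = re.compile(r"Deny inbound UDP from (\S+)/(\d+) to (\S+)/(\d+)")
# ipchains logs ICMP as src:type dst:code; RFC 792 type 11 is "time exceeded"
# (code 0 = TTL exceeded in transit, code 1 = fragment reassembly time exceeded).
ICMP_RE = re.compile(r"PROTO=1 (\S+):(\d+) (\S+):(\d+) .*T=(\d+)")

def pix_traceroute_sources(lines):
    """Map source IP -> list of probed ports for sources whose denied UDP packets look
    like a traceroute: one fixed source port, destination ports climbing in the range."""
    probes = defaultdict(list)
    for line in lines:
        m = PIX_RE.search(line)
        if m and int(m.group(4)) in TRACEROUTE_PORTS:
            probes[(m.group(1), m.group(2))].append(int(m.group(4)))
    return {src: ports for (src, _sport), ports in probes.items()
            if len(ports) >= 2 and all(b > a for a, b in zip(ports, ports[1:]))}

def ipchains_time_exceeded(lines):
    """List (source IP, ICMP code, arriving TTL) for logged ICMP type 11 packets."""
    hits = []
    for line in lines:
        m = ICMP_RE.search(line)
        if m and int(m.group(2)) == 11:
            hits.append((m.group(1), int(m.group(4)), int(m.group(5))))
    return hits
```

Calling `pix_traceroute_sources(PIX_LINES)` reports both PIX sources with their rising probe ports and ignores the port 53 packet; `ipchains_time_exceeded(IPCHAINS_LINES)` returns the two time-exceeded senders with code 0 and the TTL each arrived with.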

