Security Incidents mailing list archives

Re: Spoofed ICMP


From: bejtlich () ALTAVISTA NET (Richard Bejtlich)
Date: Sun, 28 May 2000 03:19:11 -0000


Hi Ken,

This is a very interesting case, possibly relating to the 
ICMP time exceeded error messages previously seen at 
www.sans.org and here.

Based on the packet you provided, an unknown third party 
might be (SYN?) flooding 333.333.33.333, which doesn't seem 
to exist, spoofing 222.222.222.2 as the source, which 
belongs to you.  This is based on the data portion of the 
ICMP packet you displayed.  The source 111.111.11.111 would 
be a router upstream from the intended victim, trying to 
send the spoofed SYN packet to 333.333.33.333, which is 
unreachable due to non-existence.  This may be a sign of an 
unsuccessful DoS attempt against 333.333.33.333.

Richard Bejtlich

---

In the past week I've seen at least 3 identical ICMP DOS 
attacks (?) involving 3 different ISPs. I'm not sure if 
they're attempted attacks, and if so, against my network or 
the ISP's.

...

My questions: Is this a DOS? Against our network? Against 
the ISP? If it isn't a DOS, what's the point? Is the 
address 333.333.33.333 in the snoop capture also spoofed or 
could it possibly indicate the actual source?

Thanks
Ken
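An added example (not part of this thread, and not code from either poster) that does by program what Richard does by eye: decode an ICMP error message, pull the quoted IP header and first eight transport bytes out of its data portion, and flag the case where the quoted source is our own address but we have no record of sending that packet. The addresses, ports and packet bytes are constructed from RFC 5737 documentation ranges and do not reuse the placeholder addresses in the thread.

```python
import struct
import ipaddress

# Type values of ICMP error messages that quote the offending datagram (RFC 792).
ICMP_ERROR_TYPES = {3: "destination unreachable", 4: "source quench",
                    11: "time exceeded", 12: "parameter problem"}

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_sample():
    """Constructed sample: router 198.51.100.1 returns Time Exceeded to 192.0.2.2 (us),
    quoting a SYN that claimed to come from us, aimed at non-existent 203.0.113.33:80."""
    tcp_first8 = struct.pack("!HHI", 12345, 80, 0x11223344)   # sport, dport, seq
    inner = build_ipv4("192.0.2.2", "203.0.113.33", 6, tcp_first8)
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + inner           # type 11, code 0
    return build_ipv4("198.51.100.1", "192.0.2.2", 1, icmp)

def parse_icmp_error(datagram):
    """Extract the quoted original packet from an ICMP error; None if not an error."""
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != 1:                      # outer protocol is not ICMP
        return None
    icmp = datagram[ihl:]
    if icmp[0] not in ICMP_ERROR_TYPES:
        return None
    inner = icmp[8:]                           # quoted IP header + 8 bytes of L4
    inner_ihl = (inner[0] & 0x0F) * 4
    l4 = inner[inner_ihl:inner_ihl + 8]
    ports = struct.unpack("!HH", l4[:4]) if inner[9] in (6, 17) and len(l4) >= 4 else (None, None)
    return {
        "reporter": str(ipaddress.IPv4Address(datagram[12:16])),
        "error": ICMP_ERROR_TYPES[icmp[0]],
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_proto": inner[9], "orig_sport": ports[0], "orig_dport": ports[1],
    }

def classify(info, our_net, sent_to):
    """Backscatter test: the quoted packet claims our source address, but the
    destination is nowhere in our own record of outbound connections."""
    src_is_ours = ipaddress.IPv4Address(info["orig_src"]) in ipaddress.IPv4Network(our_net)
    if src_is_ours and info["orig_dst"] not in sent_to:
        return "backscatter: someone is spoofing our address toward " + info["orig_dst"]
    return "genuine error for our own traffic" if src_is_ours else "unrelated"
```

The `sent_to` set stands in for whatever outbound connection log or flow record you keep; the quoted destination of a genuine error will appear there, the destination of backscatter will not.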
