Security Incidents mailing list archives
Re: Spoofed ICMP
From: bejtlich () ALTAVISTA NET (Richard Bejtlich)
Date: Sun, 28 May 2000 03:19:11 -0000
Hi Ken, This is a very interesting case, possibly relating to the ICMP time exceeded error messages previously seen at www.sans.org and here. Based on the packet your provided, an unknown third party might be (SYN?) flooding 333.333.33.333, which doesn't seem to exist, spoofing 222.222.222.2 as the source, which belongs to you. This is based on the data portion of the ICMP packet you displayed. The source 111.111.11.111 would be a router upstream from the intended victim, trying to send the spoofed SYN packet to 333.333.33.333, which is unreachable due to non-existence. This may be a sign of an unsuccessful DoS attempt against 333.333.33.333. Richard Bejtlich --- In the past week I've seen at least 3 identical ICMP DOS attacks (?) involving 3 different ISPs. I'm not sure if they're attempted attacks, and if so, against my network or the ISP's. ... My questions: Is this a DOS? Against our network? Against the ISP? If it isn't a DOS, what's the point? Is the address 333.333.33.333 in the snoop capture also spoofed or could it possibly indicate the actual source? Thanks Ken
Current thread:
- Spoofed ICMP "destination unreachable" - DOS? Ken Eichman (May 22)
- Microsoft version.binding us now? Bill Marquette (May 26)
- New DoS attack Jeff Calvert (May 28)
- Re: Microsoft version.binding us now? Erich Meier (May 29)
- Re: Spoofed ICMP Richard Bejtlich (May 27)
- Re: Spoofed ICMP "destination unreachable" - DOS? Steve Reid (May 27)
- <Possible follow-ups>
- Re: Spoofed ICMP "destination unreachable" - DOS? Aussie (May 24)
- ICMP attack in progress? Lic. Rodolfo Gonzalez Gonzalez (May 25)
- Re: ICMP attack in progress? Crist J. Clark (May 25)
- Re: ICMP attack in progress? Jason Storm (May 26)
- afs3 exploit?? elijah wright (May 25)
- Strange Happenings @Home Fred Hirsch (May 30)
- AMDROCKS Jim Williams (May 25)
- Attacks on port 25 Vincent Lim (May 25)
- Re: Attacks on port 25 Ryan Russell (May 26)
- ICMP attack in progress? Lic. Rodolfo Gonzalez Gonzalez (May 25)
- Microsoft version.binding us now? Bill Marquette (May 26)