Security Incidents mailing list archives
Re: Sparse ICMP/ACK Scans to Broadcast Addresses
From: spb () MESHUGGENEH NET (Stephen P. Berry)
Date: Mon, 8 May 2000 00:04:58 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 lamont () icopyright com writes:
On Fri, 5 May 2000, Stephen P. Berry wrote:
Over the past couple days, I've noticed an odd traffic pattern which I haven't observed previously. The pattern consists of two flavours of traffic: -An ICMP_ECHO_REQUEST -An ACK
That's an ACK ping, to detect machines that packet filter ICMP. NMAP is one scanner that will do these kinds of scans.
Yes. That's why I said I suspected it was a reconnaissance scan. The interesting thing isn't that this is an ICMP and ACK scan, it's that it is: -Low volume -Only to broadcast addresses (apparently always x.y.z.255 and then x.y.z.127 -Apparently originates on different networks[0] -Is directed at different networks (i.e., it isn't just a patient scan of a single hunk of address space) In other words, the pattern I was asking if anyone else was seeing appears to be a distinct flavour of ICMP/ACK scan---different enough from the other sorts of scanning activity I routinely observe to be noteworthy. - -Steve - ----- 0 And presumably a reconnaissance scan isn't going to use spoofed source addresses with this kind of volume. So that suggests that either it's a tool that multiple people are using, or one person (or group) has a number of machines on different networks from which they are conducting this scan (or these scans). -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE5FmcDG3kIaxeRZl8RAtjKAJ9wjj0IEpXYFR5Srt8l0lQ7F9+vbwCeP4ET wRz0Ih8kD7Ylh7JvUuAybpk= =LoD8 -----END PGP SIGNATURE-----
Current thread:
- Sparse ICMP/ACK Scans to Broadcast Addresses Stephen P. Berry (May 05)
- Re: Sparse ICMP/ACK Scans to Broadcast Addresses Granquist, Lamont (May 07)
- Re: Sparse ICMP/ACK Scans to Broadcast Addresses Stephen P. Berry (May 08)
- Re: Sparse ICMP/ACK Scans to Broadcast Addresses Granquist, Lamont (May 07)