Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

ICMP Parameter Problem packets to random addresses

From: Russell Fulton <r.fulton () auckland ac nz>
Date: Tue, 19 Jun 2001 12:21:41 +1200 (NZST)
Greetings All
                Periodically, over the last few months, I have been
seeing bursts of ICMP Parameter Problem (type 12, code 0) like those
below that were picked up by snort today:

Jun 19 10:01:34 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.186.122
Jun 19 10:02:50 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.14.27
Jun 19 10:05:40 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.74.94
Jun 19 10:07:38 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.96.37
Jun 19 10:08:58 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.132.107
Jun 19 10:11:26 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.164.3
Jun 19 10:22:24 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.138.66
Jun 19 10:23:08 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.140.43
Jun 19 10:23:52 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.145.97
Jun 19 10:32:34 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.114.1
Jun 19 10:50:47 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.187.73
Jun 19 11:01:19 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.194.11
Jun 19 11:14:26 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.62.75
Jun 19 11:16:22 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.211.108
Jun 19 11:25:06 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.232.56
Jun 19 11:26:42 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.178.94
Jun 19 11:43:36 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.194.12
Jun 19 11:44:24 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.234.34
Jun 19 11:52:17 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.119.15
Jun 19 11:54:53 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.162.31
Jun 19 11:59:44 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.78.101
Jun 19 12:01:27 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.130.7

The destination addresses appear to be random addresses in our /16
address space.  The burst last for varying lengths of time (anything
from a few hours to a few days).

I have been assuming that this traffic is a fall out from a DoS
lauched against 194.42.253.254 (or some host behind it if it is a
router).  One thing that might cause this is ICMP packets that set
random values to type and code fields in a flood attack.  I seem to
remember that one of the common DoS Tools does just that.

Any other thoughts?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
Previous By Date Next
Previous By Thread Next

Current thread: