Security Incidents mailing list archives
ICMP Parameter Problem packets to random addresses
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Tue, 19 Jun 2001 12:21:41 +1200 (NZST)
Greetings All,

Periodically, over the last few months, I have been seeing bursts of ICMP Parameter Problem (type 12, code 0) like those below that were picked up by snort today:

Jun 19 10:01:34 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.186.122
Jun 19 10:02:50 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.14.27
Jun 19 10:05:40 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.74.94
Jun 19 10:07:38 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.96.37
Jun 19 10:08:58 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.132.107
Jun 19 10:11:26 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.164.3
Jun 19 10:22:24 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.138.66
Jun 19 10:23:08 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.140.43
Jun 19 10:23:52 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.145.97
Jun 19 10:32:34 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.114.1
Jun 19 10:50:47 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.187.73
Jun 19 11:01:19 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.194.11
Jun 19 11:14:26 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.62.75
Jun 19 11:16:22 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.211.108
Jun 19 11:25:06 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.232.56
Jun 19 11:26:42 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.178.94
Jun 19 11:43:36 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.194.12
Jun 19 11:44:24 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.234.34
Jun 19 11:52:17 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.119.15
Jun 19 11:54:53 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.162.31
Jun 19 11:59:44 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.78.101
Jun 19 12:01:27 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.130.7

The destination addresses appear to be random addresses in our /16 address space. The bursts last for varying lengths of time (anything from a few hours to a few days).

I have been assuming that this traffic is a fall out from a DoS launched against 194.42.253.254 (or some host behind it if it is a router). One thing that might cause this is ICMP packets that set random values to type and code fields in a flood attack. I seem to remember that one of the common DoS Tools does just that.

Any other thoughts?

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
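An added example, not part of the original post: one way to summarise snort syslog alerts like those above per source, so that a single sender of ICMP errors hitting many unrelated addresses stands out. The function names and thresholds are assumptions; the sample lines are the first six alerts from the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# First six alert lines copied from the post's snort excerpt.
SAMPLE = """\
Jun 19 10:01:34 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.186.122
Jun 19 10:02:50 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.14.27
Jun 19 10:05:40 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.74.94
Jun 19 10:07:38 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.96.37
Jun 19 10:08:58 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.132.107
Jun 19 10:11:26 takahe snort[64968]: PING-ICMP Parameter Problem: 194.42.253.254 -> 130.216.164.3
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"(?P<msg>.+?): (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")

def summarize(text, year=2001):
    """Group alerts by (source, message). Syslog omits the year, so pass it in."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not snort alerts in this format
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        groups[(m["src"], m["msg"])].append((ts, m["dst"]))
    out = {}
    for key, hits in groups.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        dsts = {d for _, d in hits}
        out[key] = {
            "alerts": len(hits),
            "distinct_dsts": len(dsts),
            "distinct_24s": len({ip_network(f"{d}/24", strict=False) for d in dsts}),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return out

def looks_scattered(stats, min_alerts=5):
    """Heuristic (assumed thresholds): nearly every alert from this source
    goes to a new address, spread over many /24s rather than one subnet."""
    return (stats["alerts"] >= min_alerts
            and stats["distinct_dsts"] / stats["alerts"] >= 0.9
            and stats["distinct_24s"] / stats["alerts"] >= 0.8)
```

Run over a full day's log, the mean gap and the per-source totals also make it easy to compare one burst with the next.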