Security Incidents mailing list archives

ICMP Scan


From: "tim logan" <seclists () getemail net>
Date: Tue, 23 Mar 2004 10:03:39 -0600

I saw this traffic last night on an IDS system inside a firewall.  Can 
somebody shed some light on it?  It looks to me like the purpose is to 
determine the number of hops to the host in question.  If it is, what 
would be the purpose?

(Internal IP address changed to 1.2.3.4)

19:05:40.869387 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 109, id 23236, len 112)
19:05:40.869668 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 108, id 23236, len 112)
19:05:40.869984 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 107, id 23236, len 112)
19:05:40.870222 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 106, id 23236, len 112)
19:05:40.870509 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 105, id 23236, len 112)

<<<< many packets removed for brevity's sake >>>>

19:05:40.895191 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 6, id 23236, len 112)
19:05:40.895477 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 5, id 23236, len 112)
19:05:40.895686 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 4, id 23236, len 112)
19:05:40.895973 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 3, id 23236, len 112)
19:05:40.896181 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 2, id 23236, len 112)
19:05:40.896473 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag [ttl 1] (id 23236, len 112)
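
An added example, not part of the original post: one way to triage a capture like the one above is to group packets by source, destination and IP id and report groups whose TTL falls by exactly one per packet, which is the pattern visible in the posted lines. The function names are hypothetical, and the first sample line is constructed.

```python
import re
from collections import defaultdict

# The last four lines are from the post above with the e-mail wrapping undone;
# the first line is constructed to give the parser an unrelated packet.
SAMPLE = """\
19:05:39.000000 10.0.0.5 > 1.2.3.4: icmp: echo request (ttl 64, id 100, len 84)
19:05:40.895686 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 4, id 23236, len 112)
19:05:40.895973 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 3, id 23236, len 112)
19:05:40.896181 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 2, id 23236, len 112)
19:05:40.896473 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag [ttl 1] (id 23236, len 112)
"""

HEAD = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+) > (\S+): ")
TTL = re.compile(r"\bttl (\d+)")   # matches both "(ttl 4, ..." and "[ttl 1]"
IPID = re.compile(r"\bid (\d+)")

def parse(line):
    """Return (seconds, src, dst, ip_id, ttl), or None if the line does not fit."""
    head, ttl, ipid = HEAD.match(line), TTL.search(line), IPID.search(line)
    if not (head and ttl and ipid):
        return None
    h, m, s, src, dst = head.groups()
    secs = int(h) * 3600 + int(m) * 60 + float(s)
    return secs, src, dst, int(ipid.group(1)), int(ttl.group(1))

def ttl_countdowns(text, min_packets=3):
    """Find (src, dst, ip_id) groups whose TTL drops by exactly 1 per packet."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            t, src, dst, ip_id, ttl = rec
            groups[(src, dst, ip_id)].append((t, ttl))
    findings = []
    for key, pkts in groups.items():
        pkts.sort()  # order by capture time
        ttls = [ttl for _, ttl in pkts]
        steps = {a - b for a, b in zip(ttls, ttls[1:])}
        if len(pkts) >= min_packets and steps == {1}:
            span_ms = round((pkts[-1][0] - pkts[0][0]) * 1000, 3)
            findings.append({"flow": key, "ttls": ttls, "span_ms": span_ms})
    return findings

if __name__ == "__main__":
    for finding in ttl_countdowns(SAMPLE):
        print(finding)
```

Since a sender normally assigns a fresh IP id to each datagram it originates, a repeated id is worth noting when judging whether the packets are separate probes.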

