Re: ICMP Type:8 Code:137

["Allan Kjeldbjerg (Acom Internet ApS)" <allan () acom-net dk>]

Hi _mutiger_jh,

Yes I have notice the increase of the same packets. They could be spoofed 
but the one I currently
notice originate from China and is distributed via ISP's in New York.

Concurrently with these packets we expirence non terminating TCP connections 
on our Windows platform.
- Could there be a connection between the two? Anyone noticed the same 
pattern?

/allan

----- Original Message ----- 
From: "Justin" <justinvinn () gmail com>
To: <mutiger_jh () yahoo com>
Cc: <incidents () securityfocus com>
Sent: Friday, October 28, 2005 8:11 PM
Subject: Re: ICMP Type:8 Code:137


> Mutiger_jh,
>
> It could indeed be a recon technique (the traceroute makes me think
> that even more). Custom ICMP programs are not that difficult to make,
> so maybe somebody is using your system(s) as a testing ground?
>
> This also reminds me of xprobe2. Doesn't that send ICMP like what you
> described? Are these targetd in sweeps across your netrange, or is it
> just against one specific host.
>
> Hope some of that helped...
>
> peace,
> --Justin
>
> On 28 Oct 2005 03:12:09 -0000, mutiger_jh () yahoo com
> <mutiger_jh () yahoo com> wrote:
> > We have been seeing a good number of ICMP - echo requests coming in 
> > bursts having a code of 137 in the last couple of days.  The burst do not 
> > last long but are sometimes preceeded by a traceroute.  No other traffice 
> > follows from the source hosts.  There is no payload in the packets.  My 
> > research into what or why this is happening has turned up nothing.
> >
> > Has any one heard of any attacks or recon using this code?