Security Incidents mailing list archives
Re: ICMP Type:8 Code:137
From: Valdis.Kletnieks () vt edu
Date: Fri, 28 Oct 2005 19:56:58 -0400
On Fri, 28 Oct 2005 21:18:27 +0200, "Allan Kjeldbjerg (Acom Internet ApS)" said:
> Hi _mutiger_jh, Yes I have noticed the increase of the same packets. They could be spoofed but the ones I currently notice originate from China and are distributed via ISPs in New York. Concurrently with these packets we experience non-terminating TCP connections on our Windows platform. - Could there be a connection between the two? Anyone noticed the same pattern?
Out of curiosity, are these fragged packets? I'm wondering if the first frag is getting lost and something's misinterpreting a 2nd or following frag - remember that the *real* TCP/UDP/ICMP header is only in the first frag. So if your monitoring tool looks at a subsequent frag, it could be misinterpreting the payload as header (similar to the tool that misinterpreted an ICMP as UDP and got a port number instead of an ICMP type/code).
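The misreading described above can be shown with a few lines of packet parsing. The following is an added example, not code from the post or the list: it builds two constructed IPv4 fragments of one ICMP echo request (addresses from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24, an arbitrary IP identification value), then decodes them two ways. A naive decoder treats whatever follows the IP header as the ICMP header and reports "type 8 code 137" for the second fragment, because the payload bytes at that position happen to be 0x08 0x89. A fragment-aware decoder only reads the ICMP header when the fragment offset is zero, and a minimal reassembler recovers the real type 8 code 0 from the whole datagram.

```python
import struct

# Documentation addresses (constructed sample data, not from the thread)
SRC = bytes([192, 0, 2, 1])
DST = bytes([198, 51, 100, 2])
IPPROTO_ICMP = 1


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over data that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, ident: int, more_frags: bool, offset_units: int,
               proto: int = IPPROTO_ICMP) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload. Offset is in 8-byte units."""
    flags_frag = ((1 if more_frags else 0) << 13) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, SRC, DST)
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Pull out the fields a monitoring tool needs to reason about fragments."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "ident": ident,
        "mf": bool(flags_frag & 0x2000),          # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,      # byte offset of this fragment's payload
        "payload": pkt[ihl:total_len],
    }


def naive_icmp_type_code(pkt: bytes):
    """The mistake: assume the bytes after the IP header are always an ICMP header."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_ICMP or len(ip["payload"]) < 2:
        return None
    return ip["payload"][0], ip["payload"][1]


def fragment_aware_icmp_type_code(pkt: bytes):
    """Only the first fragment (offset 0) carries the ICMP header; refuse to decode the rest."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_ICMP or ip["offset"] != 0 or len(ip["payload"]) < 8:
        return None
    return ip["payload"][0], ip["payload"][1]


def reassemble(frags) -> bytes:
    """Stitch fragments of one datagram back together; refuse gaps, overlaps and missing pieces."""
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    if parsed[0]["offset"] != 0 or parsed[-1]["mf"]:
        return None  # first or last fragment missing (the case the post wonders about)
    if len({p["ident"] for p in parsed}) != 1:
        return None
    out = b""
    for p in parsed:
        if p["offset"] != len(out):
            return None
        out += p["payload"]
    return out


def icmp_type_code_from_fragments(frags):
    """Decode type/code from the reassembled datagram, checking the ICMP checksum first."""
    datagram = reassemble(frags)
    if datagram is None or len(datagram) < 8 or ones_complement_checksum(datagram) != 0:
        return None
    return datagram[0], datagram[1]


# Constructed ICMP echo request: type 8, code 0, 16 bytes of data whose bytes 8-9 are 0x08 0x89 (137).
_icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"A" * 8 + b"\x08\x89" + b"B" * 6
_icmp = _icmp[:2] + struct.pack("!H", ones_complement_checksum(_icmp)) + _icmp[4:]
FIRST_FRAG = build_ipv4(_icmp[:16], 0xBEEF, True, 0)    # ICMP header + first 8 data bytes
SECOND_FRAG = build_ipv4(_icmp[16:], 0xBEEF, False, 2)  # offset 16 bytes; payload starts 0x08 0x89

if __name__ == "__main__":
    print("naive, 2nd fragment:", naive_icmp_type_code(SECOND_FRAG))                   # (8, 137)
    print("fragment-aware, 2nd fragment:", fragment_aware_icmp_type_code(SECOND_FRAG))  # None
    print("reassembled:", icmp_type_code_from_fragments([SECOND_FRAG, FIRST_FRAG]))      # (8, 0)
```

The check a defender wants from a monitoring tool is the one in `fragment_aware_icmp_type_code`: an alert naming an ICMP code that does not exist should be treated as a sign the sensor decoded a non-first fragment, and the fragment offset field is the first thing to look at. The reassembler also returns nothing when the first fragment never arrived, which is exactly the loss scenario the reply speculates about.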