Firewall Wizards mailing list archives

icmp scans


From: Neil Ratzlaff <Neil.Ratzlaff () ucop edu>
Date: Tue, 10 Nov 1998 10:54:19 -0800

I have been seeing an increase in ICMP scans of our address space.  This
week it is type 11, type 12, and various type 3's.  The most egregious
part is that many of these packets are being sent to IP addresses that do
not exist.  I have also seen type 0, type 4, and type 8.  One of the type 3
scans was concurrent with an IMAP scan (same subnet, same time) at Stanford
-- I awarded them 1 point for imagination.

1.  Is this trend just my site or are others seeing it as well?
2.  Even if these packets made it through the firewall, I don't know what
it could get them other than confirmation of an existing machine.  Does
anyone know anything else they could do?

I am also seeing small groups of high port connection attempts from widely
varying sources over brief periods of time.  Reminds me of the Navy
reports, but I don't have time to do lengthy analysis.

Is there anything I should do other than add this type of thing to my
mental map of expected activity?

Thanks,
Neil
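
An added example, not part of the original message: one way to turn the observation above (ICMP of several types arriving for addresses that do not exist) into a repeatable check over firewall logs. The log format, the host inventory and the function name `find_icmp_scanners` are assumptions made for illustration, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

# ICMP types named in the message, with their standard names.
ICMP_NAMES = {0: "echo-reply", 3: "dest-unreachable", 4: "source-quench",
              8: "echo-request", 11: "time-exceeded", 12: "parameter-problem"}
# Reply and error types are only meaningful as answers to traffic a host sent.
RESPONSE_TYPES = {0, 3, 4, 11, 12}

# Constructed sample log, one packet per line: "epoch src dst icmp_type".
SAMPLE_LOG = """\
910724000 198.51.100.7 192.0.2.10 11
910724001 198.51.100.7 192.0.2.77 11
910724002 198.51.100.7 192.0.2.78 11
910724003 198.51.100.7 192.0.2.80 12
910724004 203.0.113.5 192.0.2.200 8
910724005 203.0.113.9 192.0.2.101 8
910724006 203.0.113.9 192.0.2.102 8
910724007 203.0.113.9 192.0.2.103 8
910724008 203.0.113.9 not-an-ip 8
"""
# Assumed inventory of addresses that actually have a machine behind them.
LIVE_HOSTS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.25")}

def find_icmp_scanners(log_text, live_hosts, min_dark_hits=3):
    """Report sources that sent ICMP to at least min_dark_hits unused addresses."""
    hits = defaultdict(set)  # src -> {(unused destination, icmp type)}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        try:
            src, dst_ip, t = fields[1], ipaddress.ip_address(fields[2]), int(fields[3])
        except ValueError:
            continue  # skip malformed lines rather than abort the run
        if dst_ip not in live_hosts:
            hits[src].add((dst_ip, t))
    report = {}
    for src, pairs in hits.items():
        dsts = {d for d, _ in pairs}
        seen = sorted({t for _, t in pairs})
        if len(dsts) >= min_dark_hits:
            report[src] = {
                "dark_destinations": len(dsts),
                "types": [ICMP_NAMES.get(t, f"type-{t}") for t in seen],
                # A reply/error sent to an unused address cannot answer anything.
                "response_types_seen": any(t in RESPONSE_TYPES for t in seen),
            }
    return report
```

A source flagged with `response_types_seen` set is sending reply or error messages to addresses that never originated traffic, which separates it from an ordinary echo-request sweep.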


