Firewall Wizards mailing list archives
icmp scans
From: Neil Ratzlaff <Neil.Ratzlaff () ucop edu>
Date: Tue, 10 Nov 1998 10:54:19 -0800
I have been seeing an increase in icmp scans of our address space. This week it is type 11, type 12, and various type 3's. The most egregious part is that many of these packets are being sent to IP addresses that do not exist. I have also seen type 0, type 4, and type 8. One of the type 3 scans was concurrent with an IMAP scan (same subnet, same time) at Stanford -- I awarded them 1 point for imagination.

1. Is this trend just my site or are others seeing it as well?
2. Even if these packets made it through the firewall, I don't know what it could get them other than confirmation of an existing machine. Does anyone know anything else they could do?

I am also seeing small groups of high port connection attempts from widely varying sources over brief periods of time. Reminds me of the Navy reports, but I don't have time to do lengthy analysis. Is there anything I should do other than add this type of thing to my mental map of expected activity?

Thanks,
Neil