Firewall Wizards mailing list archives
Re: icmp scans
From: Adam Shostack <adam () homeport org>
Date: Wed, 11 Nov 1998 09:22:03 -0500
A fellow named Anthony Osborne published a paper in AUUG'98 on fingerprinting systems by their response to ICMP packets. (Various systems return more or less of the packet, and I think he found other things.) This may be what's happening to you.

I don't have a copy of the paper, if someone has a URL, I'd appreciate it.

Adam

On Tue, Nov 10, 1998 at 10:54:19AM -0800, Neil Ratzlaff wrote:
| I have been seeing an increase in icmp scans of our address space. This
| week it is type 11, type 12, and various type 3's. The most egregious
| part is that many of these packets are being sent to IP addresses that do
| not exist. I have also seen type 0, type 4, and type 8. One of the type 3
| scans was concurrent with an IMAP scan (same subnet, same time) at Stanford
| -- I awarded them 1 point for imagination.
|
| 1. Is this trend just my site or are others seeing it as well?
| 2. Even if these packets made it through the firewall, I don't know what
| it could get them other than confirmation of an existing machine. Does
| anyone know anything else they could do?
|
| I am also seeing small groups of high port connection attempts from widely
| varying sources over brief periods of time. Reminds me of the Navy
| reports, but I don't have time to do lengthy analysis.
|
| Is there anything I should do other than add this type of thing to my
| mental map of expected activity?
|
| Thanks,
| Neil

--
"It is seldom that liberty of any kind is lost all at once."
-Hume
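An added example, not part of either poster's message: one way to pull the pattern described in the quoted report (ICMP of the listed types arriving for addresses that do not exist) out of firewall logs. The log format, the addresses, the host inventory and the function name `find_dark_icmp` are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# ICMP types named in the thread; 8 is a request, the rest are replies or errors.
ICMP_NAMES = {0: "echo-reply", 3: "dest-unreachable", 4: "source-quench",
              8: "echo-request", 11: "time-exceeded", 12: "parameter-problem"}

# Constructed sample log (assumed format: time src dst icmp_type icmp_code).
SAMPLE_LOG = """\
1998-11-10T10:01:02 198.51.100.7 192.0.2.10 11 0
1998-11-10T10:01:02 198.51.100.7 192.0.2.77 11 0
1998-11-10T10:01:03 198.51.100.7 192.0.2.78 12 0
1998-11-10T10:01:03 198.51.100.7 192.0.2.79 3 3
1998-11-10T10:02:10 203.0.113.5 192.0.2.10 8 0
1998-11-10T10:02:11 203.0.113.9 192.0.2.200 0 0
not a log line
"""

LIVE_HOSTS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}  # constructed inventory


def find_dark_icmp(log_text, live_hosts, min_targets=2):
    """Return {source: {"targets": n, "types": [names]}} for sources that sent
    ICMP to at least min_targets addresses with no host behind them."""
    seen = defaultdict(lambda: {"targets": set(), "types": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        try:
            src, dst = ip_address(fields[1]), ip_address(fields[2])
            icmp_type = int(fields[3])
        except ValueError:
            continue
        if dst in live_hosts:
            continue  # a real host may have legitimately triggered this
        entry = seen[str(src)]
        entry["targets"].add(dst)
        entry["types"].add(ICMP_NAMES.get(icmp_type, f"type-{icmp_type}"))
    return {src: {"targets": len(e["targets"]), "types": sorted(e["types"])}
            for src, e in seen.items() if len(e["targets"]) >= min_targets}


if __name__ == "__main__":
    for src, info in find_dark_icmp(SAMPLE_LOG, LIVE_HOSTS).items():
        print(src, info)
```
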