Firewall Wizards mailing list archives

Re: icmp scans


From: Adam Shostack <adam () homeport org>
Date: Wed, 11 Nov 1998 09:22:03 -0500

A fellow named Anthony Osborne published a paper in AUUG'98 on
fingerprinting systems by their response to ICMP packets.  (Various
systems return more or less of the packet, and I think he found other
things.)  This may be what's happening to you.  I don't have a copy of
the paper; if someone has a URL, I'd appreciate it.

Adam


On Tue, Nov 10, 1998 at 10:54:19AM -0800, Neil Ratzlaff wrote:
| I have been seeing an increase in ICMP scans of our address space.  This
| week it is type 11, type 12, and various type 3's.  The most egregious
| part is that many of these packets are being sent to IP addresses that do
| not exist.  I have also seen type 0, type 4, and type 8.  One of the type 3
| scans was concurrent with an IMAP scan (same subnet, same time) at Stanford
| -- I awarded them 1 point for imagination.
| 
| 1.  Is this trend just my site or are others seeing it as well?
| 2.  Even if these packets made it through the firewall, I don't know what
| it could get them other than confirmation of an existing machine.  Does
| anyone know anything else they could do?
| 
| I am also seeing small groups of high port connection attempts from widely
| varying sources over brief periods of time.  Reminds me of the Navy
| reports, but I don't have time to do lengthy analysis.
| 
| Is there anything I should do other than add this type of thing to my
| mental map of expected activity?
| 
| Thanks,
| Neil

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
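
Added example, not part of either message: one way to tally the traffic Neil describes from firewall logs, reporting sources that send ICMP to several addresses with no host behind them. The log format, host inventory, addresses and the `min_targets` threshold are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# ICMP types mentioned in the post, with their RFC 792 names.
ICMP_NAMES = {0: "echo-reply", 3: "dest-unreachable", 4: "source-quench",
              8: "echo-request", 11: "time-exceeded", 12: "parameter-problem"}
# Replies and error reports: an address with no host behind it cannot have
# sent the traffic these claim to answer, so they are unsolicited there.
REPLY_OR_ERROR = {0, 3, 4, 11, 12}

# Constructed inventory and log lines (documentation address ranges).
LIVE_HOSTS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.25")}
SAMPLE_LOG = """\
10:01:02 ICMP src=198.51.100.7 dst=192.0.2.10 type=8
10:01:03 ICMP src=198.51.100.7 dst=192.0.2.77 type=11
10:01:03 ICMP src=198.51.100.7 dst=192.0.2.78 type=12
10:01:04 ICMP src=198.51.100.7 dst=192.0.2.79 type=3
10:07:30 ICMP src=203.0.113.5 dst=192.0.2.25 type=0
10:07:31 ICMP src=203.0.113.5 dst=192.0.2.200 type=3
"""

def parse(line):
    """Split one 'time ICMP key=value ...' line into (src, dst, icmp_type)."""
    fields = dict(f.split("=", 1) for f in line.split()[2:])
    return (ipaddress.ip_address(fields["src"]),
            ipaddress.ip_address(fields["dst"]), int(fields["type"]))

def summarize(log, live_hosts, min_targets=2):
    """Report sources sending ICMP to at least min_targets nonexistent hosts."""
    dead, types, unsolicited = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in filter(None, map(str.strip, log.splitlines())):
        src, dst, icmp_type = parse(line)
        if dst in live_hosts:
            continue  # a real host may have solicited this; needs flow state
        dead[src].add(dst)
        types[src].add(ICMP_NAMES.get(icmp_type, f"type-{icmp_type}"))
        unsolicited[src] += icmp_type in REPLY_OR_ERROR
    return {str(s): {"dead_targets": len(d), "types": sorted(types[s]),
                     "unsolicited": unsolicited[s]}
            for s, d in dead.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG, LIVE_HOSTS).items():
        print(src, info)
```

ICMP addressed to live hosts is skipped here because judging it requires knowing what those hosts sent first, which this log format does not record.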



