Security Incidents mailing list archives

Weird traceroutes


From: don () MAINFRAME DGRC CRC CA (Donald McLachlan)
Date: Wed, 26 Apr 2000 09:33:08 -0400


I've been seeing weird packets with counting TTLs, so they look like
weird traceroutes.  I'm seeing these "traceroutes" from many different source
IP addresses done with many different types of packets.  Here are some
examples.

ICMP timex:  (our old friend ... timex to X.Y.Z.0)

12:41:06.336853 XX.XX.XX.253 > YY.YY.YY.0: icmp: time exceeded in-transit (ttl 117, id 62522)
12:41:06.336968 XX.XX.XX.253 > YY.YY.YY.0: icmp: time exceeded in-transit (ttl 116, id 62522)
15:06:21.790314 XX.XX.XX.253 > YY.YY.YY.0: icmp: time exceeded in-transit [ttl 1] (id 34148)

ICMP unreachables:

01:51:50.142014 XX.XX.XX.249 > YY.YY.YY.41: icmp: host ZZ.ZZ.ZZ.168 unreachable - admin prohibited filter (ttl 246, id 35632)
01:51:50.142145 XX.XX.XX.249 > YY.YY.YY.41: icmp: host ZZ.ZZ.ZZ.168 unreachable - admin prohibited filter (ttl 245, id 35632)
01:51:50.142274 XX.XX.XX.249 > YY.YY.YY.41: icmp: host ZZ.ZZ.ZZ.168 unreachable - admin prohibited filter (ttl 244, id 35632)

ICMP source quench:

02:10:22.187357 XX.XX.XX.1 > YY.YY.YY.95: icmp: source quench (ttl 242, id 638)
02:10:22.187504 XX.XX.XX.1 > YY.YY.YY.95: icmp: source quench (ttl 241, id 638)
02:10:22.187598 XX.XX.XX.1 > YY.YY.YY.95: icmp: source quench (ttl 240, id 638)

TCP syn requests:

00:57:37.702192 XX.XX.XX.56.1779 > YY.YY.YY.62.524: S 471221605:471221605(0) win 8192  (DF) (ttl 113, id 13808)
00:57:37.711427 XX.XX.XX.56.1779 > YY.YY.YY.62.524: S 471221605:471221605(0) win 8192  (DF) [ttl 1] (id 13808)

TCP resets:

00:06:26.491507 XX.XX.XX.130.45160 > YY.YY.YY.84.26021: R 0:0(0) ack 2944713217 win 0 (ttl 219, id 44880)
00:06:26.491583 XX.XX.XX.130.45160 > YY.YY.YY.84.26021: R 0:0(0) ack 1 win 0 (ttl 218, id 44880)
00:06:26.513741 XX.XX.XX.130.45160 > YY.YY.YY.84.26021: R 0:0(0) ack 1 win 0 [ttl 1] (id 44880)

UDP requests to various ports:

00:39:54.985696 XX.XX.XX.248.32768 > YY.YY.YY.4.53: 723+ (37) (DF) [ttl 1] (id 39475)
00:39:54.959031 XX.XX.XX.248.32768 > YY.YY.YY.4.53: 723+ (37) (DF) (ttl 239, id 39475)

00:36:16.718526 XX.XX.XX.162.138 > YY.YY.YY.1.138: udp 174 [ttl 1] (id 40048)
00:54:54.506477 XX.XX.XX.162.138 > YY.YY.YY.1.138: udp 174 (ttl 117, id 61832)


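The "counting TTL" pattern described in the post can be picked out of a capture mechanically: the packets in each example share a source, a destination and an IP ID while the TTL steps by one from packet to packet. The script below is an added example, not code from the post or its author. It assumes the classic one-line tcpdump format shown above (including the `[ttl 1] (id N)` form tcpdump uses when the TTL is 1), constructs its own sample lines modelled on the post's (the XX/YY/ZZ placeholder octets are kept), groups packets by (source, destination, IP ID) and flags groups whose TTL changes monotonically in time order. It generalises slightly beyond the post by also reporting increasing runs, the shape an ordinary traceroute leaves, alongside the decreasing runs shown here; the protocol label is a heuristic read off the flag field.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the post's tcpdump output (not the
# original capture; XX/YY/ZZ are placeholder octets as in the post).
SAMPLE_LINES = [
    "01:51:50.142014 XX.XX.XX.249 > YY.YY.YY.41: icmp: host ZZ.ZZ.ZZ.168 unreachable - admin prohibited filter (ttl 246, id 35632)",
    "01:51:50.142145 XX.XX.XX.249 > YY.YY.YY.41: icmp: host ZZ.ZZ.ZZ.168 unreachable - admin prohibited filter (ttl 245, id 35632)",
    "01:51:50.142274 XX.XX.XX.249 > YY.YY.YY.41: icmp: host ZZ.ZZ.ZZ.168 unreachable - admin prohibited filter (ttl 244, id 35632)",
    "00:06:26.491507 XX.XX.XX.130.45160 > YY.YY.YY.84.26021: R 0:0(0) ack 2944713217 win 0 (ttl 219, id 44880)",
    "00:06:26.491583 XX.XX.XX.130.45160 > YY.YY.YY.84.26021: R 0:0(0) ack 1 win 0 (ttl 218, id 44880)",
    "00:06:26.513741 XX.XX.XX.130.45160 > YY.YY.YY.84.26021: R 0:0(0) ack 1 win 0 [ttl 1] (id 44880)",
    # Deliberately out of time order, as in the post's DNS example.
    "00:39:54.985696 XX.XX.XX.248.32768 > YY.YY.YY.4.53: 723+ (37) (DF) [ttl 1] (id 39475)",
    "00:39:54.959031 XX.XX.XX.248.32768 > YY.YY.YY.4.53: 723+ (37) (DF) (ttl 239, id 39475)",
    # Ordinary traffic: constant TTL, IP ID changes per packet -> must not be flagged.
    "02:00:00.000001 XX.XX.XX.7.40000 > YY.YY.YY.9.80: S 1:1(0) win 8192 (DF) (ttl 64, id 100)",
    "02:00:00.000002 XX.XX.XX.7.40000 > YY.YY.YY.9.80: . ack 1 win 8192 (DF) (ttl 64, id 101)",
]

HEADER_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\S+) > (\S+): (.*)$")
# Classic tcpdump prints "(ttl N, id M)", except when the TTL is 1,
# where it prints "[ttl 1] (id M)" instead.
TTL_ID_RE = re.compile(r"\(ttl (\d+), id (\d+)\)")
TTL1_ID_RE = re.compile(r"\[ttl (\d+)\] \(id (\d+)\)")


def strip_port(endpoint):
    """Drop the trailing port from tcpdump's 'a.b.c.d.port' notation.

    An IPv4 address has four dot-separated fields, so a fifth field is a port.
    """
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint


def classify(rest):
    """Heuristic protocol guess from the text after 'src > dst:'."""
    if rest.startswith("icmp:"):
        return "icmp"
    if re.match(r"^[SRFP.]+ ", rest):  # TCP flag field, e.g. 'S ', 'R ', '. '
        return "tcp"
    return "udp"


def parse_line(line):
    """Return a dict with ts/src/dst/proto/ttl/id, or None if the line does not parse."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, rest = m.groups()
    t = TTL_ID_RE.search(rest) or TTL1_ID_RE.search(rest)
    if not t:
        return None
    return {
        "ts": ts,
        "src": strip_port(src),
        "dst": strip_port(dst),
        "proto": classify(rest),
        "ttl": int(t.group(1)),
        "id": int(t.group(2)),
    }


def find_counting_ttl(lines, min_packets=2):
    """Flag (src, dst, IP ID) groups whose TTL changes monotonically over time."""
    groups = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None:
            groups[(pkt["src"], pkt["dst"], pkt["id"])].append(pkt)

    hits = []
    for (src, dst, ip_id), pkts in groups.items():
        # Sort by timestamp: neither capture files nor the post are always in order.
        pkts.sort(key=lambda p: p["ts"])
        ttls = [p["ttl"] for p in pkts]
        if len(ttls) < min_packets:
            continue
        steps = list(zip(ttls, ttls[1:]))
        if all(a > b for a, b in steps):
            direction = "decreasing"
        elif all(a < b for a, b in steps):
            direction = "increasing"
        else:
            continue
        hits.append({
            "src": src, "dst": dst, "id": ip_id, "proto": pkts[0]["proto"],
            "ttls": ttls, "direction": direction, "reached_ttl_1": 1 in ttls,
        })
    return hits


if __name__ == "__main__":
    for h in find_counting_ttl(SAMPLE_LINES):
        print(f"{h['proto']:4} {h['src']} -> {h['dst']} id={h['id']} "
              f"ttl {h['direction']}: {h['ttls']}")
```

Grouping on the IP ID is what separates these runs from ordinary traffic: a normal sender increments the ID per datagram, so a constant ID across packets with a stepping TTL is the distinguishing feature, whatever the protocol carried on top. Feed `find_counting_ttl` the lines of a real `tcpdump -v` capture in place of `SAMPLE_LINES` to scan for the same pattern.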