Security Incidents mailing list archives

Re: ICMP time exceed in-transit packets


From: Tim.White () CI AUSTIN TX US (White, Tim)
Date: Fri, 31 Dec 1999 18:35:06 -0600


I am getting these destined for networks behind my firewall (application
gateway), which does not pass ANY ICMP, in or out.  They are also destined
for 24 bit network addresses (i.e. 172.16.12.0).  What is really odd about
these is that they are slowly covering my entire class B at early morning
hours.  They are sourced from about 20 routers covering a broad area.

I reviewed my IDS logs on my internet connection, and no stimulus exists
(i.e. no outbound traceroute).

I find this one a bit odd.

-----Original Message-----
From: Rob Quinn [SMTP:rquinn () SEC SPRINT NET]
Sent: Thursday, December 30, 1999 12:31 PM
To:   INCIDENTS () SECURITYFOCUS COM
Subject:      Re: ICMP time exceed in-transit packets

22:32:06.344676 210.207.190.33 > sanitized.84.0: icmp: time exceeded in-transit

 You get these back from tracerouting, or when a packet takes too many hops,
usually due to a routing loop. 210.207.190.33 is a cisco.
 An older version of some popular software (Nuke Nabber?) identifies these
packets as an attack, causing us to receive tons of semi-automated complaints
about our backbone routers.

--
| Opinions are _mine_, facts                                     Rob Quinn |
| are facts.                                                 (703)689-6582 |
|                                                 rquinn () sec sprint net |
|                                                Sprint Corporate Security |
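
The check described in the thread above (time-exceeded errors with no outbound stimulus, aimed at .0 network addresses, arriving from many routers) can be run over a text capture. This is an added example, not part of the original thread; the sample lines, the 172.16. inside prefix and the function name are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump text format (not data from the thread).
SAMPLE = """\
02:10:01.000100 172.16.5.20.33000 > 203.0.113.9.33434: udp 12
02:10:01.050200 192.0.2.1 > 172.16.5.20: icmp: time exceeded in-transit
03:14:07.100000 198.51.100.7 > 172.16.12.0: icmp: time exceeded in-transit
03:14:09.200000 198.51.100.8 > 172.16.13.0: icmp: time exceeded in-transit
03:15:30.300000 192.0.2.44 > 172.16.14.0: icmp: time exceeded in-transit
"""

# ICMP error line: timestamp, router address, inside destination address.
TIME_EXCEEDED = re.compile(
    r"^\S+ (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): "
    r"icmp: time exceeded in-transit$")
# TCP/UDP line: addresses carry a trailing .port, so five dotted numbers.
OUTBOUND = re.compile(
    r"^\S+ (\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.\d+: ")

def unsolicited_time_exceeded(capture, inside_prefix="172.16."):
    """Summarise time-exceeded errors sent to inside addresses that were
    never seen sending a packet outbound earlier in the capture."""
    senders = set()              # inside hosts that emitted a possible stimulus
    routers = set()              # sources of unsolicited errors
    targets = defaultdict(int)   # inside destination -> unsolicited error count
    for line in capture.splitlines():
        out = OUTBOUND.match(line)
        if out and out.group(1).startswith(inside_prefix):
            senders.add(out.group(1))
            continue
        err = TIME_EXCEEDED.match(line)
        if not err:
            continue
        router, dest = err.groups()
        if dest.startswith(inside_prefix) and dest not in senders:
            routers.add(router)
            targets[dest] += 1
    return {
        "routers": sorted(routers),
        "targets": dict(targets),
        # Destinations that are 24-bit network addresses, as in the report.
        "network_addrs": sorted(t for t in targets if t.endswith(".0")),
    }

if __name__ == "__main__":
    print(unsolicited_time_exceeded(SAMPLE))
```

Behind an address-translating or proxying gateway, the stimulus would carry the gateway's outside address, so the capture point determines which sender addresses can be matched.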

