Security Incidents mailing list archives

Re: traceroute ICMP packets


From: larry_canup () RAC RAY COM (Larry Canup)
Date: Tue, 18 Jan 2000 17:07:01 -0000


We see this a lot.  It concerned me greatly, at first.

What is likely happening is that you are having latency scans being done on behalf of sites that you have visited. The 
site was part of a large ISP or organization that has multiple points of entry to the Internet.  To tune their 
networks, they do network latency tests.  Director products such as 3DNS will basically determine that someone from 
your address space has visited.  From then on, they perform latency tests periodically to determine the best route back 
to you.

If it concerns you, you can trace them down and ask them to exclude you from the latency tests.  Some cooperate....  
Some don't.

LarryC



Greetings.  Recently I have noticed a great deal of activity similar to this as well from a number of sources.  Here's 
some snips from my PIX log.  Anyone have ideas what they may be trying to accomplish?  (Identify routers?)  What makes me 
nervous is that they somehow found the address to my internal interface and this is where they are focusing their 
efforts.

Jan  3 03:12:57 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33474
Jan  3 03:12:59 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33469
Jan  3 03:13:02 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33475
Jan  3 03:13:04 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33470
Jan  3 03:13:07 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33476
Jan  3 03:13:09 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33471

Here's some of the addresses constantly banging away at us.

198.170.164.3, 206.86.106.3, 212.36.169.97, 193.173.76.2, 195.54.95.3, 168.143.224.18, 195.8.99.162, 194.133.52.3, 
212.23.226.3, 212.121.130.40, 193.127.46.2, 193.65.199.3, 203.79.87.3 - and there's plenty more where that came from if 
anyone is interested.

Again - if anyone has any insight as to what may be going on please let me know.  Thank you all for your time.

-Matthew

Hello,

My Linux box has recently logged some traceroute ICMP packets. Of course,
I did not traceroute these hosts. (Packets from hosts between my
computer and the source IPs are missing as well.)

Do you have any idea what this can be?

Here are the (ipchains) logs:
(x.y.u.v is the IP address of myhost)

Jan  3 15:29:54 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1
        167.216.136.2:11 x.y.u.v:0 L=56 S=0xC0 I=21545 F=0x0000 T=247
Jan  3 15:30:07 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1
        212.59.199.41:11 x.y.u.v:0 L=56 S=0x00 I=3106 F=0x0000 T=237
Jan  3 15:30:16 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1
        212.59.199.41:11 x.y.u.v:0 L=56 S=0x00 I=3124 F=0x0000 T=237
Jan  3 15:30:23 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1
        167.216.136.2:11 x.y.u.v:0 L=56 S=0xC0 I=21986 F=0x0000 T=247
... (more packets from these hosts with similar delays between them)

Laszlo
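Added example, not part of the thread: a small Python parser that runs over the PIX lines Matthew posted and flags the pattern Larry attributes to latency probing, namely a fixed UDP source port per sender with destination ports stepping upward one at a time from the classic traceroute range starting at 33434. The trailing DNS deny line is constructed to show a non-match; the 100-port window and the three-probe minimum are assumptions.

```python
import re
from collections import defaultdict

# Regex for the PIX "Deny inbound UDP" message shape seen in the post.
PIX_UDP_DENY = re.compile(
    r"Deny inbound UDP from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\w.]+)/(?P<dport>\d+)"
)

# Classic UNIX traceroute walks UDP destination ports upward from 33434,
# one port per probe, while keeping one source port for the whole run.
TRACEROUTE_BASE_PORT = 33434
TRACEROUTE_MAX_PORT = TRACEROUTE_BASE_PORT + 100  # assumed window of hop probes

def parse_pix_udp_denies(lines):
    """Return (src, sport, dport) tuples for every matching PIX deny line."""
    hits = []
    for line in lines:
        m = PIX_UDP_DENY.search(line)
        if m:
            hits.append((m["src"], int(m["sport"]), int(m["dport"])))
    return hits

def find_traceroute_trains(lines, min_probes=3):
    """Group denies by (source IP, source port) and report groups whose
    destination ports form a strictly increasing run inside the traceroute
    port window. Returns {src: (first_dport, last_dport, probe_count)}."""
    by_flow = defaultdict(list)
    for src, sport, dport in parse_pix_udp_denies(lines):
        if TRACEROUTE_BASE_PORT <= dport <= TRACEROUTE_MAX_PORT:
            by_flow[(src, sport)].append(dport)
    trains = {}
    for (src, sport), dports in by_flow.items():
        if len(dports) >= min_probes and all(
            b == a + 1 for a, b in zip(dports, dports[1:])
        ):
            trains[src] = (dports[0], dports[-1], len(dports))
    return trains

# Sample input: the PIX lines quoted in the post, plus one constructed
# ordinary DNS deny (10.0.0.9) that must not be flagged.
SAMPLE_LOG = """\
Jan  3 03:12:57 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33474
Jan  3 03:12:59 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33469
Jan  3 03:13:02 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33475
Jan  3 03:13:04 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33470
Jan  3 03:13:07 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33476
Jan  3 03:13:09 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33471
Jan  3 03:13:10 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 10.0.0.9/5353 to xxx.xxx.x.x/53
""".splitlines()

if __name__ == "__main__":
    for src, (first, last, n) in find_traceroute_trains(SAMPLE_LOG).items():
        print(f"{src}: {n} traceroute-style probes, UDP ports {first}-{last}")
```

A hit here only says the traffic has the shape of a UDP traceroute; whether it is a 3DNS-style latency probe or something else still has to be settled with the owner of the source netblock, as Larry suggests.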

