Security Incidents mailing list archives

Spoofed ICMP "destination unreachable" - DOS?


From: keichman () CAS ORG (Ken Eichman)
Date: Mon, 22 May 2000 16:46:52 -0400


In the past week I've seen at least 3 identical ICMP DOS attacks (?)
involving 3 different ISPs. I'm not sure if they're attempted attacks,
and if so, against my network or the ISP's.

In each incident, random and mostly unassigned IP addresses in our address
range are the listed recipients of ICMP type 3 (destination unreachable)
packets. The listed source address of the traffic has always been a router
at an ISP. We receive these packets for hours at a time at rates varying
from a few dozen to hundreds per minute. Not particularly DOS-like --
"rather mild" as one of the ISP network people put it.

Each ISP tells me the source address is spoofed. Here is a typical response:

  "Hello and thank you for notifying xxxxxxx.  Unfortunately, we are
  currently under attack at our IP address 1.2.3.4. The attacker is
  sending spoofed destination address packets. These packets are bouncing
  off of our Router at 1.2.3.4, type 3, 'unreachable', to your address
  as the destination address. We have heard from approximately 50 others
  regarding this same incident."

Here's a representative snoop of one of the packets - everything is
actual info except for the addresses. 111.111.11.111 is the ISP's router,
assumedly spoofed, and 222.222.222.2 is a local address.

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 1 arrived at 23:00:6.18
ETHER:  Packet size = 70 bytes
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 56 bytes
IP:   Identification = 0
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 251 seconds/hops
IP:   Protocol = 1 (ICMP)
IP:   Header checksum = 9ab2
IP:   Source address = 111.111.11.111, 111.111.11.111
IP:   Destination address = 222.222.222.2, 222.222.222.2
IP:   No options
IP:
ICMP:  ----- ICMP Header -----
ICMP:
ICMP:  Type = 3 (Destination unreachable)
ICMP:  Code = 1 (Bad host)
ICMP:  Checksum = ceee
ICMP:
ICMP:  [ subject header follows ]
ICMP:
ICMP:IP:   ----- IP Header -----
ICMP:IP:
ICMP:IP:   Version = 4
ICMP:IP:   Header length = 20 bytes
ICMP:IP:   Type of service = 0x00
ICMP:IP:         xxx. .... = 0 (precedence)
ICMP:IP:         ...0 .... = normal delay
ICMP:IP:         .... 0... = normal throughput
ICMP:IP:         .... .0.. = normal reliability
ICMP:IP:   Total length = 40 bytes
ICMP:IP:   Identification = 4014
ICMP:IP:   Flags = 0x0
ICMP:IP:         .0.. .... = may fragment
ICMP:IP:         ..0. .... = last fragment
ICMP:IP:   Fragment offset = 0 bytes
ICMP:IP:   Time to live = 26 seconds/hops
ICMP:IP:   Protocol = 6 (TCP)
ICMP:IP:   Header checksum = 3aef
ICMP:IP:   Source address = 222.222.222.2, 222.222.222.2
ICMP:IP:   Destination address = 333.333.33.333, 333.333.33.333
ICMP:IP:   No options
ICMP:IP:
IP:

My questions: Is this a DOS? Against our network? Against the ISP? If it
isn't a DOS, what's the point? Is the address 333.333.33.333 in the snoop
capture also spoofed or could it possibly indicate the actual source?

Thanks
Ken

ps. Two of the ISPs are well-known, one was involved in a recent
security incident; demon.net isn't one of them.
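An ICMP destination-unreachable message quotes the IP header and the first 8 bytes of the datagram the router could not deliver (RFC 792), which is what snoop prints above as the "subject header": the quoted destination is the address that datagram was sent to, and the quoted source is whatever the sender put in it. The 8 payload bytes, which snoop did not decode, also carry the TCP source and destination ports. The following is an added example, not part of Ken's post or of snoop: it builds a packet with the same layout as the capture (56-byte ICMP type 3 code 1 carrying the header of a 40-byte TCP datagram), decodes it, and classifies it as backscatter when the quoted source is an address in our range that could not have sent the traffic. The addresses, ports and sequence number are constructed from RFC 5737 documentation ranges standing in for the sanitized ones in the capture; the `assigned` host list is an assumption the caller supplies.

```python
"""Decode ICMP type 3 backscatter and recover the datagram the router could not deliver.

Added example, not from the original post. Addresses are RFC 5737 documentation
ranges standing in for the sanitized ones in the capture.
"""
import ipaddress
import struct

IP_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 4: "fragmentation needed", 5: "source route failed"}


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a header/message with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int, ident: int = 0) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_unreachable(router: str, victim: str, target: str, sport: int, dport: int, seq: int) -> bytes:
    """What a router emits when a SYN forged with `victim` as source cannot reach `target`.

    Layout mirrors the capture: 56 bytes of IP/ICMP type 3 code 1 quoting the 20-byte IP
    header plus first 8 bytes of a 40-byte TCP datagram (20 IP + 20 TCP, no options).
    """
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)  # constructed SYN
    inner = ipv4_header(victim, target, 6, len(tcp), ttl=26, ident=4014) + tcp
    quoted = inner[:28]                               # RFC 792: inner IP header + 8 payload bytes
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + quoted  # type 3, code 1, checksum placeholder, unused
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, victim, 1, len(icmp), ttl=251) + icmp


def parse_unreachable(pkt: bytes) -> dict:
    """Return the outer header fields and the quoted (undeliverable) datagram's header fields."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4 ICMP packet")
    icmp = pkt[(ver_ihl & 0x0F) * 4:total_len]
    if checksum(icmp) != 0:
        raise ValueError("ICMP checksum mismatch")
    if icmp[0] != 3:
        raise ValueError("ICMP type %d is not destination unreachable" % icmp[0])
    quoted = icmp[8:]
    q_ver_ihl, _, q_len, q_id, _, q_ttl, q_proto, _, q_src, q_dst = struct.unpack(IP_FMT, quoted[:20])
    info = {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "total_len": total_len,
        "code": UNREACH_CODES.get(icmp[1], "code %d" % icmp[1]),
        # The quoted header is the datagram the router could not deliver, as the router saw it.
        "quoted_src": str(ipaddress.IPv4Address(q_src)), "quoted_dst": str(ipaddress.IPv4Address(q_dst)),
        "quoted_proto": q_proto, "quoted_len": q_len, "quoted_id": q_id, "quoted_ttl": q_ttl,
    }
    payload = quoted[(q_ver_ihl & 0x0F) * 4:][:8]
    if q_proto in (6, 17) and len(payload) >= 4:      # TCP/UDP: the 8 quoted bytes hold both ports
        info["quoted_sport"], info["quoted_dport"] = struct.unpack("!HH", payload[:4])
    return info


def classify(info: dict, our_net: str, assigned: set) -> str:
    """Decide whether an ICMP error is backscatter from traffic forged with one of our addresses."""
    net = ipaddress.ip_network(our_net)
    q_src = ipaddress.ip_address(info["quoted_src"])
    q_dst = ipaddress.ip_address(info["quoted_dst"])
    if info["quoted_src"] != info["dst"]:
        return "unexpected: ICMP error is not addressed to the quoted source"
    if q_src in net and q_dst not in net:
        if info["quoted_src"] not in assigned:
            return ("backscatter: %s is unassigned here, so the datagram %s -> %s was forged "
                    "and %s is where the forged traffic was aimed"
                    % (info["quoted_src"], info["quoted_src"], info["quoted_dst"], info["quoted_dst"]))
        return ("possible backscatter: check whether %s really sent protocol %d to %s"
                % (info["quoted_src"], info["quoted_proto"], info["quoted_dst"]))
    return "ordinary ICMP error"


if __name__ == "__main__":
    pkt = build_unreachable("192.0.2.1", "203.0.113.2", "198.51.100.7", 1234, 80, 0x1000)
    info = parse_unreachable(pkt)
    for key, value in info.items():
        print("%-13s %s" % (key, value))
    print(classify(info, "203.0.113.0/24", {"203.0.113.10"}))
```

Run against a real capture, the same decoder would be fed the raw bytes snoop saved rather than `build_unreachable`'s constructed packet. Two caveats a practitioner should keep in mind: the quoted TTL is the datagram's TTL when it reached the router, not when it left the sender, so it only bounds the distance from sender to router; and the quoted source tells you what address the sender claimed, which is why the check for an unassigned address is the strongest evidence of forgery.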