Security Incidents mailing list archives

IDS246 Large ICMP Packet

From: Andre Kajita - Administrador da Rede <admin () CAMARASJC SP GOV BR>
Date: Thu, 16 Nov 2000 14:15:55 -0200

Greets,

I've finally got around to making a parser for my firewall's snort log
and I've picked up one very intresting (and disturbing) event:

[**] IDS246 - MISC - Large ICMP Packet [**]
11/13-12:53:37.296852 32.96.212.11 -> 200.210.111.132
ICMP TTL:247 TOS:0x0 ID:10257  DF
ID:48282   Seq:61662  ECHO

There are over 62 of these alerts in a week's logfile, all of them
with the same ID and Seq (not to mention they are all from the same
origin, 32.96.212.11).

I've had these type of alerts for the past few weeks and didn't give
any importance to them until today when I read that a ICMP packets can
be used to admin a box (in *nix you'd say "root a box", in NT I guess
it's "admin a box") on a Brazilian Portuguese Windows NT 4.0 (SP5).

Is anyone else being hit by this machine?  I ran an NMAP on it and
it's apparently some kind of proxy but these ICMP warnings are really
annoying me!

Thanks,
Andre Kajita.
--
Andre Kajita - Administrador da Rede <admin () camarasjc sp gov br>
Camara Municipal de Sao Jose dos Campos - SP
http://www.camarasjc.sp.gov.br

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Current thread:

IDS246 Large ICMP Packet Andre Kajita - Administrador da Rede (Nov 17)
- Re: IDS246 Large ICMP Packet Jan Muenther (Nov 18)
- Re: IDS246 Large ICMP Packet Valdis Kletnieks (Nov 18)
- <Possible follow-ups>
- Re: IDS246 Large ICMP Packet Bevan, Graham (Nov 18)