Security Incidents mailing list archives
Re: ICMP_TIME_EXCEEDED to network address?
From: "Juergen P. Meier" <jpm () class de>
Date: Thu, 25 Jan 2001 08:16:59 +0100
On Wed, Jan 24, 2001 at 05:41:04PM +0100, Ralf G. R. Bergs wrote:
> On Wed, 24 Jan 2001 16:59:41 +0100, Ulrich Eckhardt wrote:
>> But they arrive too slow for a DoS attack.
>
> Maybe it's some sort of a scan, too? I'm not a TCP/IP guru, so please forgive me if I'm talking nonsense, but I *think* some hosts additionally reply to packets sent to the network address (i.e. to aaa.bbb.ccc.0 instead of aaa.bbb.ccc.ddd with ddd != 0 and ddd != 255) (much the same as to packets sent to the broadcast address which would probably be more appropriate to address several hosts at once.) So in this case they might reply to the "Time exceeded" message (with what?) and thus indicate there's a machine running that particular IP?
>
> Just guessing,
> Ralf

Please read RFC 1519 (available at http://www.ietf.org/rfc/rfc1519.txt) and understand that xxx.xxx.xxx.0 is _NOT_ necessarily a network address. It could as well be a host address (of a router).

Try to traceroute it and see how many hops you get to this address; if it's near 64 then it's absolutely normal.

regards,
Juergen

--
Juergen P. Meier email: jpm () class de
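
The CIDR point made in the reply above, as an added example that is not part of the original message: whether a destination ending in .0 or .255 is a network, broadcast or ordinary host address depends on the prefix it falls in, not on its last octet. The prefix table and the log line format below are constructed for illustration and are assumptions, not data from the thread.

```python
import ipaddress

# Constructed table of prefixes the site routes (assumption, documentation ranges).
LOCAL_PREFIXES = [
    ipaddress.ip_network("10.1.2.0/23"),
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.8/31"),
]

# Constructed log lines in a made-up "key=value" format (assumption).
SAMPLE_LOG = """\
icmp type=11 src=203.0.113.7 dst=10.1.3.0
icmp type=11 src=203.0.113.7 dst=10.1.2.0
icmp type=11 src=203.0.113.9 dst=192.0.2.0
icmp type=11 src=203.0.113.9 dst=10.1.2.255
icmp type=11 src=203.0.113.9 dst=10.1.3.255
icmp type=11 src=203.0.113.9 dst=198.51.100.8
icmp type=11 src=203.0.113.9 dst=172.16.5.0
"""

def role(addr, prefixes=LOCAL_PREFIXES):
    """Return 'network', 'broadcast', 'host' or 'unknown' for addr."""
    ip = ipaddress.ip_address(addr)
    # Longest-prefix match, the way a router selects a route.
    matches = [n for n in prefixes if ip in n]
    if not matches:
        return "unknown"
    net = max(matches, key=lambda n: n.prefixlen)
    if net.prefixlen >= 31:
        return "host"  # /31 (RFC 3021) and /32 have no network/broadcast address
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"

def classify_log(text=SAMPLE_LOG):
    """Map each ICMP type 11 (time exceeded) destination to its role."""
    result = {}
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if fields.get("type") == "11" and "dst" in fields:
            result[fields["dst"]] = role(fields["dst"])
    return result

if __name__ == "__main__":
    for dst, r in classify_log().items():
        print(f"{dst:15} {r}")
```

Only destinations reported as `network` or `broadcast` match the concern raised in the quoted question; `10.1.3.0` and `10.1.2.255` are ordinary host addresses inside the /23.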