Security Incidents mailing list archives

spoofed ICMP 3/1's - what is the tool or goal here?


From: Glenn Forbes Fleming Larratt <glratt () IO COM>
Date: Fri, 5 Jan 2001 23:22:48 -0600

We're seeing increasing numbers of the traffic represented below - a
large amount of ICMP 3/1's, spoofed as being from a router port in a
major tier 1 or 2, all across our network.

I'm particularly curious about the groups of 119. "my.net" below is, of
course, our class B, which is subnetted at 8 bits; in every instance where
119 (sometimes 118) packets are sent at once, the target is on an
unallocated subnet, to which traceroutes would !X out - but not all
unallocated subnets generate the large slew of packets.

Has anyone else seen this? Is this a threat? Any info gratefully received.

        -g

--
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
glratt () io com                        http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.

---------- Forwarded message ----------
Jan  5 01:04:46 icmp BAD.GUY.NET.NODE -> my.net.76.19 (3/1), 119 packets
Jan  5 01:05:00 icmp BAD.GUY.NET.NODE -> my.net.92.8 (3/1), 1 packet
Jan  5 01:05:09 icmp BAD.GUY.NET.NODE -> my.net.185.13 (3/1), 1 packet
Jan  5 01:05:11 icmp BAD.GUY.NET.NODE -> my.net.150.55 (3/1), 1 packet
Jan  5 01:05:21 icmp BAD.GUY.NET.NODE -> my.net.82.13 (3/1), 1 packet
Jan  5 01:05:33 icmp BAD.GUY.NET.NODE -> my.net.229.60 (3/1), 1 packet
Jan  5 01:06:00 icmp BAD.GUY.NET.NODE -> my.net.37.20 (3/1), 1 packet
Jan  5 01:06:02 icmp BAD.GUY.NET.NODE -> my.net.149.87 (3/1), 1 packet
Jan  5 01:06:19 icmp BAD.GUY.NET.NODE -> my.net.148.93 (3/1), 1 packet
Jan  5 01:06:27 icmp BAD.GUY.NET.NODE -> my.net.110.125 (3/1), 1 packet
Jan  5 01:06:33 icmp BAD.GUY.NET.NODE -> my.net.122.92 (3/1), 1 packet
Jan  5 01:06:36 icmp BAD.GUY.NET.NODE -> my.net.152.51 (3/1), 1 packet
Jan  5 01:07:34 icmp BAD.GUY.NET.NODE -> my.net.207.94 (3/1), 1 packet
Jan  5 01:07:50 icmp BAD.GUY.NET.NODE -> my.net.136.125 (3/1), 119 packets
Jan  5 01:07:54 icmp BAD.GUY.NET.NODE -> my.net.248.14 (3/1), 1 packet
Jan  5 01:07:56 icmp BAD.GUY.NET.NODE -> my.net.246.107 (3/1), 1 packet
Jan  5 01:08:01 icmp BAD.GUY.NET.NODE -> my.net.11.85 (3/1), 119 packets
Jan  5 01:08:07 icmp BAD.GUY.NET.NODE -> my.net.79.4 (3/1), 119 packets
Jan  5 01:08:15 icmp BAD.GUY.NET.NODE -> my.net.133.39 (3/1), 1 packet
Jan  5 01:08:32 icmp BAD.GUY.NET.NODE -> my.net.202.96 (3/1), 1 packet
Jan  5 01:08:36 icmp BAD.GUY.NET.NODE -> my.net.139.109 (3/1), 119 packets
Jan  5 01:08:38 icmp BAD.GUY.NET.NODE -> my.net.184.46 (3/1), 119 packets
Jan  5 01:08:47 icmp BAD.GUY.NET.NODE -> my.net.92.49 (3/1), 1 packet
Jan  5 01:09:10 icmp BAD.GUY.NET.NODE -> my.net.95.104 (3/1), 1 packet
Jan  5 01:09:19 icmp BAD.GUY.NET.NODE -> my.net.163.31 (3/1), 1 packet
Jan  5 01:09:34 icmp BAD.GUY.NET.NODE -> my.net.77.70 (3/1), 1 packet
Jan  5 01:09:38 icmp BAD.GUY.NET.NODE -> my.net.89.103 (3/1), 1 packet
Jan  5 01:09:42 icmp BAD.GUY.NET.NODE -> my.net.233.85 (3/1), 119 packets
Jan  5 01:09:43 icmp BAD.GUY.NET.NODE -> my.net.214.121 (3/1), 119 packets
Jan  5 01:09:54 icmp BAD.GUY.NET.NODE -> my.net.23.41 (3/1), 1 packet
Jan  5 01:09:55 icmp BAD.GUY.NET.NODE -> my.net.206.88 (3/1), 119 packets
Jan  5 01:10:03 icmp BAD.GUY.NET.NODE -> my.net.58.102 (3/1), 119 packets
Jan  5 01:10:18 icmp BAD.GUY.NET.NODE -> my.net.236.115 (3/1), 119 packets
Jan  5 01:10:30 icmp BAD.GUY.NET.NODE -> my.net.95.10 (3/1), 1 packet
Jan  5 01:10:35 icmp BAD.GUY.NET.NODE -> my.net.180.37 (3/1), 1 packet
Jan  5 01:10:59 icmp BAD.GUY.NET.NODE -> my.net.36.13 (3/1), 1 packet
Jan  5 01:11:01 icmp BAD.GUY.NET.NODE -> my.net.160.109 (3/1), 1 packet
Jan  5 01:11:10 icmp BAD.GUY.NET.NODE -> my.net.38.22 (3/1), 1 packet
Jan  5 01:11:21 icmp BAD.GUY.NET.NODE -> my.net.17.90 (3/1), 1 packet
Jan  5 01:11:33 icmp BAD.GUY.NET.NODE -> my.net.243.19 (3/1), 1 packet
Jan  5 01:11:39 icmp BAD.GUY.NET.NODE -> my.net.209.71 (3/1), 119 packets
Jan  5 01:11:41 icmp BAD.GUY.NET.NODE -> my.net.60.96 (3/1), 1 packet
Jan  5 01:11:43 icmp BAD.GUY.NET.NODE -> my.net.56.99 (3/1), 1 packet
Jan  5 01:11:44 icmp BAD.GUY.NET.NODE -> my.net.189.48 (3/1), 1 packet
Jan  5 01:11:49 icmp BAD.GUY.NET.NODE -> my.net.53.47 (3/1), 1 packet
Jan  5 01:12:01 icmp BAD.GUY.NET.NODE -> my.net.123.52 (3/1), 1 packet
Jan  5 01:12:21 icmp BAD.GUY.NET.NODE -> my.net.247.86 (3/1), 1 packet
Jan  5 01:12:50 icmp BAD.GUY.NET.NODE -> my.net.45.93 (3/1), 1 packet
Jan  5 01:12:58 icmp BAD.GUY.NET.NODE -> my.net.63.121 (3/1), 119 packets
Jan  5 01:13:10 icmp BAD.GUY.NET.NODE -> my.net.165.83 (3/1), 1 packet
Jan  5 01:13:21 icmp BAD.GUY.NET.NODE -> my.net.12.105 (3/1), 1 packet
Jan  5 01:13:29 icmp BAD.GUY.NET.NODE -> my.net.work.41 (3/1), 1 packet
Jan  5 01:13:32 icmp BAD.GUY.NET.NODE -> my.net.76.27 (3/1), 119 packets
Jan  5 01:13:34 icmp BAD.GUY.NET.NODE -> my.net.69.74 (3/1), 1 packet
Jan  5 01:13:39 icmp BAD.GUY.NET.NODE -> my.net.93.106 (3/1), 1 packet
Jan  5 01:13:40 icmp BAD.GUY.NET.NODE -> my.net.209.45 (3/1), 119 packets
Jan  5 01:13:44 icmp BAD.GUY.NET.NODE -> my.net.127.32 (3/1), 1 packet
Jan  5 01:13:50 icmp BAD.GUY.NET.NODE -> my.net.0.39 (3/1), 1 packet
Jan  5 01:14:08 icmp BAD.GUY.NET.NODE -> my.net.121.51 (3/1), 1 packet
Jan  5 01:14:21 icmp BAD.GUY.NET.NODE -> my.net.113.42 (3/1), 1 packet
Jan  5 01:14:28 icmp BAD.GUY.NET.NODE -> my.net.7.18 (3/1), 1 packet
Jan  5 01:14:38 icmp BAD.GUY.NET.NODE -> my.net.197.59 (3/1), 119 packets
Jan  5 01:14:41 icmp BAD.GUY.NET.NODE -> my.net.63.20 (3/1), 1 packet
Jan  5 01:14:45 icmp BAD.GUY.NET.NODE -> my.net.244.58 (3/1), 119 packets
Jan  5 01:14:47 icmp BAD.GUY.NET.NODE -> my.net.143.28 (3/1), 1 packet
Jan  5 01:14:55 icmp BAD.GUY.NET.NODE -> my.net.35.52 (3/1), 1 packet
Jan  5 01:14:58 icmp BAD.GUY.NET.NODE -> my.net.89.103 (3/1), 119 packets
Jan  5 08:08:01 icmp BAD.GUY.NET.NODE -> my.net.218.77 (3/1), 1 packet
Jan  5 08:08:19 icmp BAD.GUY.NET.NODE -> my.net.115.121 (3/1), 1 packet
Jan  5 08:08:25 icmp BAD.GUY.NET.NODE -> my.net.230.30 (3/1), 1 packet
Jan  5 08:08:38 icmp BAD.GUY.NET.NODE -> my.net.27.1 (3/1), 1 packet
Jan  5 08:08:39 icmp BAD.GUY.NET.NODE -> my.net.2.55 (3/1), 1 packet
Jan  5 08:08:47 icmp BAD.GUY.NET.NODE -> my.net.73.74 (3/1), 1 packet
Jan  5 08:09:08 icmp BAD.GUY.NET.NODE -> my.net.110.114 (3/1), 1 packet
Jan  5 08:09:39 icmp BAD.GUY.NET.NODE -> my.net.107.79 (3/1), 1 packet
Jan  5 08:09:40 icmp BAD.GUY.NET.NODE -> my.net.69.4 (3/1), 119 packets
Jan  5 08:09:45 icmp BAD.GUY.NET.NODE -> my.net.80.95 (3/1), 119 packets
Jan  5 08:09:49 icmp BAD.GUY.NET.NODE -> my.net.0.71 (3/1), 1 packet
Jan  5 08:09:53 icmp BAD.GUY.NET.NODE -> my.net.242.54 (3/1), 119 packets
Jan  5 08:09:54 icmp BAD.GUY.NET.NODE -> my.net.157.0 (3/1), 1 packet
Jan  5 08:09:55 icmp BAD.GUY.NET.NODE -> my.net.1.127 (3/1), 1 packet
Jan  5 08:09:58 icmp BAD.GUY.NET.NODE -> my.net.0.11 (3/1), 1 packet
Jan  5 08:10:38 icmp BAD.GUY.NET.NODE -> my.net.88.102 (3/1), 119 packets
Jan  5 08:10:41 icmp BAD.GUY.NET.NODE -> my.net.240.94 (3/1), 1 packet
Jan  5 08:10:50 icmp BAD.GUY.NET.NODE -> my.net.13.17 (3/1), 1 packet
Jan  5 08:11:01 icmp BAD.GUY.NET.NODE -> my.net.95.124 (3/1), 119 packets
Jan  5 08:11:10 icmp BAD.GUY.NET.NODE -> my.net.171.125 (3/1), 119 packets
Jan  5 08:11:11 icmp BAD.GUY.NET.NODE -> my.net.242.116 (3/1), 119 packets
Jan  5 08:11:31 icmp BAD.GUY.NET.NODE -> my.net.37.113 (3/1), 1 packet
Jan  5 08:11:32 icmp BAD.GUY.NET.NODE -> my.net.135.40 (3/1), 1 packet
Jan  5 08:11:33 icmp BAD.GUY.NET.NODE -> my.net.23.13 (3/1), 1 packet
Jan  5 08:11:42 icmp BAD.GUY.NET.NODE -> my.net.111.38 (3/1), 119 packets
Jan  5 08:12:04 icmp BAD.GUY.NET.NODE -> my.net.58.106 (3/1), 1 packet
Jan  5 08:12:07 icmp BAD.GUY.NET.NODE -> my.net.226.66 (3/1), 1 packet
Jan  5 08:12:40 icmp BAD.GUY.NET.NODE -> my.net.45.65 (3/1), 1 packet
Jan  5 08:12:41 icmp BAD.GUY.NET.NODE -> my.net.173.41 (3/1), 1 packet
Jan  5 08:12:51 icmp BAD.GUY.NET.NODE -> my.net.20.91 (3/1), 1 packet
Jan  5 08:12:59 icmp BAD.GUY.NET.NODE -> my.net.151.76 (3/1), 1 packet
Jan  5 08:13:01 icmp BAD.GUY.NET.NODE -> my.net.218.2 (3/1), 1 packet
Jan  5 08:13:10 icmp BAD.GUY.NET.NODE -> my.net.254.40 (3/1), 119 packets
Jan  5 08:13:33 icmp BAD.GUY.NET.NODE -> my.net.83.113 (3/1), 1 packet
Jan  5 08:13:44 icmp BAD.GUY.NET.NODE -> my.net.243.10 (3/1), 1 packet
Jan  5 08:13:46 icmp BAD.GUY.NET.NODE -> my.net.95.68 (3/1), 119 packets
Jan  5 08:13:48 icmp BAD.GUY.NET.NODE -> my.net.205.87 (3/1), 119 packets
Jan  5 08:13:55 icmp BAD.GUY.NET.NODE -> my.net.73.30 (3/1), 1 packet
Jan  5 08:14:00 icmp BAD.GUY.NET.NODE -> my.net.212.60 (3/1), 119 packets
Jan  5 08:14:10 icmp BAD.GUY.NET.NODE -> my.net.52.75 (3/1), 1 packet
Jan  5 08:14:12 icmp BAD.GUY.NET.NODE -> my.net.28.89 (3/1), 119 packets
Jan  5 08:14:20 icmp BAD.GUY.NET.NODE -> my.net.144.45 (3/1), 119 packets
Jan  5 08:14:37 icmp BAD.GUY.NET.NODE -> my.net.34.123 (3/1), 1 packet
Jan  5 08:14:48 icmp BAD.GUY.NET.NODE -> my.net.118.61 (3/1), 119 packets
Jan  5 08:14:53 icmp BAD.GUY.NET.NODE -> my.net.202.40 (3/1), 1 packet
Jan  5 08:14:55 icmp BAD.GUY.NET.NODE -> my.net.93.16 (3/1), 119 packets
Jan  5 08:15:10 icmp BAD.GUY.NET.NODE -> my.net.220.86 (3/1), 1 packet
Jan  5 08:15:14 icmp BAD.GUY.NET.NODE -> my.net.249.34 (3/1), 1 packet
Jan  5 08:15:37 icmp BAD.GUY.NET.NODE -> my.net.89.50 (3/1), 1 packet
Jan  5 08:15:43 icmp BAD.GUY.NET.NODE -> my.net.197.74 (3/1), 119 packets
Jan  5 08:15:45 icmp BAD.GUY.NET.NODE -> my.net.183.72 (3/1), 1 packet
Jan  5 08:15:47 icmp BAD.GUY.NET.NODE -> my.net.46.50 (3/1), 1 packet
Jan  5 08:15:51 icmp BAD.GUY.NET.NODE -> my.net.213.43 (3/1), 119 packets
Jan  5 08:15:53 icmp BAD.GUY.NET.NODE -> my.net.121.77 (3/1), 1 packet
Jan  5 08:57:51 icmp BAD.GUY.NET.NODE -> my.net.196.57 (3/1), 119 packets
Jan  5 08:58:29 icmp BAD.GUY.NET.NODE -> my.net.80.6 (3/1), 119 packets
Jan  5 08:58:36 icmp BAD.GUY.NET.NODE -> my.net.117.11 (3/1), 1 packet
Jan  5 08:58:50 icmp BAD.GUY.NET.NODE -> my.net.71.61 (3/1), 1 packet
Jan  5 08:59:43 icmp BAD.GUY.NET.NODE -> my.net.127.71 (3/1), 119 packets
Jan  5 08:59:45 icmp BAD.GUY.NET.NODE -> my.net.190.47 (3/1), 1 packet
Jan  5 08:59:52 icmp BAD.GUY.NET.NODE -> my.net.240.80 (3/1), 119 packets
Jan  5 09:00:08 icmp BAD.GUY.NET.NODE -> my.net.136.120 (3/1), 119 packets
Jan  5 09:00:22 icmp BAD.GUY.NET.NODE -> my.net.242.77 (3/1), 119 packets
Jan  5 09:01:11 icmp BAD.GUY.NET.NODE -> my.net.92.70 (3/1), 1 packet
Jan  5 09:01:12 icmp BAD.GUY.NET.NODE -> my.net.188.116 (3/1), 1 packet
Jan  5 09:01:35 icmp BAD.GUY.NET.NODE -> my.net.11.108 (3/1), 1 packet
Jan  5 09:01:55 icmp BAD.GUY.NET.NODE -> my.net.76.4 (3/1), 1 packet
Jan  5 09:01:56 icmp BAD.GUY.NET.NODE -> my.net.151.126 (3/1), 119 packets
Jan  5 09:02:19 icmp BAD.GUY.NET.NODE -> my.net.118.123 (3/1), 1 packet
Jan  5 09:02:26 icmp BAD.GUY.NET.NODE -> my.net.50.87 (3/1), 1 packet
Jan  5 09:02:27 icmp BAD.GUY.NET.NODE -> my.net.68.8 (3/1), 1 packet
Jan  5 09:02:33 icmp BAD.GUY.NET.NODE -> my.net.71.126 (3/1), 1 packet
Jan  5 09:02:34 icmp BAD.GUY.NET.NODE -> my.net.52.112 (3/1), 1 packet
Jan  5 09:02:50 icmp BAD.GUY.NET.NODE -> my.net.67.2 (3/1), 1 packet
Jan  5 09:03:14 icmp BAD.GUY.NET.NODE -> my.net.55.92 (3/1), 1 packet
Jan  5 09:03:29 icmp BAD.GUY.NET.NODE -> my.net.7.101 (3/1), 1 packet
Jan  5 09:03:53 icmp BAD.GUY.NET.NODE -> my.net.119.24 (3/1), 1 packet
Jan  5 09:04:01 icmp BAD.GUY.NET.NODE -> my.net.75.120 (3/1), 1 packet
Jan  5 09:04:02 icmp BAD.GUY.NET.NODE -> my.net.230.24 (3/1), 1 packet
Jan  5 09:04:14 icmp BAD.GUY.NET.NODE -> my.net.60.103 (3/1), 1 packet
Jan  5 09:04:40 icmp BAD.GUY.NET.NODE -> my.net.0.110 (3/1), 1 packet
Jan  5 09:04:42 icmp BAD.GUY.NET.NODE -> my.net.12.117 (3/1), 1 packet
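
An added triage sketch (not part of the original post): it parses summary lines in the format of the forwarded log above and tallies burst versus single-packet events per 8-bit subnet, so the 118/119-packet groups can be checked against the list of allocated subnets. The `ALLOCATED` set is a hypothetical placeholder to be replaced with the real allocation list; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict
# Lines copied from the forwarded log above; the allocation list is an assumption.
SAMPLE = """\
Jan  5 01:04:46 icmp BAD.GUY.NET.NODE -> my.net.76.19 (3/1), 119 packets
Jan  5 01:05:00 icmp BAD.GUY.NET.NODE -> my.net.92.8 (3/1), 1 packet
Jan  5 01:09:38 icmp BAD.GUY.NET.NODE -> my.net.89.103 (3/1), 1 packet
Jan  5 01:13:29 icmp BAD.GUY.NET.NODE -> my.net.work.41 (3/1), 1 packet
Jan  5 01:13:32 icmp BAD.GUY.NET.NODE -> my.net.76.27 (3/1), 119 packets
Jan  5 01:14:58 icmp BAD.GUY.NET.NODE -> my.net.89.103 (3/1), 119 packets
"""
ALLOCATED = {92}          # hypothetical: third-octet values of subnets in use
BURST_SIZES = {118, 119}  # burst sizes reported in the post

LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8} icmp (\S+) -> my\.net\.(\d{1,3})\.(\d{1,3}) "
    r"\((\d+)/(\d+)\), (\d+) packets?$")

def parse(text):
    """Return (records, unparsed); each record is (subnet, host, packet_count)."""
    records, unparsed = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(line)
        # Keep only ICMP type 3 code 1 with valid octets; report everything else.
        if m and (m[4], m[5]) == ("3", "1") and int(m[2]) < 256 and int(m[3]) < 256:
            records.append((int(m[2]), int(m[3]), int(m[6])))
        else:
            unparsed.append(line)
    return records, unparsed

def triage(records, allocated=ALLOCATED):
    """Per subnet: burst and single-packet event counts plus allocation state."""
    out = defaultdict(lambda: {"bursts": 0, "singles": 0, "other": 0})
    for subnet, _host, count in records:
        kind = "bursts" if count in BURST_SIZES else "singles" if count == 1 else "other"
        out[subnet][kind] += 1
    return {s: dict(v, allocated=s in allocated) for s, v in sorted(out.items())}

def bursts_on_allocated(summary):
    """Subnets contradicting the observation that bursts only hit unallocated space."""
    return [s for s, v in summary.items() if v["bursts"] and v["allocated"]]

if __name__ == "__main__":
    records, unparsed = parse(SAMPLE)
    summary = triage(records)
    for subnet, row in summary.items():
        print(f"my.net.{subnet}.0/24 {row}")
    print("bursts on allocated subnets:", bursts_on_allocated(summary))
    print("unparsed:", unparsed)
```

Lines whose address does not parse, such as the `my.net.work.41` entry, are returned separately rather than silently dropped.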

