Security Incidents mailing list archives

Re: odd ICMP Traffic - TSR scan


From: Joe Matusiewicz <joem () NIST GOV>
Date: Thu, 15 Mar 2001 11:28:56 -0500

At 05:47 PM 3/14/01, Russell Fulton wrote:
Yesterday we detected a series of ICMP TimeStamp Request to
apparently random addresses in our network.  Some addresses
were probed more than once (up to 4 times). About 120 addresses
were probed over 10 minutes, no other traffic seen from that source
address.  Most of the addresses probed were inactive.

I have written to sidinet.com and their ISP asking for an
explanation. So far I have had standard acknowledgement of receipt
from the ISP.

Anyone got any idea what this was in aid of?


I'll take a swag at it.  It could be network mapping by using TSRs instead
of pings.  TSRs also include the sender's timestamp, the time the
destination received the packet, and the time the destination host returned
the packet.  I've heard it's possible to compute the round trip time this
way although it's said to not be very accurate.  I'm not sure why they
would try to do this (some new server load balancing scheme?).  That's my
best guess...although I could be way off base.


-- Joe
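
Added example, not part of the original thread: Python that decodes the three timestamp fields described above (ICMP types 13 and 14, RFC 792), derives a round trip time from a reply, and flags a source that sends Timestamp Requests to many addresses inside a 10-minute window. The function names, thresholds, addresses and packets are all constructed for illustration.

```python
import struct
from collections import defaultdict

TS_REQUEST, TS_REPLY = 13, 14          # ICMP message types from RFC 792
DAY_MS = 86_400_000                    # fields are ms since midnight UT

def parse_timestamp_msg(icmp: bytes):
    """Decode an ICMP Timestamp Request/Reply; None for anything else."""
    if len(icmp) < 20:
        return None
    typ, _code, _cksum, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", icmp[:20])
    if typ not in (TS_REQUEST, TS_REPLY):
        return None
    return {"type": typ, "id": ident, "seq": seq,
            "originate": orig, "receive": recv, "transmit": xmit}

def round_trip_ms(reply: dict, arrival_ms: int) -> int:
    """RTT = time away from the sender minus time held inside the target."""
    total = (arrival_ms - reply["originate"]) % DAY_MS   # sender's clock
    held = (reply["transmit"] - reply["receive"]) % DAY_MS  # target's clock
    return total - held

def find_sweeps(events, window_s=600, min_targets=20):
    """events: (epoch_seconds, src_ip, dst_ip, icmp_bytes), sorted by time.
    Returns {src: distinct targets} for sources that sent Timestamp
    Requests to at least min_targets addresses within window_s."""
    seen = defaultdict(list)           # src -> [(time, dst), ...]
    flagged = {}
    for ts, src, dst, icmp in events:
        msg = parse_timestamp_msg(icmp)
        if msg is None or msg["type"] != TS_REQUEST:
            continue
        seen[src].append((ts, dst))
        recent = {d for t, d in seen[src] if ts - t <= window_s}
        if len(recent) >= min_targets:
            flagged[src] = max(flagged.get(src, 0), len(recent))
    return flagged

def make_request(seq: int, originate_ms: int) -> bytes:
    """Constructed sample packet (checksum left at 0; not verified above)."""
    return struct.pack("!BBHHHIII", TS_REQUEST, 0, 0, 0x1234, seq, originate_ms, 0, 0)

# Constructed capture: one source sends 120 requests to 100 distinct
# addresses in under 10 minutes; a second host sends a single request.
SAMPLE = [(1000 + i * 5, "192.0.2.77", f"198.51.100.{i % 100 + 1}",
           make_request(i, 41_000_000 + i * 5000)) for i in range(120)]
SAMPLE.append((1300, "192.0.2.9", "198.51.100.5", make_request(0, 41_300_000)))
SAMPLE.sort(key=lambda e: e[0])
```

Calling find_sweeps(SAMPLE) reports only the sweeping source. The round trip figure mixes two clocks only through differences taken on each clock separately, so clock offset between the hosts cancels out, but millisecond resolution limits its accuracy.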

