Security Incidents mailing list archives

ICMP type 12 packets

From: "Marcus Nelson" <reaper2100 () hotmail com>
Date: Fri, 21 Jun 2002 11:18:50 -0700

I am seeing ICMP type 12 packets being returned to my network from variouslocations across the Internet. The weird thing is that the IPs on our sideare do not seem to be active. I'm wondering if this is some strange sort ofexploit or just a misconfigured device somewhere.

ICMP Type 12 is a parameter problem. If you look at the Options field underICMP, you will see that this appears to be a SNMP packet from our box to192.168.10.2. We are running both registered and RFC 1918 addresses.

We have logged about 1400+ packets since May, when they first appeared.They are destined for 386 unique IPs in our network, across 4 subnets. Thefollowing networks are returning the ICMP packets:


217.128.205.90  France Telecom IP2000 ADSL BAS  wanadoo.fr
216.206.52.1    Outlook Technologies, Inc.
212.13.116.173  Phil Communications, Russia
209.134.172.25  ISS.NET
194.177.33.24   BCN Servicios Telematicos, Spain
193.163.87.30   Nord Data Network, Denmark
172.22.8.2      Internet Assigned Numbers Authority
172.22.2.1      Internet Assigned Numbers Authority
159.76.128.125  San Diego Gas and Electric
80.11.93.160    France Telecom, IP2000-ADSL-BAS, Wanadoo Interactive
205.226.19.193  Ipsilon Networks, Inc

Anyone seen anythign like this before?  Thoughts? Comments?

Thanks,

Marc

Here is the sample ICMP packet:

Internet Protocol, Src Addr: 172.22.2.1 (172.22.2.1), Dst Addr: x.x.x.x(x.x.x.x)

   Version: 4
   Header length: 20 bytes
   Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
       0000 00.. = Differentiated Services Codepoint: Default (0x00)
       .... ..0. = ECN-Capable Transport (ECT): 0
       .... ...0 = ECN-CE: 0
   Total Length: 68
   Identification: 0x7fba
   Flags: 0x00
       .0.. = Don't fragment: Not set
       ..0. = More fragments: Not set
   Fragment offset: 0
   Time to live: 240
   Protocol: ICMP (0x01)
   Header checksum: 0x6639 (correct)
   Source: 172.22.2.1 (172.22.2.1)
   Destination: x.x.x.x (x.x.x.x)
Internet Control Message Protocol
   Type: 12 (Parameter problem)
   Code: 0 (IP header bad)
   Checksum: 0x2fd3 (correct)
   Pointer: 20

Internet Protocol, Src Addr: x.x.x.x (x.x.x.x), Dst Addr: 192.168.10.2(192.168.10.2)

       Version: 4
       Header length: 32 bytes

Differentiated Services Field: 0x50 (DSCP 0x14: Assured Forwarding22; ECN: 0x00)0101 00.. = Differentiated Services Codepoint: AssuredForwarding 22 (0x14)

           .... ..0. = ECN-Capable Transport (ECT): 0
           .... ...0 = ECN-CE: 0
       Total Length: 1262
       Identification: 0x1ee7
       Flags: 0x00
           .0.. = Don't fragment: Not set
           ..0. = More fragments: Not set
       Fragment offset: 0
       Time to live: 43
       Protocol: UDP (0x11)
       Header checksum: 0x79b0 (correct)
       Source: x.x.x.x (x.x.x.x)
       Destination: 192.168.10.2 (192.168.10.2)
       Options: (12 bytes)

Unknown (0x3d) (option length = 226 bytes says option goes pastend of options)

   User Datagram Protocol, Src Port: 21676 (21676), Dst Port: snmp (161)
       Source port: 21676 (21676)
       Destination port: snmp (161)
       Length: 1230
       Checksum: 0x5611
   Simple Network Management Protocol




_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, managementand tracking system please see: http://aris.securityfocus.com

Current thread:

ICMP type 12 packets Marcus Nelson (Jun 21)
- Re: ICMP type 12 packets Thomas Springer (Jun 21)
- <Possible follow-ups>
- RE: ICMP type 12 packets Jim Harrison (SPG) (Jun 21)