Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: ICMP type 12 packets

From: "Jim Harrison (SPG)" <jmharr () microsoft com>
Date: Fri, 21 Jun 2002 13:40:40 -0700
Most interesting to me is the 172.22 subnets, since they're not
routable.
Your (or your ISP's) router ACLs should stop that garbage.

* Jim Harrison 
MCP(2K), A+, Network+
Services Platform Division

The burden of proof is not satisfied by a lack of evidence to the
contrary..



-----Original Message-----
From: Marcus Nelson [mailto:reaper2100 () hotmail com] 
Sent: Friday, June 21, 2002 11:19 AM
To: incidents () securityfocus com
Subject: ICMP type 12 packets


I am seeing ICMP type 12 packets being returned to my network from
various 
locations across the Internet.  The weird thing is that the IPs on our
side 
are do not seem to be active.  I'm wondering if this is some strange
sort of 
exploit or just a misconfigured device somewhere.

ICMP Type 12 is a parameter problem.  If you look at the Options field
under 
ICMP, you will see that this appears to be a SNMP packet from our box to

192.168.10.2.  We are running both registered and RFC 1918 addresses.

We have logged about 1400+ packets since May, when they first appeared.

They are destined for 386 unique IPs in our network, across 4 subnets.
The 
following networks are returning the ICMP packets:

217.128.205.90  France Telecom IP2000 ADSL BAS  wanadoo.fr
216.206.52.1    Outlook Technologies, Inc.
212.13.116.173  Phil Communications, Russia
209.134.172.25  ISS.NET
194.177.33.24   BCN Servicios Telematicos, Spain
193.163.87.30   Nord Data Network, Denmark
172.22.8.2      Internet Assigned Numbers Authority
172.22.2.1      Internet Assigned Numbers Authority
159.76.128.125  San Diego Gas and Electric
80.11.93.160    France Telecom, IP2000-ADSL-BAS, Wanadoo Interactive
205.226.19.193  Ipsilon Networks, Inc

Anyone seen anythign like this before?  Thoughts? Comments?

Thanks,

Marc

Here is the sample ICMP packet:

Internet Protocol, Src Addr: 172.22.2.1 (172.22.2.1), Dst Addr: x.x.x.x 
(x.x.x.x)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 68
    Identification: 0x7fba
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 240
    Protocol: ICMP (0x01)
    Header checksum: 0x6639 (correct)
    Source: 172.22.2.1 (172.22.2.1)
    Destination: x.x.x.x (x.x.x.x)
Internet Control Message Protocol
    Type: 12 (Parameter problem)
    Code: 0 (IP header bad)
    Checksum: 0x2fd3 (correct)
    Pointer: 20
    Internet Protocol, Src Addr: x.x.x.x (x.x.x.x), Dst Addr:
192.168.10.2 
(192.168.10.2)
        Version: 4
        Header length: 32 bytes
        Differentiated Services Field: 0x50 (DSCP 0x14: Assured
Forwarding 
22; ECN: 0x00)
            0101 00.. = Differentiated Services Codepoint: Assured 
Forwarding 22 (0x14)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 1262
        Identification: 0x1ee7
        Flags: 0x00
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 43
        Protocol: UDP (0x11)
        Header checksum: 0x79b0 (correct)
        Source: x.x.x.x (x.x.x.x)
        Destination: 192.168.10.2 (192.168.10.2)
        Options: (12 bytes)
            Unknown (0x3d) (option length = 226 bytes says option goes
past 
end of options)
    User Datagram Protocol, Src Port: 21676 (21676), Dst Port: snmp
(161)
        Source port: 21676 (21676)
        Destination port: snmp (161)
        Length: 1230
        Checksum: 0x5611
    Simple Network Management Protocol




_________________________________________________________________
Get your FREE download of MSN Explorer at
http://explorer.msn.com/intl.asp.


------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: