Security Incidents mailing list archives
Re: Unusual ICMP Traffic
From: Brett Glass <brett () lariat org>
Date: Tue, 22 Oct 2002 20:25:35 -0600
At 01:53 AM 10/22/2002, jeff () thepostmaster net wrote:
I am looking for help concerning some unusual ICMP traffic I am seeing. Specifically, I am seeing inbound ICMP (type 38 code 37) with some unusual data in the ICMP data field (see below). I am seeing multiple source IPs (outside) to multiple destination IPs (inside). All the source IPs have TTLs in the low 100s or in the 40 range. This could indicate possible spoofed sources from two different locations. I have been seeing a lot of "http" type data and more recently the "reverse connect to me" message within the ICMP data field. Has anyone seen this type of ICMP traffic?
Paul Vixie reports that some of the traffic that was directed at the DNS root servers during the recent DDoS attempt consisted of unusual ICMP packets with spoofed addresses. I wonder if you're seeing the same tool that was used in the attacks.

--Brett Glass

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
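An added triage script, written for this page rather than taken from the thread, that does on constructed packets what jeff's post describes: it parses raw IPv4/ICMP datagrams, flags the deprecated type 38 / code 37 messages carrying the "reverse connect to me" and "http" strings the thread mentions, and buckets the TTLs of the flagged packets so that many apparent sources collapsing into a couple of bands (the low-100s and 40s jeff reports) stands out as a spoofing indicator. The expected-type set, the addresses and the payloads are assumptions.

```python
import struct
from collections import Counter

# ICMP types a border network normally sees; anything else deserves a look (assumption)
EXPECTED_ICMP_TYPES = {0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14}
# Payload strings the thread reports inside the ICMP data field
SUSPICIOUS_MARKERS = (b"reverse connect to me", b"http")

def build_icmp_packet(src, dst, ttl, icmp_type, code, payload):
    """Constructed sample: minimal IPv4 header + 8-byte ICMP header + data (checksums left zero)."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, ttl, 1, 0, ip_src, ip_dst)
    return ip_hdr + struct.pack("!BBHI", icmp_type, code, 0, 0) + payload

def parse_packet(raw):
    """Extract the fields the thread cares about from a raw IPv4/ICMP datagram."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 1:  # IP protocol 1 is ICMP; skip anything else
        return None
    icmp = raw[ihl:]
    return {"src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
            "ttl": raw[8], "type": icmp[0], "code": icmp[1], "data": icmp[8:]}

def flag_packet(pkt):
    """Return the reasons this packet looks like the traffic jeff describes (empty = benign)."""
    reasons = []
    if pkt["type"] not in EXPECTED_ICMP_TYPES:
        reasons.append(f"unexpected ICMP type {pkt['type']}/{pkt['code']}")
    for marker in SUSPICIOUS_MARKERS:
        if marker in pkt["data"].lower():
            reasons.append(f"payload contains {marker.decode()!r}")
    return reasons

def ttl_clusters(pkts, width=16):
    """Bucket TTLs: many 'sources' collapsing into a few tight bands suggests few real origins."""
    return Counter(p["ttl"] // width * width for p in pkts)

def analyze(raw_packets):
    parsed = (p for p in map(parse_packet, raw_packets) if p)
    flagged = [dict(p, reasons=r) for p in parsed if (r := flag_packet(p))]
    return flagged, ttl_clusters(flagged)

SAMPLE_PACKETS = [  # constructed to mirror the thread; documentation-range addresses only
    build_icmp_packet("198.51.100.7", "192.0.2.10", 104, 38, 37, b"reverse connect to me"),
    build_icmp_packet("203.0.113.9", "192.0.2.11", 41, 38, 37, b"GET / HTTP/1.0\r\n"),
    build_icmp_packet("203.0.113.44", "192.0.2.12", 43, 38, 37, b"reverse connect to me"),
    build_icmp_packet("198.51.100.3", "192.0.2.10", 64, 8, 0, b"ordinary ping"),
]
```

Calling analyze(SAMPLE_PACKETS) returns the three type 38/37 packets with their reasons and the TTL histogram {96: 1, 32: 2}; the ordinary echo request is not reported.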