Security Incidents mailing list archives

Re: Unusual ICMP Traffic


From: Brett Glass <brett () lariat org>
Date: Tue, 22 Oct 2002 20:25:35 -0600

At 01:53 AM 10/22/2002, jeff () thepostmaster net wrote:

I am looking for help concerning some unusual ICMP traffic I am seeing.
Specifically, I am seeing inbound ICMP (type 38 code 37) with some unusual
data in the ICMP data field (see below).  I am seeing multiple source IPs
(outside) to multiple destination IPs (inside).  All the source IPs have
TTLs of the low 100s or in the 40 range.  This could indicate possible
spoof source from two different locations.

I have been seeing a lot of "http" type data and more recently the "reverse
connect to me" message within the ICMP data field.

Has anyone seen this type of ICMP traffic?

Paul Vixie reports that some of the traffic that was directed at the
DNS root servers during the recent DDoS attempt consisted of unusual
ICMP packets with spoofed addresses. I wonder if you're seeing the same tool
that was used in the attacks.

--Brett Glass
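As an added illustration, not part of Jeff's or Brett's messages: a small Python triage script that parses raw IPv4/ICMP packets and flags the three things Jeff describes (a type/code no RFC defines, readable text in the data field, and source TTLs falling into two clusters). The packet bytes, addresses and the suspect-string list are constructed here for the example; the set of "known" ICMP types is an assumption drawn from the IANA registry, not from the thread.

```python
import struct
from collections import Counter

# ICMP types with an IANA-registered meaning (deprecated ones included).
# Assumption: any other type, or a code no type defines, is worth a look.
# Type 38 (Domain Name Reply) takes code 0 only, so 38/37 is undefined.
KNOWN_TYPES = frozenset({0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17,
                         18, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40})
CODES = {3: range(16), 5: range(4), 11: range(2), 12: range(3)}
SUSPECT_STRINGS = (b"http", b"reverse connect")

def parse_ipv4_icmp(frame: bytes) -> dict:
    """Source, destination, TTL, ICMP type/code and data of a raw IPv4 packet."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:
        raise ValueError("not an ICMP packet")
    return {"src": ".".join(map(str, frame[12:16])),
            "dst": ".".join(map(str, frame[16:20])), "ttl": frame[8],
            "type": frame[ihl], "code": frame[ihl + 1], "data": frame[ihl + 8:]}

def classify(pkt: dict) -> list:
    """Reasons a packet matches the pattern in the post (empty = benign)."""
    reasons = []
    if pkt["type"] not in KNOWN_TYPES or pkt["code"] not in CODES.get(pkt["type"], range(1)):
        reasons.append("undefined ICMP type/code %d/%d" % (pkt["type"], pkt["code"]))
    if any(s in pkt["data"].lower() for s in SUSPECT_STRINGS):
        reasons.append("text in ICMP data field")
    return reasons

def triage(frames) -> tuple:
    """Flag suspicious packets and bucket their TTLs by tens: two separate
    clusters across many sources is the spoofing hint the post describes."""
    hits = [p for p in map(parse_ipv4_icmp, frames) if classify(p)]
    return hits, Counter(p["ttl"] // 10 * 10 for p in hits)

def build_frame(src, dst, ttl, itype, code, data) -> bytes:
    """Construct a sample IPv4/ICMP packet (checksums left zero; test input)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(data), 0, 0, ttl, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!BBHHH", itype, code, 0, 0, 0) + data

# Constructed sample capture modelled on the thread's description
SAMPLE = [
    build_frame("203.0.113.5", "192.0.2.10", 104, 38, 37, b"GET / HTTP/1.0\r\n"),
    build_frame("198.51.100.9", "192.0.2.11", 107, 38, 37, b"reverse connect to me"),
    build_frame("203.0.113.77", "192.0.2.12", 43, 38, 37, b"reverse connect to me"),
    build_frame("192.0.2.1", "192.0.2.10", 64, 8, 0, b"abcdefgh"),  # ordinary echo request
]
```

Calling `triage(SAMPLE)` returns the three type-38 packets and the TTL buckets `{100: 2, 40: 1}`; the echo request produces no reasons. On a real capture, replace `SAMPLE` with the IP-layer bytes of each packet.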


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com