Security Incidents mailing list archives

RE: ICMP Scan


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 23 Mar 2004 10:15:09 -0800

  I don't have traffic captures, but something certainly seems 
to have been loading some of the Internet backbones starting
about 4pm (PST) yesterday and tapering off around 8:30am (PST)
this morning.  The Witty worm, perhaps?

Dave Gillett


-----Original Message-----
From: tim logan [mailto:seclists () getemail net]
Sent: Tuesday, March 23, 2004 8:04 AM
To: incidents () securityfocus com
Subject: ICMP Scan


I saw this traffic last night on an IDS system inside a firewall.  Can
somebody shed some light on it?  It looks to me like the purpose is to
determine the number of hops to the host in question.  If it is, what
would be the purpose?

(Internal IP address changed to 1.2.3.4)

19:05:40.869387 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 109, id 23236, len 112)
19:05:40.869668 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 108, id 23236, len 112)
19:05:40.869984 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 107, id 23236, len 112)
19:05:40.870222 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 106, id 23236, len 112)
19:05:40.870509 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 105, id 23236, len 112)

<<<< many packets removed for brevity's sake >>>>

19:05:40.895191 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 6, id 23236, len 112)
19:05:40.895477 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 5, id 23236, len 112)
19:05:40.895686 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 4, id 23236, len 112)
19:05:40.895973 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 3, id 23236, len 112)
19:05:40.896181 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 2, id 23236, len 112)
19:05:40.896473 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag [ttl 1] (id 23236, len 112)
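
The following is an added example, not part of either message in this thread: a small script that reads lines in the capture format quoted above, groups packets by source, destination and IP id, and reports any group whose TTL strictly decreases, which is the pattern visible in the capture. The function names and the `min_packets` threshold are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Sample input: six lines from the capture in the post (unwrapped), plus one
# constructed unrelated packet (192.0.2.7) that must not be flagged.
SAMPLE = """\
19:05:40.869387 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 109, id 23236, len 112)
19:05:40.869668 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 108, id 23236, len 112)
19:05:40.869984 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 107, id 23236, len 112)
19:05:40.870100 192.0.2.7 > 1.2.3.4: icmp: echo request (ttl 52, id 4411, len 84)
19:05:40.895973 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 3, id 23236, len 112)
19:05:40.896181 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 2, id 23236, len 112)
19:05:40.896473 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag [ttl 1] (id 23236, len 112)
"""

HEAD = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>[^:\s]+): icmp: ")
TTL = re.compile(r"\bttl (\d+)")   # matches both "(ttl 109," and "[ttl 1]"
IPID = re.compile(r"\bid (\d+)")


def parse(text):
    """Yield (src, dst, ip_id, ttl) for each ICMP line that carries all fields."""
    for line in text.splitlines():
        head, ttl, ipid = HEAD.match(line), TTL.search(line), IPID.search(line)
        if head and ttl and ipid:
            yield head["src"], head["dst"], int(ipid.group(1)), int(ttl.group(1))


def ttl_sweeps(text, min_packets=3):
    """Return groups sharing (src, dst, IP id) whose TTL strictly decreases."""
    groups = defaultdict(list)
    for src, dst, ip_id, ttl in parse(text):
        groups[(src, dst, ip_id)].append(ttl)
    hits = []
    for (src, dst, ip_id), ttls in groups.items():
        falling = all(a > b for a, b in zip(ttls, ttls[1:]))
        if len(ttls) >= min_packets and falling:
            hits.append({"src": src, "dst": dst, "id": ip_id, "packets": len(ttls),
                         "ttl_first": ttls[0], "ttl_last": ttls[-1]})
    return hits


if __name__ == "__main__":
    for hit in ttl_sweeps(SAMPLE):
        print(hit)
```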

