RE: ICMP type 12 packets

From: Jim Harrison (SPG) (jmharr@microsoft.com)
Date: 06/21/02


Date: Fri, 21 Jun 2002 13:40:40 -0700
From: "Jim Harrison (SPG)" <jmharr@microsoft.com>
To: "Marcus Nelson" <reaper2100@hotmail.com>, <incidents@securityfocus.com>

Most interesting to me are the 172.22 subnets, since they're not routable.
Your (or your ISP's) router ACLs should stop that garbage.

* Jim Harrison
MCP(2K), A+, Network+
Services Platform Division

The burden of proof is not satisfied by a lack of evidence to the contrary.

-----Original Message-----
From: Marcus Nelson [mailto:reaper2100@hotmail.com]
Sent: Friday, June 21, 2002 11:19 AM
To: incidents@securityfocus.com
Subject: ICMP type 12 packets

I am seeing ICMP type 12 packets being returned to my network from various
locations across the Internet. The weird thing is that the IPs on our side
do not seem to be active. I'm wondering if this is some strange sort of
exploit or just a misconfigured device somewhere.

ICMP Type 12 is a parameter problem. If you look at the Options field under
ICMP, you will see that this appears to be a SNMP packet from our box to
192.168.10.2. We are running both registered and RFC 1918 addresses.

We have logged about 1400+ packets since May, when they first appeared.

They are destined for 386 unique IPs in our network, across 4 subnets. The
following networks are returning the ICMP packets:

217.128.205.90 France Telecom IP2000 ADSL BAS wanadoo.fr
216.206.52.1 Outlook Technologies, Inc.
212.13.116.173 Phil Communications, Russia
209.134.172.25 ISS.NET
194.177.33.24 BCN Servicios Telematicos, Spain
193.163.87.30 Nord Data Network, Denmark
172.22.8.2 Internet Assigned Numbers Authority
172.22.2.1 Internet Assigned Numbers Authority
159.76.128.125 San Diego Gas and Electric
80.11.93.160 France Telecom, IP2000-ADSL-BAS, Wanadoo Interactive
205.226.19.193 Ipsilon Networks, Inc

Anyone seen anything like this before? Thoughts? Comments?

Thanks,

Marc

Here is the sample ICMP packet:

Internet Protocol, Src Addr: 172.22.2.1 (172.22.2.1), Dst Addr: x.x.x.x (x.x.x.x)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 68
    Identification: 0x7fba
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 240
    Protocol: ICMP (0x01)
    Header checksum: 0x6639 (correct)
    Source: 172.22.2.1 (172.22.2.1)
    Destination: x.x.x.x (x.x.x.x)
Internet Control Message Protocol
    Type: 12 (Parameter problem)
    Code: 0 (IP header bad)
    Checksum: 0x2fd3 (correct)
    Pointer: 20
    Internet Protocol, Src Addr: x.x.x.x (x.x.x.x), Dst Addr: 192.168.10.2 (192.168.10.2)
        Version: 4
        Header length: 32 bytes
        Differentiated Services Field: 0x50 (DSCP 0x14: Assured Forwarding 22; ECN: 0x00)
            0101 00.. = Differentiated Services Codepoint: Assured Forwarding 22 (0x14)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 1262
        Identification: 0x1ee7
        Flags: 0x00
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 43
        Protocol: UDP (0x11)
        Header checksum: 0x79b0 (correct)
        Source: x.x.x.x (x.x.x.x)
        Destination: 192.168.10.2 (192.168.10.2)
        Options: (12 bytes)
            Unknown (0x3d) (option length = 226 bytes says option goes past end of options)
    User Datagram Protocol, Src Port: 21676 (21676), Dst Port: snmp (161)
        Source port: 21676 (21676)
        Destination port: snmp (161)
        Length: 1230
        Checksum: 0x5611
    Simple Network Management Protocol

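The decode below is an added example (not part of either message in this thread) that walks the packet Marc pasted: it pulls the ICMP Parameter Problem pointer, locates the quoted IP header, walks its options area the way a router does, and reports why that header was rejected. It also flags the two things Jim's reply turns on, an RFC 1918 reporter address and an RFC 1918 inner destination. The packet bytes are constructed from the field values in the dump; the masked x.x.x.x address is replaced by the documentation address 203.0.113.10, an assumption for the sake of a runnable sample.

```python
"""Decode an ICMP type 12 (Parameter Problem) report and explain it.

Added example. The sample bytes are constructed from the dump in the
post; x.x.x.x is stood in for by 203.0.113.10 (assumption)."""
import ipaddress
import struct

IP_HDR = "!BBHHHBBH4s4s"   # IPv4 header, options excluded
ICMP_HDR = "!BBHB3x"       # type, code, checksum, pointer, 3 unused bytes

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_sample() -> bytes:
    """Constructed packet: outer IP + ICMP 12/0 + the offending IP header
    (with its 12-byte options area) + the first 8 bytes of UDP, 68 bytes."""
    ours = bytes([203, 0, 113, 10])                    # stands in for x.x.x.x
    outer = struct.pack(IP_HDR, 0x45, 0x00, 68, 0x7fba, 0, 240, 1, 0x6639,
                        bytes([172, 22, 2, 1]), ours)
    icmp = struct.pack(ICMP_HDR, 12, 0, 0x2fd3, 20)   # pointer = 20
    # IHL 8 words = 32 bytes, so 12 bytes of options follow the fixed header
    inner = struct.pack(IP_HDR, 0x48, 0x50, 1262, 0x1ee7, 0, 43, 17, 0x79b0,
                        ours, bytes([192, 168, 10, 2]))
    options = bytes([0x3d, 226]) + bytes(10)          # option 0x3d claims 226 bytes
    udp = struct.pack("!HHHH", 21676, 161, 1230, 0x5611)
    return outer + icmp + inner + options + udp


def walk_options(options: bytes):
    """Walk an IPv4 options area; return a description of the first defect,
    or None if every option fits inside the area."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            return None
        if kind == 1:                      # No Operation, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            return f"option 0x{kind:02x} has no length byte"
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return (f"option 0x{kind:02x} length {length} runs past the "
                    f"{len(options)}-byte options area")
        i += length
    return None


def analyze(pkt: bytes) -> dict:
    """Return what the Parameter Problem report says about the inner packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 1:
        raise ValueError("outer packet is not ICMP")
    itype, code, _, pointer = struct.unpack(ICMP_HDR, pkt[ihl:ihl + 8])
    if itype != 12:
        raise ValueError(f"ICMP type {itype}, not Parameter Problem")
    inner = pkt[ihl + 8:]                  # the quoted (offending) IP header
    in_ihl = (inner[0] & 0x0F) * 4
    in_proto = inner[9]
    in_dst = ipaddress.IPv4Address(inner[16:20])
    dst_port = None
    if in_proto == 17 and len(inner) >= in_ihl + 4:
        dst_port = struct.unpack("!H", inner[in_ihl + 2:in_ihl + 4])[0]
    reporter = ipaddress.IPv4Address(src)
    return {
        "reporter": str(reporter),
        "reporter_is_rfc1918": any(reporter in n for n in RFC1918),
        "code": code,
        "pointer": pointer,                # byte offset into the inner header
        "pointer_in_options": 20 <= pointer < in_ihl,
        "offending_src": str(ipaddress.IPv4Address(inner[12:16])),
        "offending_dst": str(in_dst),
        "offending_dst_is_rfc1918": any(in_dst in n for n in RFC1918),
        "offending_dst_port": dst_port,
        "option_defect": walk_options(inner[20:in_ihl]),
    }


if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(f"{key:26} {value}")
```

Pointer 20 is the first byte past the fixed 20-byte header, i.e. the start of the options area, and the option walk stops on the same 226-byte length the sniffer complained about. Both the reporting source (172.22.2.1) and the inner destination (192.168.10.2) come up as RFC 1918, which is the part a border ACL should never have let through in either direction.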

------------------------------------------------------------------------

----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
