ICMP Scan

From: tim logan (seclists_at_getemail.net)
Date: 03/23/04

    Date: Tue, 23 Mar 2004 10:03:39 -0600
    To: incidents@securityfocus.com
    
    

    I saw this traffic last night on an IDS system inside a firewall. Can
    somebody shed some light on it? It looks to me like the purpose is to
    determine the number of hops to the host in question. If it is, what
    would be the purpose?

    (Internal IP address changed to 1.2.3.4)

    19:05:40.869387 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202
    unreachable - need to frag (ttl 109, id 23236, len 112)
    19:05:40.869668 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202
    unreachable - need to frag (ttl 108, id 23236, len 112)
    19:05:40.869984 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202
    unreachable - need to frag (ttl 107, id 23236, len 112)
    19:05:40.870222 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202
    unreachable - need to frag (ttl 106, id 23236, len 112)
    19:05:40.870509 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202
    unreachable - need to frag (ttl 105, id 23236, len 112)

    <<<< many packets removed for brevity's sake >>>>

    19:05:40.895191 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202
    unreachable - need to frag (ttl 6, id 23236, len 112)
    19:05:40.895477 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202
    unreachable - need to frag (ttl 5, id 23236, len 112)
    19:05:40.895686 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202
    unreachable - need to frag (ttl 4, id 23236, len 112)
    19:05:40.895973 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202
    unreachable - need to frag (ttl 3, id 23236, len 112)
    19:05:40.896181 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202
    unreachable - need to frag (ttl 2, id 23236, len 112)
    19:05:40.896473 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202
    unreachable - need to frag [ttl 1] (id 23236, len 112)

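A detection check for the pattern in the post, added here as an example (it is not from the thread): it parses tcpdump lines in the same format as the capture above and flags any source that re-sends the same IP id with strictly decreasing TTLs within a short window, which is what a hop-counting sweep looks like to an IDS. The sample lines below are constructed to mirror the post, not copied from the poster's full capture.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the tcpdump format shown in the post (each record on one line).
SAMPLE = """\
19:05:40.869387 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 109, id 23236, len 112)
19:05:40.869668 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 108, id 23236, len 112)
19:05:40.869984 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 107, id 23236, len 112)
19:05:40.896473 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag [ttl 1] (id 23236, len 112)
19:06:01.000000 10.9.8.7 > 1.2.3.4: icmp: 10.9.8.7 unreachable - need to frag (ttl 64, id 4711, len 112)
"""

# tcpdump prints "(ttl N, id X, len L)" normally and "[ttl 1] (id X, len L)" when ttl is 1.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: .*?"
    r"(?:\(ttl (?P<ttl>\d+), id (?P<id>\d+), len \d+\)"
    r"|\[ttl (?P<ttl1>\d+)\] \(id (?P<id1>\d+), len \d+\))$"
)

def parse(line):
    """Return the fields we need from one tcpdump ICMP line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%H:%M:%S.%f"),
        "src": d["src"], "dst": d["dst"],
        "ttl": int(d["ttl"] or d["ttl1"]),
        "id": int(d["id"] or d["id1"]),
    }

def find_ttl_sweeps(text, min_packets=3, window=timedelta(seconds=2)):
    """Group packets by (src, dst, IP id); report groups whose TTLs strictly decrease
    inside the window, i.e. the same crafted packet sent with ttl N, N-1, ... 1."""
    groups = defaultdict(list)
    for line in text.splitlines():
        p = parse(line)
        if p:
            groups[(p["src"], p["dst"], p["id"])].append(p)
    alerts = []
    for (src, dst, ipid), pkts in groups.items():
        pkts.sort(key=lambda p: p["ts"])
        ttls = [p["ttl"] for p in pkts]
        decreasing = all(a > b for a, b in zip(ttls, ttls[1:]))
        span = pkts[-1]["ts"] - pkts[0]["ts"]
        if len(pkts) >= min_packets and decreasing and span <= window:
            alerts.append({"src": src, "dst": dst, "ip_id": ipid,
                           "packets": len(pkts), "ttl_range": (ttls[0], ttls[-1])})
    return alerts
```

Run against a real capture, the thresholds (`min_packets`, `window`) are the knobs to tune; a single lone "need to frag" from a source is normal path-MTU traffic and is deliberately not reported.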

