RE: ICMP Scan
From: David Gillett (gillettdavid_at_fhda.edu)
Date: 03/23/04
- Previous message: Steven Trewick: "new variant of witty worm ????"
- In reply to: tim logan: "ICMP Scan"
- Next in thread: Chris Brenton: "Re: ICMP Scan"
To: "'tim logan'" <seclists@getemail.net>, <incidents@securityfocus.com>
Date: Tue, 23 Mar 2004 10:15:09 -0800
I don't have traffic captures, but something certainly seems
to have been loading some of the Internet backbones starting
about 4pm (PST) yesterday and tapering off around 8:30am (PST)
this morning. The Witty worm, perhaps?
Dave Gillett
> -----Original Message-----
> From: tim logan [mailto:seclists@getemail.net]
> Sent: Tuesday, March 23, 2004 8:04 AM
> To: incidents@securityfocus.com
> Subject: ICMP Scan
>
>
> I saw this traffic last night on an IDS system inside a firewall. Can
> somebody shed some light on it? It looks to me like the purpose is to
> determine the number of hops to the host in question. If it is, what
> would be the purpose?
>
> (Internal IP address changed to 1.2.3.4)
>
> 19:05:40.869387 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 109, id 23236, len 112)
> 19:05:40.869668 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 108, id 23236, len 112)
> 19:05:40.869984 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 107, id 23236, len 112)
> 19:05:40.870222 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 106, id 23236, len 112)
> 19:05:40.870509 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 105, id 23236, len 112)
>
> <<<< many packets removed for brevity's sake >>>>
>
> 19:05:40.895191 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 6, id 23236, len 112)
> 19:05:40.895477 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 5, id 23236, len 112)
> 19:05:40.895686 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 4, id 23236, len 112)
> 19:05:40.895973 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 3, id 23236, len 112)
> 19:05:40.896181 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 2, id 23236, len 112)
> 19:05:40.896473 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag [ttl 1] (id 23236, len 112)
>
>
>
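The following is an added example, not written by either poster: it parses tcpdump lines in the format quoted above, groups them by source, destination and IP ID, and reports the packet count, TTL range and time span for each group. The function names are choices made for this example, and the sample input is five lines copied from the quoted capture.

```python
import re
from collections import defaultdict

# Five lines copied from the capture quoted in the post; the packets the
# poster elided are not reconstructed.
CAPTURE = """\
19:05:40.869387 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 109, id 23236, len 112)
19:05:40.869668 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 108, id 23236, len 112)
19:05:40.869984 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 107, id 23236, len 112)
19:05:40.896181 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 2, id 23236, len 112)
19:05:40.896473 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag [ttl 1] (id 23236, len 112)
"""

# The capture shows the TTL in two layouts: "(ttl N, id ..." and
# "[ttl 1] (id ...". The pattern accepts both.
LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) (?P<src>\S+) > (?P<dst>[^:\s]+): "
    r"icmp: .*?(?:\[ttl (?P<ttl_b>\d+)\] \(|\(ttl (?P<ttl_p>\d+), )"
    r"id (?P<id>\d+), len (?P<len>\d+)\)")

def parse(text):
    """Yield (seconds_since_midnight, src, dst, ip_id, ttl) per matching line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
            yield t, m["src"], m["dst"], int(m["id"]), int(m["ttl_b"] or m["ttl_p"])

def summarize(text):
    """Group packets by (src, dst, IP ID) and describe each group's TTLs."""
    groups = defaultdict(list)
    for t, src, dst, ip_id, ttl in parse(text):
        groups[(src, dst, ip_id)].append((t, ttl))
    out = {}
    for key, pkts in groups.items():
        ttls = [ttl for _, ttl in pkts]
        out[key] = {
            "packets": len(pkts),
            "ttl_first": ttls[0],
            "ttl_last": ttls[-1],
            "ttl_strictly_decreasing": all(a > b for a, b in zip(ttls, ttls[1:])),
            "span_ms": round((pkts[-1][0] - pkts[0][0]) * 1000, 3),
        }
    return out

if __name__ == "__main__":
    for key, info in summarize(CAPTURE).items():
        print(key, info)
```

Run over a full capture, the per-group summary shows at a glance whether many lines share one IP ID and how quickly the TTL values change.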