RE: ICMP Scan

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 03/23/04

  • Next message: Chris Brenton: "Re: ICMP Scan"
    To: "'tim logan'" <seclists@getemail.net>, <incidents@securityfocus.com>
    Date: Tue, 23 Mar 2004 10:15:09 -0800
    
    

      I don't have traffic captures, but something certainly seems
    to have been loading some of the Internet backbones starting
    about 4pm (PST) yesterday and tapering off around 8:30am (PST)
    this morning. The Witty worm, perhaps?

    Dave Gillett

    > -----Original Message-----
    > From: tim logan [mailto:seclists@getemail.net]
    > Sent: Tuesday, March 23, 2004 8:04 AM
    > To: incidents@securityfocus.com
    > Subject: ICMP Scan
    >
    >
    > I saw this traffic last night on an IDS system inside a firewall. Can
    > somebody shed some light on it? It looks to me like the purpose is to
    > determine the number of hops to the host in question. If it is, what
    > would be the purpose?
    >
    > (Internal IP address changed to 1.2.3.4)
    >
    > 19:05:40.869387 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 109, id 23236, len 112)
    > 19:05:40.869668 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 108, id 23236, len 112)
    > 19:05:40.869984 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 107, id 23236, len 112)
    > 19:05:40.870222 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 106, id 23236, len 112)
    > 19:05:40.870509 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 105, id 23236, len 112)
    >
    > <<<< many packets removed for brevity's sake >>>>
    >
    > 19:05:40.895191 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 6, id 23236, len 112)
    > 19:05:40.895477 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 5, id 23236, len 112)
    > 19:05:40.895686 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 4, id 23236, len 112)
    > 19:05:40.895973 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 3, id 23236, len 112)
    > 19:05:40.896181 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 2, id 23236, len 112)
    > 19:05:40.896473 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag [ttl 1] (id 23236, len 112)
    >
    >
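
Added example, not part of the thread: in the quoted capture every line carries the same IP id (23236) while the TTL falls by one per line. The Python below groups tcpdump lines by source, destination and IP id and reports ids seen at several strictly falling TTLs, which separates repeated sightings of one datagram from independently generated packets, which typically carry different ids. The regex assumes the older tcpdump text layout shown in the post; the function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# First six lines are from the quoted capture (wrapped lines rejoined, the
# elided middle left out); the last two, with differing IP ids, are constructed.
SAMPLE = """\
19:05:40.869387 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 109, id 23236, len 112)
19:05:40.869668 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 108, id 23236, len 112)
19:05:40.869984 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 107, id 23236, len 112)
19:05:40.895973 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 3, id 23236, len 112)
19:05:40.896181 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag (ttl 2, id 23236, len 112)
19:05:40.896473 68.186.254.202 > 1.2.3.4: icmp: 68.186.254.202 unreachable - need to frag [ttl 1] (id 23236, len 112)
19:06:01.100000 192.0.2.7 > 1.2.3.4: icmp: echo request (ttl 52, id 4101, len 84)
19:06:02.100000 192.0.2.7 > 1.2.3.4: icmp: echo request (ttl 52, id 4102, len 84)
"""

# Assumption: older tcpdump text layout, "(ttl N, id M, ...)" or "[ttl N] (id M, ...)".
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+) > ([^:\s]+): .*?ttl (\d+).*?\bid (\d+)")

def parse(text):
    """Return (seconds, src, dst, ttl, ip_id) for each recognised line."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            h, mi, s, src, dst, ttl, ipid = m.groups()
            records.append((int(h) * 3600 + int(mi) * 60 + float(s), src, dst, int(ttl), int(ipid)))
    return records

def repeated_datagrams(records, min_sightings=3):
    """Report (src, dst, ip_id) groups seen at several strictly falling TTLs."""
    groups = defaultdict(list)
    for t, src, dst, ttl, ipid in records:
        groups[(src, dst, ipid)].append((t, ttl))
    findings = []
    for (src, dst, ipid), seen in groups.items():
        seen.sort()  # order by capture time
        ttls = [ttl for _, ttl in seen]
        falling = all(a > b for a, b in zip(ttls, ttls[1:]))
        if len(ttls) >= min_sightings and falling:
            findings.append({"src": src, "dst": dst, "ip_id": ipid, "sightings": len(ttls),
                             "ttl_first": ttls[0], "ttl_last": ttls[-1],
                             "span_ms": round((seen[-1][0] - seen[0][0]) * 1000, 3)})
    return findings

if __name__ == "__main__":
    for finding in repeated_datagrams(parse(SAMPLE)):
        print(finding)
```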

