Re: ICMP Type:8 Code:137
From: Allan Kjeldbjerg (Acom Internet ApS) (allan_at_acom-net.dk)
Date: 10/28/05
- Previous message: Justin: "Re: Who is looking for port 2036?"
- In reply to: Justin: "Re: ICMP Type:8 Code:137"
- Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: ICMP Type:8 Code:137"
- Maybe reply: mutiger_jh_at_yahoo.com: "Re: Re: ICMP Type:8 Code:137"
- Reply: Valdis.Kletnieks_at_vt.edu: "Re: ICMP Type:8 Code:137"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Justin" <justinvinn@gmail.com>, <mutiger_jh@yahoo.com>
Date: Fri, 28 Oct 2005 21:18:27 +0200
Hi _mutiger_jh,
Yes, I have noticed the increase of the same packets. They could be spoofed,
but the ones I currently notice originate from China and are distributed via
ISPs in New York.
Concurrently with these packets we experience non-terminating TCP connections
on our Windows platform.
- Could there be a connection between the two? Anyone noticed the same
pattern?
/allan
----- Original Message -----
From: "Justin" <justinvinn@gmail.com>
To: <mutiger_jh@yahoo.com>
Cc: <incidents@securityfocus.com>
Sent: Friday, October 28, 2005 8:11 PM
Subject: Re: ICMP Type:8 Code:137
> Mutiger_jh,
>
> It could indeed be a recon technique (the traceroute makes me think
> that even more). Custom ICMP programs are not that difficult to make,
> so maybe somebody is using your system(s) as a testing ground?
>
> This also reminds me of xprobe2. Doesn't that send ICMP like what you
> described? Are these targeted in sweeps across your netrange, or is it
> just against one specific host?
>
> Hope some of that helped...
>
> peace,
> --Justin
>
> On 28 Oct 2005 03:12:09 -0000, mutiger_jh@yahoo.com
> <mutiger_jh@yahoo.com> wrote:
>> We have been seeing a good number of ICMP - echo requests coming in
>> bursts having a code of 137 in the last couple of days. The bursts do not
>> last long but are sometimes preceded by a traceroute. No other traffic
>> follows from the source hosts. There is no payload in the packets. My
>> research into what or why this is happening has turned up nothing.
>>
>> Has anyone heard of any attacks or recon using this code?
>>
>
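One way to look for the pattern described in this thread (bursts of echo requests with a non-zero code and no payload) in captured IPv4 packets. This is an added example, not code from any poster in the thread; the function names, the burst threshold and the addresses are assumptions, and the sample packets are constructed.

```python
import socket
import struct
from collections import Counter

def parse_icmp(packet: bytes):
    """Return (src_ip, type, code, payload_len) for an IPv4 ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:  # protocol 1 = ICMP
        return None
    icmp_type, code = packet[ihl], packet[ihl + 1]
    # Echo header is 8 bytes: type, code, checksum, identifier, sequence
    return socket.inet_ntoa(packet[12:16]), icmp_type, code, len(packet) - (ihl + 8)

def odd_echo_sources(packets, min_count=3):
    """Count empty echo requests (type 8) with a non-zero code, per (source, code).

    RFC 792 defines only code 0 for echo, so any other code is anomalous.
    min_count is an assumed burst threshold, not a value from the thread.
    """
    hits = Counter()
    for pkt in packets:
        parsed = parse_icmp(pkt)
        if parsed is None:
            continue  # not IPv4 ICMP, or truncated
        src, icmp_type, code, payload_len = parsed
        if icmp_type == 8 and code != 0 and payload_len == 0:
            hits[(src, code)] += 1
    return {key: n for key, n in hits.items() if n >= min_count}

def make_packet(src, icmp_type, code, payload=b""):
    """Constructed sample packet (checksums left at zero; the parser ignores them)."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton("192.0.2.10"))
    return ip + icmp

# Constructed sample traffic using documentation address ranges
SAMPLE = (
    [make_packet("198.51.100.7", 8, 137) for _ in range(5)]  # burst, code 137, empty
    + [make_packet("203.0.113.9", 8, 0, b"abcdefgh")] * 4    # ordinary ping
    + [make_packet("203.0.113.50", 8, 137)]                  # single packet, below threshold
    + [b"\x45\x00"]                                          # truncated, skipped
)

if __name__ == "__main__":
    for (src, code), n in odd_echo_sources(SAMPLE).items():
        print(f"{src}: {n} empty echo requests with code {code}")
```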