Re: ICMP Type:8 Code:137

Valdis.Kletnieks_at_vt.edu
Date: 10/29/05


To: "Allan Kjeldbjerg (Acom Internet ApS)" <allan@acom-net.dk>
Date: Fri, 28 Oct 2005 19:56:58 -0400


On Fri, 28 Oct 2005 21:18:27 +0200, "Allan Kjeldbjerg (Acom Internet ApS)" said:
> Hi _mutiger_jh,
>
> Yes I have notice the increase of the same packets. They could be spoofed
> but the one I currently
> notice originate from China and is distributed via ISP's in New York.
>
> Concurrently with these packets we expirence non terminating TCP connections
> on our Windows platform.
> - Could there be a connection between the two? Anyone noticed the same
> pattern?

Out of curiosity, are these fragged packets? I'm wondering if the first frag
is getting lost and something's misinterpreting a 2nd or following frag - remember
that the *real* TCP/UPD/ICMP header is only in the first frag. So if your
monitoring tool looks at a subsequent frag, it could be minsinterpreting the
payload as header (similar to the tool that misinterpreted an ICMP as UDP and got
a port number instead of a ICMP type/code).