
 

Welcome to the Virus.Org Mailing List Archive




Re: spoofed ICMP 3/1's - what is the tool or goal here?

  • To: [EMAIL PROTECTED]
  • Subject: Re: spoofed ICMP 3/1's - what is the tool or goal here?
  • From: slim bones <[EMAIL PROTECTED]>
  • Date: Sun, 14 Jan 2001 22:38:22 +0100
  • In-reply-to: <[EMAIL PROTECTED]>
 
Howdy,

Although that's annoying, it's not going to hurt anything.  Whoever's
doing it can't gain any information from this activity.  By itself it's
not a threat.  However, it could be intended as a distraction from other
activity against your net.

s.b -> azimuth

On Fri, Jan 05, 2001 at 11:22:48PM -0600, Glenn Forbes Fleming Larratt wrote:
> We're seeing increasing numbers of the traffic represented below - a
> large amount of ICMP 3/1's, spoofed as being from a router port in a
> major tier 1 or 2, all across our network.
>
> I'm particularly curious about the groups of 119. "my.net" below is, of
> course, our class B, which is subnetted at 8 bits; in every instance where
> 119 (sometimes 118) packets are sent at once, the target is on an
> unallocated subnet, to which traceroutes would !X out - but not all
> unallocated subnets generate the large slew of packets.
>
> Has anyone else seen this? Is this a threat? Any info gratefully received.
>
> 	-g
>
> --
> Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
> [EMAIL PROTECTED]                        http://www.io.com/~glratt
> There are imaginary bugs to chase in heaven.
>
> ---------- Forwarded message ----------
> Jan  5 01:04:46 icmp BAD.GUY.NET.NODE -> my.net.76.19 (3/1), 119 packets
> Jan  5 01:05:00 icmp BAD.GUY.NET.NODE -> my.net.92.8 (3/1), 1 packet
> Jan  5 01:05:09 icmp BAD.GUY.NET.NODE -> my.net.185.13 (3/1), 1 packet
> Jan  5 01:05:11 icmp BAD.GUY.NET.NODE -> my.net.150.55 (3/1), 1 packet
> Jan  5 01:05:21 icmp BAD.GUY.NET.NODE -> my.net.82.13 (3/1), 1 packet
> Jan  5 01:05:33 icmp BAD.GUY.NET.NODE -> my.net.229.60 (3/1), 1 packet
> Jan  5 01:06:00 icmp BAD.GUY.NET.NODE -> my.net.37.20 (3/1), 1 packet
> Jan  5 01:06:02 icmp BAD.GUY.NET.NODE -> my.net.149.87 (3/1), 1 packet
> Jan  5 01:06:19 icmp BAD.GUY.NET.NODE -> my.net.148.93 (3/1), 1 packet
> Jan  5 01:06:27 icmp BAD.GUY.NET.NODE -> my.net.110.125 (3/1), 1 packet
> Jan  5 01:06:33 icmp BAD.GUY.NET.NODE -> my.net.122.92 (3/1), 1 packet
> Jan  5 01:06:36 icmp BAD.GUY.NET.NODE -> my.net.152.51 (3/1), 1 packet
> Jan  5 01:07:34 icmp BAD.GUY.NET.NODE -> my.net.207.94 (3/1), 1 packet
> Jan  5 01:07:50 icmp BAD.GUY.NET.NODE -> my.net.136.125 (3/1), 119 packets
> Jan  5 01:07:54 icmp BAD.GUY.NET.NODE -> my.net.248.14 (3/1), 1 packet
> Jan  5 01:07:56 icmp BAD.GUY.NET.NODE -> my.net.246.107 (3/1), 1 packet
> Jan  5 01:08:01 icmp BAD.GUY.NET.NODE -> my.net.11.85 (3/1), 119 packets
> Jan  5 01:08:07 icmp BAD.GUY.NET.NODE -> my.net.79.4 (3/1), 119 packets
> Jan  5 01:08:15 icmp BAD.GUY.NET.NODE -> my.net.133.39 (3/1), 1 packet
> Jan  5 01:08:32 icmp BAD.GUY.NET.NODE -> my.net.202.96 (3/1), 1 packet
> Jan  5 01:08:36 icmp BAD.GUY.NET.NODE -> my.net.139.109 (3/1), 119 packets
> Jan  5 01:08:38 icmp BAD.GUY.NET.NODE -> my.net.184.46 (3/1), 119 packets
> Jan  5 01:08:47 icmp BAD.GUY.NET.NODE -> my.net.92.49 (3/1), 1 packet
<rip>
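
The tally described in the quoted message (which subnets receive the 118/119-packet bursts of ICMP 3/1, and whether those subnets are allocated) can be automated. The following is an added example, not part of the original thread. The `ALLOCATED` set, the `burst_min` threshold, the function names and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the summary format quoted in the post (names anonymized as there).
SAMPLE = """\
> Jan  5 01:04:46 icmp BAD.GUY.NET.NODE -> my.net.76.19 (3/1), 119 packets
> Jan  5 01:05:00 icmp BAD.GUY.NET.NODE -> my.net.92.8 (3/1), 1 packet
> Jan  5 01:07:50 icmp BAD.GUY.NET.NODE -> my.net.136.125 (3/1), 119 packets
> Jan  5 01:08:01 icmp BAD.GUY.NET.NODE -> my.net.11.85 (3/1), 118 packets
> Jan  5 01:08:47 icmp BAD.GUY.NET.NODE -> my.net.92.49 (3/1), 1 packet
"""

# Hypothetical list of in-use subnets (third octet of the class B); replace with your own.
ALLOCATED = {92, 11}

LINE = re.compile(
    r"(\w{3}\s+\d+\s+[\d:]{8})\s+icmp\s+(\S+)\s+->\s+(\S+)\s+"
    r"\((\d+)/(\d+)\),\s+(\d+)\s+packets?\s*$"
)

def parse(text):
    """Yield (timestamp, source, subnet, icmp_type, icmp_code, packets) per log line."""
    for raw in text.splitlines():
        m = LINE.search(raw)
        if m is None:
            continue  # quoting debris, blank lines, other log formats
        ts, src, dst, typ, code, count = m.groups()
        subnet = int(dst.rsplit(".", 2)[1])  # class B subnetted at 8 bits
        yield ts, src, subnet, int(typ), int(code), int(count)

def burst_report(text, allocated, burst_min=100):
    """Per subnet: total 3/1 packets, burst count, and whether the subnet is allocated."""
    report = defaultdict(lambda: {"packets": 0, "bursts": 0, "allocated": False})
    for _ts, _src, subnet, typ, code, count in parse(text):
        if (typ, code) != (3, 1):  # destination unreachable / host unreachable
            continue
        row = report[subnet]
        row["packets"] += count
        row["bursts"] += count >= burst_min
        row["allocated"] = subnet in allocated
    return dict(report)

def bursts_on_allocated(report):
    """Subnets that are in use yet still received a burst: the cases worth a closer look."""
    return sorted(s for s, r in report.items() if r["allocated"] and r["bursts"])

if __name__ == "__main__":
    rep = burst_report(SAMPLE, ALLOCATED)
    for subnet in sorted(rep):
        print(subnet, rep[subnet])
    print("bursts on allocated subnets:", bursts_on_allocated(rep))
```
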







 