Security Incidents: Re: ICMP time exceed in-transit packets

Re: ICMP time exceed in-transit packets

From: White, Tim <Tim.White_at_CI.AUSTIN.TX.US>
Date: Fri, 31 Dec 1999 18:35:06 -0600

I am getting these destined for networks behind my firewall (application
gateway), which does not pass ANY ICMP, in or out. They are also destined
for 24 bit network addresses (i.e. 172.16.12.0). What is really odd about
these is that they are slowly covering my entire class B at early morning
hours. They are sourced from about 20 routers covering a broad area.

I reviewed my IDS logs on my internet connection, and no stimulus exists
(i.e. no outbound traceroute).

I find this one a bit odd.

> -----Original Message-----
> From: Rob Quinn [SMTP:rquinn_at_SEC.SPRINT.NET]
> Sent: Thursday, December 30, 1999 12:31 PM
> To: INCIDENTS_at_SECURITYFOCUS.COM
> Subject: Re: ICMP time exceed in-transit packets
>
> > 22:32:06.344676 210.207.190.33 > sanitized.84.0: icmp: time exceeded in-transit
>
> You get these back from tracerouting, or when a packet takes too many hops,
> usually due to a routing loop. 210.207.190.33 is a Cisco.
> An older version of some popular software (Nuke Nabber?) identifies these
> packets as an attack, causing us to receive tons of semi-automated complaints
> about our backbone routers.
>
> --
> | Opinions are _mine_, facts | Rob Quinn
> | are facts.                 | (703)689-6582
> |                            | rquinn_at_sec.sprint.net
> |                            | Sprint Corporate Security
Received on Jan 01 2000
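
A triage sketch for the situation described in the reply above (added example, not part of the original thread): it parses tcpdump lines of the shape quoted in the message, counts the routers, destination networks and hours involved, and flags time-exceeded messages for which no outbound stimulus was logged. The sample capture, the `triage` function and its `outbound_sources` input are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Line shape copied from the tcpdump excerpt quoted in the thread.
LINE = re.compile(r"^(\d\d):\d\d:\d\d\.\d+ (\S+) > (\S+): icmp: time exceeded in-transit$")

# Constructed sample capture; router addresses use documentation ranges.
SAMPLE = """\
02:10:01.100000 192.0.2.1 > 172.16.12.0: icmp: time exceeded in-transit
02:10:07.200000 198.51.100.7 > 172.16.13.0: icmp: time exceeded in-transit
03:41:30.300000 203.0.113.9 > 172.16.14.0: icmp: time exceeded in-transit
03:41:55.400000 192.0.2.1 > 172.16.15.0: icmp: time exceeded in-transit
14:02:11.500000 198.51.100.7 > 172.16.40.25: icmp: time exceeded in-transit
14:02:12.600000 10.1.1.1 > 172.16.40.25: icmp: echo reply
"""

def triage(capture, outbound_sources, prefix_len=24):
    """Summarize time-exceeded messages and flag those with no local stimulus.

    outbound_sources: internal addresses seen sending traffic outbound
    (hypothetical input, e.g. taken from firewall or IDS logs).
    """
    routers, networks, hours, unsolicited = set(), set(), Counter(), []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # other traffic
        hour, router, dst = m.groups()
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # sanitized or resolved names cannot be analyzed
        net = ipaddress.ip_network(f"{dst_ip}/{prefix_len}", strict=False)
        routers.add(router)
        networks.add(net)
        hours[int(hour)] += 1
        # An ICMP error is sent to the source address of the expired packet.
        # A destination that is a network address, or a host with no logged
        # outbound traffic, means no local stimulus was recorded for it.
        if dst_ip == net.network_address or dst not in outbound_sources:
            unsolicited.append((router, dst))
    return {"routers": len(routers), "networks": len(networks),
            "by_hour": dict(hours), "unsolicited": unsolicited}

if __name__ == "__main__":
    print(triage(SAMPLE, outbound_sources={"172.16.40.25"}))
```
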
