Security Incidents: Re: traceroute ICMP packets

Re: traceroute ICMP packets

From: Larry Canup <larry_canup_at_RAC.RAY.COM>
Date: Tue, 18 Jan 2000 17:07:01 -0000

We see this a lot. It concerned me greatly, at first.

What is likely happening is that you are having latency scans being done on behalf of sites that you have visited. The site was part of a large ISP or organization that has multiple points of entry to the Internet. To tune their networks, they do network latency tests. Director products such as 3DNS will basically determine that someone from your address space has visited. From then on, they perform latency tests periodically to determine the best route back to you.

If it concerns you, you can trace them down and ask them to exclude you from the latency tests. Some cooperate.... Some don't.

LarryC

>>>>>>>>>>>>>>>>

Greetings. Recently I have noticed a great deal of activity similar to this as well from a number of sources. Here's some snips from my PIX log. Anyone have ideas what they may be trying to accomplish? (Identify routers?) What makes me nervous is that they somehow found the address to my internal interface and this is where they are focusing their efforts.

Jan 3 03:12:57 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33474
Jan 3 03:12:59 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33469
Jan 3 03:13:02 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33475
Jan 3 03:13:04 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33470
Jan 3 03:13:07 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to xxx.xxx.x.x/33476
Jan 3 03:13:09 [xxx.xxx.x.x.x.x.x] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to xxx.xxx.x.x/33471

Here's some of the addresses constantly banging away at us.

198.170.164.3, 206.86.106.3, 212.36.169.97, 193.173.76.2, 195.54.95.3, 168.143.224.18, 195.8.99.162, 194.133.52.3, 212.23.226.3, 212.121.130.40, 193.127.46.2, 193.65.199.3, 203.79.87.3 - and there's plenty more where that came from if anyone is interested.

Again - if anyone has any insight as to what may be going on please let me know. Thank you all for your time.

-Matthew

Hello,

My Linux box has recently logged some traceroute ICMP packets. Of course,
I did not traceroute these hosts. (Packets from hosts between my
computer and the source IPs are missing as well.)

Do you have any idea what this can be?

Here are the (ipchains) logs:
(x.y.u.v is the IP address of myhost)

Jan 3 15:29:54 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1
        167.216.136.2:11 x.y.u.v:0 L=56 S=0xC0 I=21545 F=0x0000 T=247
Jan 3 15:30:07 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1
        212.59.199.41:11 x.y.u.v:0 L=56 S=0x00 I=3106 F=0x0000 T=237
Jan 3 15:30:16 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1
        212.59.199.41:11 x.y.u.v:0 L=56 S=0x00 I=3124 F=0x0000 T=237
Jan 3 15:30:23 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1
        167.216.136.2:11 x.y.u.v:0 L=56 S=0xC0 I=21986 F=0x0000 T=247
... (more packets from these hosts with similar delays between them)

Laszlo
Received on Jan 19 2000
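A small detector for the two probe patterns the thread describes, added here as an example and not code from any of the posters: UDP probes whose destination ports walk upward through the classic traceroute band per source (the PIX entries above), and ICMP type 11 (time exceeded) messages from hosts the log owner never traced (the ipchains entries). The sample lines are constructed after the quoted log entries, with the ipchains entries joined onto one line each, and the upper bound of the port band is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the PIX and ipchains entries quoted
# in the thread (the ipchains entries are joined onto one line each).
SAMPLE_LINES = [
    "Jan 3 03:12:57 [fw] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to 192.0.2.10/33474",
    "Jan 3 03:12:59 [fw] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to 192.0.2.10/33469",
    "Jan 3 03:13:02 [fw] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to 192.0.2.10/33475",
    "Jan 3 03:13:04 [fw] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to 192.0.2.10/33470",
    "Jan 3 03:13:07 [fw] %PIX-: Deny inbound UDP from 216.52.58.2/39933 to 192.0.2.10/33476",
    "Jan 3 03:13:09 [fw] %PIX-: Deny inbound UDP from 140.239.162.2/40168 to 192.0.2.10/33471",
    "Jan 3 03:14:00 [fw] %PIX-: Deny inbound UDP from 198.51.100.9/1024 to 192.0.2.10/53",
    "Jan 3 15:29:54 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1 167.216.136.2:11 192.0.2.10:0 L=56 S=0xC0 I=21545 F=0x0000 T=247",
    "Jan 3 15:30:23 myhost kernel: Packet log: input ACCEPT eth0 PROTO=1 167.216.136.2:11 192.0.2.10:0 L=56 S=0xC0 I=21986 F=0x0000 T=247",
]

PIX_UDP_RE = re.compile(r"Deny inbound UDP from (\S+)/(\d+) to (\S+)/(\d+)")
# ipchains logs ICMP as src:type dst:code, so "167.216.136.2:11" is ICMP type 11.
IPCHAINS_RE = re.compile(r"PROTO=(\d+) (\S+):(\d+) (\S+):(\d+)")

# Classic UNIX traceroute walks destination ports upward from 33434, one per
# probe; the upper bound here is an assumption covering a default-length trace.
TRACEROUTE_PORTS = range(33434, 33535)
ICMP_TIME_EXCEEDED = 11


def find_traceroute_probes(lines, min_probes=2):
    """Return {source: finding} for sources that look like traceroute/latency probers:
    rising UDP ports in the traceroute band, or unsolicited ICMP time-exceeded."""
    udp_ports = defaultdict(list)
    time_exceeded = defaultdict(int)
    for line in lines:
        if (m := PIX_UDP_RE.search(line)):
            udp_ports[m.group(1)].append(int(m.group(4)))  # dst port per source, in log order
        elif (m := IPCHAINS_RE.search(line)) and m.group(1) == "1" \
                and int(m.group(3)) == ICMP_TIME_EXCEEDED:
            time_exceeded[m.group(2)] += 1
    findings = {}
    for src, ports in udp_ports.items():
        in_band = all(p in TRACEROUTE_PORTS for p in ports)
        rising = all(b > a for a, b in zip(ports, ports[1:]))
        if len(ports) >= min_probes and in_band and rising:
            findings[src] = {"kind": "udp-traceroute", "ports": ports}
    for src, count in time_exceeded.items():
        findings[src] = {"kind": "icmp-time-exceeded", "count": count}
    return findings
```

Running `find_traceroute_probes(SAMPLE_LINES)` flags the two PIX sources and the ipchains source while ignoring the ordinary UDP/53 entry; feeding real firewall logs in gives a per-source list to take to the owning network, as Larry suggests.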
