Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

odd icmp broadcast scan
From: jlewis () LEWIS ORG (Jon Lewis)
Date: Mon, 13 Mar 2000 01:32:30 -0500

I just found this in the packet filter logs for a client's
network I help maintain and thought it was very odd.

Mar 12 17:33:27 gw ASCEND: wan1 8/0/icmp xxx.yyy.zzz.0 <- 66.23.21.3 42 !pass (t
oping-1)
Mar 12 17:33:27 gw ASCEND: wan1 8/0/icmp xxx.yyy.zzz.0 <- 64.24.41.130 42 !pass
(toping-1)
Mar 12 17:33:27 gw ASCEND: wan1 8/0/icmp xxx.yyy.zzz.0 <- 69.69.69.69 42 !pass (
toping-1)
Mar 12 17:33:27 gw ASCEND: wan1 8/0/icmp xxx.yyy.zzz.0 <- 104.104.104.104 42 !pa
ss (toping-1)

The second one is from (or claims to be from) a popsite.net dialup...a
frequent source of spam and perhaps hackers.  The rest are all likely
forged and have source addresses in IANA reserved IP space.  Anyone have
a clue what's to be gained by pinging the network address from out on
the internet using reserved block source addresses?

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  Spammers will be winnuked or
 System Administrator        |  nestea'd...whatever it takes
 Atlantic Net                |  to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]