Security Incidents: Re: An ICMP Type 3 Signature

Re: An ICMP Type 3 Signature

From: Donald McLachlan <don_at_MAINFRAME.DGRC.CRC.CA>
Date: Thu, 5 Oct 2000 09:50:13 -0400

I've been seeing this traffic for ages, and I have had some luck at locating
the source of some of it.

As you say, someone is spoofing your addresses (presumably as decoys
while scanning).

1) try to elicit an icmp error message from the "router" sending the
   unreachable message (udp traceroute is good).
2) if the TTL of the 2 ICMP messages match, you can probably assume the
   router sent the original ICMP unreachable message.

As you say the ICMP message includes the IP header of the packet which could
not be delivered.

3) Look at the IP header of the included packet. If the TTL is close to
   (within 1 or 2 of) one of the default initial TTLs (255, 128, 64, 32)
   you can be pretty sure that the host spoofing your addresses is behind
   that border router.

I actually have a tcpdump script that looks for these packets, dumps them
in hex, and e-mails them to me.

Good luck, and happy hunting.

Don

P.S. Now that I've said how we can detect them, I bet they modify the
      stimulus packets. :-(
Received on Oct 05 2000
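The three checks Don describes (compare the outer TTL of the unreachable with a TTL you elicited from the same router, then read the TTL out of the quoted IP header and measure its distance from a default initial TTL) can be scripted. The following is an added example, not Don's tcpdump script nor anything from the thread; the packet bytes, addresses and the 2-hop threshold are constructed assumptions for illustration.

```python
import struct

DEFAULT_INITIAL_TTLS = (32, 64, 128, 255)   # common OS defaults named in the post

def ipv4_header(ttl, proto, src, dst, total_len):
    """Build a minimal 20-byte IPv4 header (checksum left zero; constructed test data only)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       addr(src), addr(dst))

def parse_ipv4(buf):
    """Return (ttl, protocol, src, dst, header_length) from a raw IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    fmt = lambda b: ".".join(str(x) for x in b)
    return buf[8], buf[9], fmt(buf[12:16]), fmt(buf[16:20]), ihl

def analyse_unreachable(pkt, elicited_ttl=None):
    """Analyse one raw ICMP type 3 packet (outer IP + ICMP + quoted inner IP header).
    elicited_ttl is the TTL seen on an ICMP error you provoked from the same router
    (e.g. with UDP traceroute); None if you have not done that yet."""
    outer_ttl, proto, router, victim, ihl = parse_ipv4(pkt)
    if proto != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = pkt[ihl:]
    if icmp[0] != 3:
        raise ValueError("not an ICMP type 3 (destination unreachable) message")
    inner_ttl, inner_proto, inner_src, inner_dst, _ = parse_ipv4(icmp[8:])
    # Nearest default initial TTL at or above the quoted TTL gives an estimate of
    # how many hops the spoofing host is from the router that generated the error.
    initial = min(t for t in DEFAULT_INITIAL_TTLS if t >= inner_ttl)
    hops = initial - inner_ttl
    return {
        "router": router, "reported_victim": victim, "icmp_code": icmp[1],
        "quoted_src": inner_src, "quoted_dst": inner_dst, "quoted_proto": inner_proto,
        "quoted_ttl": inner_ttl, "assumed_initial_ttl": initial,
        "spoofer_hops_from_router": hops,
        "spoofer_behind_router": hops <= 2,   # "within 1 or 2" of a default, per the post
        "same_router_as_elicited": None if elicited_ttl is None else elicited_ttl == outer_ttl,
    }

# Constructed sample: router 192.0.2.1 reports that a UDP packet it received with our
# address 198.51.100.7 as (spoofed) source, bound for 203.0.113.9, was undeliverable.
# The quoted TTL of 254 is within 1 of the 255 default: the spoofer sits 1 hop from it.
QUOTED = ipv4_header(254, 17, "198.51.100.7", "203.0.113.9", 28) + struct.pack("!HHHH", 40000, 53, 8, 0)
ICMP = struct.pack("!BBHI", 3, 3, 0, 0) + QUOTED        # type 3, code 3 (port unreachable)
SAMPLE = ipv4_header(250, 1, "192.0.2.1", "198.51.100.7", 20 + len(ICMP)) + ICMP

if __name__ == "__main__":
    print(analyse_unreachable(SAMPLE, elicited_ttl=250))
```

The quoted header is treated as the router received it; a device that decrements TTL before quoting shifts the hop estimate by one.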
