Security Incidents mailing list archives

Re: Unusual ICMP Traffic
From: Brett Glass <brett () lariat org>
Date: Tue, 22 Oct 2002 20:25:35 -0600

At 01:53 AM 10/22/2002, jeff () thepostmaster net wrote:

I am looking for help concerning some unusual ICMP traffic I am seeing.
Specifically, I am seeing inbound ICMP (type 38 code 37) with some unusual
data in the ICMP data field (see below).  I am seeing multiple source IPs
(outside) to multiple destination IPs (inside).  All the source IPs have
TTLs in the low 100s or in the 40 range.  This could indicate spoofed
sources from two different locations.

I have been seeing a lot of "http" type data and more recently the "reverse
connect to me" message within the ICMP data field.

Has anyone seen this type of ICMP traffic?

Paul Vixie reports that some of the traffic that was directed at the
DNS root servers during the recent DDoS attempt consisted of unusual
ICMP packets with spoofed addresses. I wonder if you're seeing the same tool
that was used in the attacks.

--Brett Glass


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
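A defender-side triage routine for the kind of traffic described in this thread, added here as an example and not written by either poster: it parses raw IPv4/ICMP packets, flags unexpected type/code values or readable text in the ICMP data field, and groups the flagged packets' TTLs into bands of ten, so that many apparent sources collapsing into one or two bands stands out. The packets, addresses and TTLs in SAMPLE are constructed to resemble the report; they are not captured data.

```python
import struct
from collections import Counter
# ICMP types a perimeter normally sees; anything else deserves a look.
COMMON_ICMP_TYPES = {0, 3, 4, 5, 8, 11, 12, 13, 14}
def build_frame(src, dst, ttl, itype, icode, payload):
    """Minimal IPv4+ICMP packet for offline testing (constructed); checksums left zero."""
    icmp = struct.pack("!BBHHH", itype, icode, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp

def parse_frame(frame):
    """Triage-relevant fields of an IPv4/ICMP packet, or None if it is not one."""
    if len(frame) < 28: return None  # 20-byte IPv4 header plus 8-byte ICMP header
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    icmp = frame[(ver_ihl & 0x0F) * 4:total_len]
    if ver_ihl >> 4 != 4 or proto != 1 or len(icmp) < 8: return None
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "type": icmp[0], "code": icmp[1], "payload": icmp[8:]}

def printable_runs(payload, min_len=4):
    """Printable-ASCII runs of at least min_len chars in the ICMP data field."""
    text = "".join(chr(b) if 32 <= b < 127 else "\0" for b in payload)
    return [run for run in text.split("\0") if len(run) >= min_len]

def triage(frames):
    """Flag ICMP with an unexpected type/code or readable text in its data field;
    bucket flagged TTLs by tens (many 'sources' in one or two bands suggests spoofing)."""
    alerts, ttl_bands = [], Counter()
    for frame in frames:
        p = parse_frame(frame)
        if p is None:
            continue
        reasons = []
        if p["type"] not in COMMON_ICMP_TYPES:
            reasons.append(f"unexpected type {p['type']} code {p['code']}")
        for run in printable_runs(p["payload"])[:1]:
            reasons.append("readable text in data field: " + repr(run))
        if reasons:
            alerts.append((p["src"], p["dst"], p["ttl"], reasons))
            ttl_bands[p["ttl"] // 10 * 10] += 1
    return alerts, dict(ttl_bands)

# Constructed sample traffic modelled on the report: outside sources, two TTL bands.
SAMPLE = [
    build_frame("198.51.100.7", "192.0.2.10", 104, 38, 37, b"GET / HTTP/1.0\r\n"),
    build_frame("203.0.113.9", "192.0.2.11", 41, 38, 37, b"reverse connect to me"),
    build_frame("198.51.100.8", "192.0.2.12", 107, 38, 37, b"GET / HTTP/1.0\r\n"),
    build_frame("192.0.2.50", "192.0.2.10", 64, 8, 0, b"\0" * 8),  # ordinary echo request
]
```

Running `triage(SAMPLE)` flags the three type-38 packets and leaves the echo request alone; the TTL bands come back as `{100: 2, 40: 1}`, the two-band pattern the report describes.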

