Security Incidents mailing list archives
Re: IDS246 Large ICMP Packet
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 16 Nov 2000 13:40:39 -0500
On Thu, 16 Nov 2000 14:15:55 -0200, Andre Kajita - Administrador da Rede <admin () CAMARASJC SP GOV BR> said:
> [**] IDS246 - MISC - Large ICMP Packet [**]
> 11/13-12:53:37.296852 32.96.212.11 -> 200.210.111.132
> ICMP TTL:247 TOS:0x0 ID:10257 DF
> ID:48282 Seq:61662 ECHO
>
> There are over 62 of these alerts in a week's logfile, all of them with the
> same ID and Seq (not to mention they are all from the same origin,
> 32.96.212.11).

The Don't Fragment bit is set.  Is that IP address (32.96.212.11) one that
you might be connecting to/from (for instance, receiving mail from)?  Many
systems (AIX 4.3.3 among others) use an MTU-sized ICMP Echo with the DF bit
set to implement Path MTU Discovery.
--
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
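
The triage suggested in the reply above, as an added example that is not part of the original message or of Snort itself: it parses alerts in the layout quoted in the thread and groups them by source, marking sources whose echoes all carry DF. The function names, the two labels and the second sample record are assumptions made for illustration.

```python
import re

# Sample input: the first record is the alert quoted in the thread; the
# second is constructed (documentation address, no DF) to show the contrast.
SAMPLE = """\
[**] IDS246 - MISC - Large ICMP Packet [**]
11/13-12:53:37.296852 32.96.212.11 -> 200.210.111.132
ICMP TTL:247 TOS:0x0 ID:10257 DF
ID:48282 Seq:61662 ECHO

[**] IDS246 - MISC - Large ICMP Packet [**]
11/14-03:10:02.000001 192.0.2.77 -> 200.210.111.132
ICMP TTL:52 TOS:0x0 ID:4411
ID:1 Seq:1 ECHO
"""

# \s+ between fields lets the same pattern match the multi-line layout and
# a copy that has been flattened onto one line.
ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?P<sig>.+?)\s*\[\*\*\]\s+"
    r"(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s+"
    r"ICMP\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<ip_id>\d+)"
    r"(?P<df>\s+DF)?\s+"
    r"ID:(?P<icmp_id>\d+)\s+Seq:(?P<seq>\d+)\s+(?P<type>\w+)"
)

def parse_alerts(text):
    """Return one dict per ICMP alert; 'df' becomes a bool."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        rec = m.groupdict()
        rec["df"] = rec["df"] is not None
        alerts.append(rec)
    return alerts

def triage(alerts):
    """Label each source address.

    'pmtud-candidate': every alert from the source is an ECHO with DF set,
    which fits the MTU-sized DF echo described in the reply. The alert text
    carries no packet length, so this is a hint to check whether the host
    is a known peer, not a verdict. Anything else is labelled 'review'.
    """
    by_src = {}
    for a in alerts:
        by_src.setdefault(a["src"], []).append(a)
    return {
        src: "pmtud-candidate"
        if all(a["df"] and a["type"] == "ECHO" for a in recs) else "review"
        for src, recs in by_src.items()
    }
```
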