[Dshield] Is this normal?

E.B. Dreger eddy+public+spam at noc.everquick.net
Sun Jun 23 14:11:40 GMT 2002


SG> Date: Sun, 23 Jun 2002 09:36:15 +0200
SG> From: Stephane Grobety


SG> JU> ICMP Time Exceeded is a fragmentation error.
SG> 
SG> Ah... no, it's not... It's a TTL exceeded.

I got to thinking... I assumed Mercy to mean she received an ICMP
type 11 + code 0.  If it's code 1, that's a "fragment reassembly
time exceeded"... which I _think_ can be generated by a host, but
don't quote me on that.

Perhaps somebody was scanning www.microsoft.com using packet
fragments, and a big mess of source addresses in an attempt to
obfuscate their own IP.  i.e., maybe Mercy is seeing backscatter
from someone trying to scan MS.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist at brics.com>
To: blacklist at brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist at brics.com>, or you are likely to
be blocked.
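
Added example, not part of the original post: one way to tell the two ICMP type 11 codes apart and to check the backscatter hypothesis from the IP header that the ICMP error quotes back. The function names, the `sent_to` set of destinations the host actually contacted, and the documentation-range addresses are assumptions made for illustration.

```python
import socket
import struct

# ICMP type 11 codes per RFC 792
CODES = {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"}

def parse_time_exceeded(icmp: bytes) -> dict:
    """Parse an ICMP type 11 message and the original IP header it quotes."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short for ICMP header plus quoted IPv4 header")
    if icmp[0] != 11:
        raise ValueError("not an ICMP Time Exceeded message")
    quoted = icmp[8:]  # RFC 792: original IP header + first 64 bits of its data
    if quoted[0] >> 4 != 4:
        raise ValueError("quoted packet is not IPv4")
    (flags_frag,) = struct.unpack("!H", quoted[6:8])
    return {
        "code": icmp[1],
        "meaning": CODES.get(icmp[1], "unknown code"),
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
    }

def looks_like_backscatter(info: dict, my_addr: str, sent_to: set) -> bool:
    """The quoted packet claims our address as source, yet we never sent to that destination."""
    return info["orig_src"] == my_addr and info["orig_dst"] not in sent_to

def build_sample(code: int, src: str, dst: str, flags_frag: int) -> bytes:
    """Constructed test message; checksums are left at zero and not verified."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("!BBHI", 11, code, 0, 0) + ip + b"\x00" * 8

if __name__ == "__main__":
    # Constructed sample: code 1, quoted packet is a first fragment (MF set)
    msg = build_sample(1, "192.0.2.10", "198.51.100.80", 0x2000)
    info = parse_time_exceeded(msg)
    print(info, looks_like_backscatter(info, "192.0.2.10", sent_to=set()))
```
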



