[Dshield] Is this normal?
jsage at finchhaven.com
Sun Jun 23 17:06:30 GMT 2002
On Sun, Jun 23, 2002 at 02:11:40PM +0000, E.B. Dreger wrote:

> SG> Date: Sun, 23 Jun 2002 09:36:15 +0200
> SG> From: Stephane Grobety
>
> SG> JU> ICMP Time Exceeded is a fragmentation error.
>
> SG> Ah... no, it's not... It's a TTL exceeded.
>
> I got to thinking... I assumed Mercy to mean she received an ICMP
> type 11 + code 0. If it's code 1, that's a "fragment reassembly
> time exceeded"... which I _think_ can be generated by a host, but
> don't quote me on that.

Interestingly enough (but somehow not surprising..), apparently
ZoneAlarm doesn't feel that the user will need to know all the gory
details of an alert, so we get "Time exceeded" but not the actual ICMP
type:code pair which would be of real use in understanding what's

> Perhaps somebody was scanning www.microsoft.com using packet
> fragments, and a big mess of source addresses in an attempt to
> obfuscate their own IP. i.e., maybe Mercy is seeing backscatter
> from someone trying to scan MS.

"You are in a little maze of twisty passages, all different."
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
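
An added example, not part of the original post: a decoder that recovers the ICMP type:code pair discussed above from a raw IPv4 packet, together with the original IP header that an ICMP error quotes back, which is what shows which packet triggered the error when checking the backscatter theory. The sample packets are constructed, and the addresses are documentation ranges chosen for illustration.

```python
import socket
import struct

TIME_EXCEEDED = 11  # ICMP type 11 (RFC 792)
CODES = {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"}

def decode_time_exceeded(packet: bytes) -> dict:
    """Decode a raw IPv4 packet carrying ICMP type 11 and its quoted header."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        raise ValueError("not an IPv4 ICMP packet")
    icmp = packet[(packet[0] & 0x0F) * 4:]   # skip outer header (IHL words)
    if len(icmp) < 8 + 20:
        raise ValueError("truncated ICMP error")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != TIME_EXCEEDED:
        raise ValueError(f"ICMP type {icmp_type}, not Time Exceeded")
    quoted = icmp[8:]  # original IP header + first 8 bytes of its payload
    frag_field = struct.unpack("!H", quoted[6:8])[0]
    return {
        "reporter": socket.inet_ntoa(packet[12:16]),   # who sent the error
        "type_code": f"{icmp_type}:{code}",
        "meaning": CODES.get(code, "unknown code"),
        "orig_src": socket.inet_ntoa(quoted[12:16]),   # claimed original sender
        "orig_dst": socket.inet_ntoa(quoted[16:20]),   # where it was headed
        "orig_proto": quoted[9],
        # MF flag or non-zero offset: the quoted packet was a fragment
        "orig_was_fragment": bool(frag_field & 0x3FFF),
    }

def _ip_header(src, dst, proto, frag=0, payload_len=0):
    # Checksum left at 0: the decoder does not verify it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       frag, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_sample(code: int) -> bytes:
    """Constructed sample: an ICMP 11:<code> error quoting a TCP packet."""
    frag = 0x2000 if code == 1 else 0            # MF set for the code 1 case
    quoted = _ip_header("198.51.100.7", "203.0.113.80", 6, frag, 8)
    quoted += struct.pack("!HHI", 1234, 80, 0)   # ports + sequence number
    icmp = struct.pack("!BBHI", TIME_EXCEEDED, code, 0, 0) + quoted
    return _ip_header("192.0.2.1", "198.51.100.7", 1, 0, len(icmp)) + icmp

if __name__ == "__main__":
    for c in (0, 1):
        print(decode_time_exceeded(build_sample(c)))
```

If `orig_src` is the recipient's own address but that host never sent a matching packet to `orig_dst`, the error is a reply to traffic someone else sent with that source address.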