[Dshield] Is this normal?

John Sage jsage at finchhaven.com
Sun Jun 23 17:06:30 GMT 2002

On Sun, Jun 23, 2002 at 02:11:40PM +0000, E.B. Dreger wrote:
> SG> Date: Sun, 23 Jun 2002 09:36:15 +0200
> SG> From: Stephane Grobety
> SG> JU> ICMP Time Exceeded is a fragmentation error.
> SG> 
> SG> Ah... no, it's not... It's a TTL exceeded.
> I got to thinking... I assumed Mercy to mean she received an ICMP
> type 11 + code 0.  If it's code 1, that's a "fragment reassembly
> time exceeded"... which I _think_ can be generated by a host, but
> don't quote me on that.

Interestingly enough (but somehow not surprising...), apparently
ZoneAlarm doesn't feel that the user will need to know all the gory
details of an alert, so we get "Time exceeded" but not the actual ICMP
type:code pair which would be of real use in understanding what's
going on.

> Perhaps somebody was scanning www.microsoft.com using packet
> fragments, and a big mess of source addresses in an attempt to
> obfuscate their own IP.  i.e., maybe Mercy is seeing backscatter
> from someone trying to scan MS.

A possibility...

- John
"You are in a little maze of twisty passages, all different."
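The distinction the thread turns on (ICMP type 11 code 0 is TTL exceeded in transit, code 1 is fragment reassembly time exceeded) and the backscatter hypothesis can both be checked from the packet itself, because a Time Exceeded message quotes the header of the original packet that triggered it. The following is an added example, not code from this thread: the packet bytes and addresses are constructed, and `is_backscatter` is a hypothetical check that assumes you know which hosts your own machine actually sent traffic to.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ICMP_TIME_EXCEEDED = 11  # ICMP type 11
TIME_EXCEEDED_CODES = {
    0: "TTL exceeded in transit",
    1: "fragment reassembly time exceeded",
}

@dataclass
class TimeExceeded:
    code: int
    meaning: str
    inner_src: str        # claimed source of the original packet that triggered the error
    inner_dst: str        # where that original packet was headed
    inner_proto: int
    more_fragments: bool  # MF flag of the quoted header (set on all but the last fragment)

def parse_time_exceeded(icmp: bytes) -> TimeExceeded:
    """Decode an ICMP Time Exceeded message; `icmp` starts at the ICMP header."""
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_TIME_EXCEEDED:
        raise ValueError(f"not ICMP Time Exceeded: type {icmp_type}")
    inner = icmp[8:]  # 8-byte ICMP header, then the quoted original IPv4 header
    if len(inner) < 20:
        raise ValueError("truncated: original IPv4 header not present")
    flags_frag = struct.unpack("!H", inner[6:8])[0]
    return TimeExceeded(
        code=code,
        meaning=TIME_EXCEEDED_CODES.get(code, f"unknown code {code}"),
        inner_src=str(IPv4Address(inner[12:16])),
        inner_dst=str(IPv4Address(inner[16:20])),
        inner_proto=inner[9],
        more_fragments=bool(flags_frag & 0x2000),
    )

def is_backscatter(te: TimeExceeded, my_addr: str, hosts_i_contacted: set) -> bool:
    """Hypothetical check: the quoted packet claims to come from us, but toward a host
    we never sent anything to, so someone else used our address as the source."""
    return te.inner_src == my_addr and te.inner_dst not in hosts_i_contacted

def build_sample(code: int, src: str, dst: str, more_fragments: bool) -> bytes:
    """Constructed test message: ICMP header + quoted IPv4 header + 8 bytes of original data."""
    icmp_hdr = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, code, 0, 0)  # checksum left 0 in the sample
    flags_frag = 0x2000 if more_fragments else 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, flags_frag, 64, 6, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return icmp_hdr + ip_hdr + b"\x00" * 8
```

A personal firewall that only reports "Time exceeded" hides exactly the code and quoted header this parser reads; a packet capture on the host gives you both.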

