[Dshield] Strange ICMP traffic (many Host Unreachables, random destinations )

Kelly Martin kellym at fb00.fb.org
Mon Mar 18 14:45:50 GMT 2002


This past Sunday our firewall blocked ICMP Host Unreachable messages from
various IPs to apparently every IP address on one of our four Class C
netblocks, in no particular order.  I haven't actually checked to make sure
that every address was represented; many addresses were repeated and no
order is apparent.  The list of addresses to which messages were sent
includes addresses allocated to no device at all or to devices not
configured with a valid default gateway (so they can't send packets out of
the network even if they wanted to as they don't know how).

The source IPs are 204.255.168.85 (a WorldCom backbone router in
Sacramento), 144.232.9.154 (a SprintLink nameserver), and a smattering from
157.130.182.213 (another WorldCom backbone router in Palo Alto).  We are a
WorldCom customer located in Park Ridge, Illinois; the routers in question
are not very distant but also not very close.  I don't understand the
mechanism by which a router would generate ICMP Host Unreachable messages
destined for IP addresses which are not in use, so if anyone has any
enlightening comments, I would appreciate it.  Is this a scan of some sort?

We were also scanned for open mail servers from 63.144.237.193 during the
same time period, which may or may not be related.  63.144.237.193 is
registered to a faceless company called "Your Info Inc" so I'm guessing this
was a "mass email marketer" searching for open relays either with or without
the consent of this organization.  Their registered contact address does not
resolve, and I am not going to waste my time writing to QWest.

Kelly
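
A check a firewall admin can run on messages like these, added here as an example and not part of Kelly's post: RFC 792 requires an ICMP Destination Unreachable to quote the IP header plus the first 8 bytes of the datagram that triggered it, and the error is sent back to that datagram's source address. Decoding the quoted header therefore shows whether the "offending" packet ever came from a host we actually operate; 192.0.2.0/24 and 198.51.100.9 are constructed placeholder addresses (the post does not give the netblock), while 204.255.168.85 is one of the routers named above.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH = 3   # RFC 792 type 3: Destination Unreachable
ICMP_HOST_UNREACH = 1   # code 1: host unreachable

def parse_icmp_unreachable(pkt: bytes) -> dict:
    """Decode an IPv4 Destination Unreachable: sender, receiver, quoted datagram (no checksum check)."""
    if pkt[9] != 1:                              # IPv4 protocol 1 = ICMP
        raise ValueError("not ICMP")
    icmp = pkt[(pkt[0] & 0x0F) * 4:]             # skip outer header (IHL in 32-bit words)
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not Destination Unreachable")
    inner = icmp[8:]                             # quoted original IP header + 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    rec = {
        "router": str(ipaddress.IPv4Address(pkt[12:16])),
        "delivered_to": str(ipaddress.IPv4Address(pkt[16:20])),
        "code": icmp[1],
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }
    if inner[9] in (6, 17):                      # TCP/UDP: the quoted bytes start with the ports
        rec["orig_sport"], rec["orig_dport"] = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return rec

def classify(rec: dict, live_hosts: set) -> str:
    """ICMP errors go to the *source* of the quoted datagram; if we never used that address, the packet was not ours."""
    if rec["orig_src"] != rec["delivered_to"]:
        return "quoted-source-mismatch"          # odd: error not addressed to the quoted source
    if rec["orig_src"] not in live_hosts:
        return "backscatter"                     # someone else put our address on the wire
    return "reply-to-our-traffic"

def build_sample(router: str, victim: str, orig_dst: str, sport: int, dport: int) -> bytes:
    """Constructed packet (not a capture): Host Unreachable from router to victim, quoting a TCP segment sourced from victim."""
    ip4 = lambda a: ipaddress.IPv4Address(a).packed
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0, ip4(victim), ip4(orig_dst))
    inner += struct.pack("!HHI", sport, dport, 0)  # first 8 bytes of the TCP header
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, 0) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 255, 1, 0, ip4(router), ip4(victim))
    return outer + icmp

if __name__ == "__main__":
    # 192.0.2.0/24 stands in for the poster's netblock; .77 is an address nobody configured
    rec = parse_icmp_unreachable(build_sample("204.255.168.85", "192.0.2.77", "198.51.100.9", 40000, 80))
    print(rec, classify(rec, {"192.0.2.10", "192.0.2.20"}))  # -> backscatter
```

On a live firewall the same decode applied to the logged ICMP payloads tells whether the quoted sources match configured hosts or only unused addresses in the block.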