[Dshield] Strange ICMP traffic (many Host Unreachables, random destinations )

Kelly Martin kellym at fb00.fb.org
Mon Mar 18 15:51:21 GMT 2002


I know what Host Unreachable means.  What I do not understand is why a
WorldCom router would generate Host Unreachable messages directed to IPs
that are not in use; there is no way our network would have emitted any
packets sourced with some of the IP addresses that were targeted.
Necessarily, these packets are spurious, and due to the large volume of them
I suspect that some sort of weirdness is going on and I was wondering if
anyone had any ideas as to what. 

Basically, why would someone send packets with random spoofed addresses
drawn from the entirety of a single subnet to someone else's router?  Is
this an attempted reflection attack?  

Kelly

> -----Original Message-----
> From: Richard Golodner [SMTP:RGolodner at Aetea.com]
> Sent: Monday, March 18, 2002 9:09 AM
> To: 'list at dshield.org'
> Subject: RE: [Dshield] Strange ICMP traffic (many Host Unreachables,
> random destinations )
>
> Kelly, the ICMP messages you are getting are just what they say they
> are, "Host Unreachable", because it does not exist on that wire. Perhaps
> you may want to talk to security at UUNET/MCI. They have been very
> helpful in the past. Please contact me off list and I will forward my
> security contacts to you.
>
> Rich
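An added example, not part of either message above: one way to triage the Host Unreachables described in this thread is to read the original IP header that each ICMP error quotes (RFC 792) and count how many quote a source address in the local subnet that is not in use. The subnet, the live-host list, and the sample messages are constructed assumptions using documentation address ranges.

```python
import ipaddress
import struct
from collections import Counter

OUR_NET = ipaddress.ip_network("192.0.2.0/24")       # assumed local subnet
LIVE_HOSTS = {ipaddress.ip_address("192.0.2.10")}    # assumed addresses actually in use

def parse_unreachable(icmp: bytes):
    """Return (code, quoted_src, quoted_dst) from an ICMP type 3 message, or None."""
    if len(icmp) < 28 or icmp[0] != 3:               # 8-byte ICMP header + 20-byte IP header
        return None
    quoted = icmp[8:]                                # original IP header + first 8 data bytes
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl:
        return None
    src, dst = struct.unpack("!4s4s", quoted[12:20])
    return icmp[1], ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)

def triage(messages, our_net=OUR_NET, live_hosts=LIVE_HOSTS):
    """Separate errors for traffic we could have sent from errors quoting unused sources."""
    result = {"spoofed": 0, "plausible": 0, "ignored": 0, "targets": Counter()}
    for icmp in messages:
        parsed = parse_unreachable(icmp)
        if parsed is None or parsed[1] not in our_net:
            result["ignored"] += 1                   # not type 3, truncated, or not our subnet
            continue
        _code, src, dst = parsed
        if src in live_hosts:
            result["plausible"] += 1                 # a real host may have sent the original
        else:
            result["spoofed"] += 1                   # nothing lives at the quoted source
            result["targets"][str(dst)] += 1         # where the forged packets were aimed
    return result

def build_sample(src, dst, code=1):
    """Constructed ICMP Host Unreachable quoting a UDP packet src -> dst (checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + b"\x00" * 8

SAMPLES = [build_sample(s, "198.51.100.7") for s in ("192.0.2.50", "192.0.2.77", "192.0.2.200")]
SAMPLES.append(build_sample("192.0.2.10", "203.0.113.5"))   # quotes a live host
SAMPLES.append(b"\x00\x00\x00\x00" * 7)                     # echo reply, not an unreachable

if __name__ == "__main__":
    print(triage(SAMPLES))
```

A `targets` counter dominated by one quoted destination means the forged packets were all aimed at that address, which is the detail to pass to the upstream provider's security contact.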