[Dshield] Strange ICMP traffic (many Host Unreachables, random destinations)
tgeairn at newviewconsulting.com
Mon Mar 18 15:57:25 GMT 2002
Another alternative explanation is that you were either the target
of, or an unwitting bystander to, a DDOS attack.
Say I spoofed one of your addresses (or even worse, your "broadcast"
address) and sent pings to some address behind one of the routers you
listed. Since I used your address to send the packet, the
host-unreachable would come back to you, not me. If I had a hundred
machines all doing this, the host-unreachable messages coming back at
you from all directions could cause havoc.
It is not unknown to use something like this to overwhelm admins or
intrusion detection systems while another, more precise, attack is
going on... such as hunting for a vulnerable SMTP host. It wouldn't
make much sense to use this to hide a scan for an open relay though,
as that's such a quick scan.
-Tom Geairn
NewView Consulting, LLC

-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On
Behalf Of Kelly Martin
Sent: Monday, March 18, 2002 8:46 AM
To: 'list at dshield.org'; 'incidents at securityfocus.org'
Subject: [Dshield] Strange ICMP traffic (many Host Unreachables,
random destinations)
This past Sunday our firewall blocked ICMP Host Unreachable messages from
various IPs to apparently every IP address on one of our four Class C
netblocks, in no particular order. I haven't actually checked to confirm
that every address was represented; many addresses were repeated and no
order is apparent. The list of addresses to which messages were sent
includes addresses allocated to no device at all or to devices not
configured with a valid default gateway (so they can't send packets off
the network even if they wanted to as they don't know how).

The source IPs are 18.104.22.168 (a WorldCom backbone router in
Sacramento), 22.214.171.124 (a SprintLink nameserver), and
126.96.36.199 (another WorldCom backbone router in Palo Alto). We are a
WorldCom customer located in Park Ridge, Illinois; the routers in question
are not very distant but also not very close. I don't understand the
mechanism by which a router would generate ICMP Host Unreachable messages
destined for IP addresses which are not in use, so if anyone has any
enlightening comments, I would appreciate it. Is this a scan of some sort?

We were also scanned for open mail servers from 188.8.131.52 during the
same time period, which may or may not be related. 184.108.40.206 is
registered to a faceless company called "Your Info Inc" so I'm guessing it
was a "mass email marketer" searching for open relays either with or without
the consent of this organization. Their registered contact address doesn't
resolve, and I am not going to waste my time writing to QWest.
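An ICMP Destination Unreachable message quotes the IP header and first 8 bytes of the datagram that triggered it, so the packets Kelly's firewall dropped carry the evidence of what the routers believed his addresses had sent. The script below is an added example, not code from either poster or from Dshield: it builds one such packet (a constructed sample using RFC 5737 test addresses, with an assumed local netblock and list of live hosts) and dissects it the way the reflection scenario in Tom's reply would be checked in practice, flagging an error whose quoted source is an unused address of ours as backscatter from a spoofed ping.

```python
"""Dissect ICMP Destination Unreachable (type 3) packets for reflection backscatter.

Added example, not from the thread.  Addresses, netblock and host list are
constructed (RFC 5737 test nets), not the poster's real values.
"""
import ipaddress
import struct
from typing import Optional

# Assumed local netblock and the addresses actually in use on it (constructed).
OUR_NET = ipaddress.ip_network("192.0.2.0/24")
LIVE_HOSTS = {"192.0.2.10", "192.0.2.11", "192.0.2.25"}

ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 3: "port unreachable", 13: "admin prohibited"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_icmp(typ: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """ICMP header: type, code, checksum, 4 bytes of 'rest of header', then payload."""
    body = struct.pack("!BB", typ, code) + b"\x00\x00" + rest + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def parse_ipv4(buf: bytes, off: int = 0) -> dict:
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    return {"ihl": (vihl & 0x0F) * 4, "len": total_len, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}


def dissect_unreachable(pkt: bytes) -> Optional[dict]:
    """Return the outer fields and the quoted inner datagram of a type 3 message, else None."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != 1:
        return None
    ioff = outer["ihl"]
    typ, code = struct.unpack_from("!BB", pkt, ioff)
    # A valid ICMP checksum verifies to zero over the whole ICMP message.
    if typ != ICMP_DEST_UNREACH or checksum(pkt[ioff:outer["len"]]) != 0:
        return None
    qoff = ioff + 8                       # quoted datagram follows the 8-byte ICMP header
    inner = parse_ipv4(pkt, qoff)
    toff = qoff + inner["ihl"]            # first 8 bytes of the quoted transport header
    rec = {"reporter": outer["src"], "victim": outer["dst"],
           "code": UNREACH_CODES.get(code, "code %d" % code),
           "quoted_src": inner["src"], "quoted_dst": inner["dst"],
           "quoted_proto": inner["proto"]}
    if inner["proto"] == 1:               # quoted ping: the ICMP type is the first byte
        rec["quoted_icmp_type"] = pkt[toff]
    elif inner["proto"] in (6, 17):       # quoted TCP/UDP: source and destination ports
        rec["quoted_sport"], rec["quoted_dport"] = struct.unpack_from("!HH", pkt, toff)
    return rec


def classify(rec: dict) -> str:
    """Is this a genuine reply to something we sent, or reflected backscatter?"""
    if rec["victim"] != rec["quoted_src"]:
        return "forged error: quoted source does not match the address it was delivered to"
    if ipaddress.ip_address(rec["quoted_src"]) in OUR_NET and rec["quoted_src"] not in LIVE_HOSTS:
        return "backscatter: an unused address of ours was spoofed as the source"
    return "plausible reply to traffic one of our live hosts may have sent"


# Constructed sample: a backbone router (203.0.113.1) tells 192.0.2.77, an address
# nobody on our net uses, that 198.51.100.9 is unreachable for a ping it believes
# 192.0.2.77 sent.  Routers quote the inner IP header plus 8 bytes (28 bytes total).
QUOTED_PING = build_ipv4("192.0.2.77", "198.51.100.9", 1,
                         build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x0BAD, 1), b"x" * 32))
SAMPLE = build_ipv4("203.0.113.1", "192.0.2.77", 1,
                    build_icmp(ICMP_DEST_UNREACH, 1, b"\x00\x00\x00\x00", QUOTED_PING[:28]))

if __name__ == "__main__":
    record = dissect_unreachable(SAMPLE)
    print(record)
    print(classify(record))
```

The quoted-source test is the useful one for the traffic in the thread: a router only ever sends the error to the address in the quoted packet's source field, so when that address belongs to no host of yours, the original packet was spoofed and you are the reflection target, not the sender. For live hosts the classifier can only say "plausible"; distinguishing a real reply from backscatter there needs connection state from the firewall.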