[Dshield] Strange ICMP traffic (many Host Unreachables, random destinations )

Tom Geairn tgeairn at newviewconsulting.com
Mon Mar 18 15:57:25 GMT 2002


Kelly-

Another alternative explanation is that you were either the target
of, or an unwitting bystander to, a DDOS attack.

Say I spoofed one of your addresses (or even worse, your "broadcast"
address) and sent pings to some address behind one of the routers you
listed.  Since I used your address to send the packet, the
host-unreachable would come back to you, not me.  If I had a hundred
machines all doing this, the host-unreachable messages coming back at
you from all directions could cause havoc.

It is not unknown to use something like this to overwhelm admins or
intrusion detection systems while another, more precise, attack is
going on...  such as hunting for a vulnerable SMTP host.  It wouldn't
make much sense to use this to hide a scan for an open relay though,
as that's such a quick scan.

-Tom Geairn
NewView Consulting, LLC


-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On
Behalf Of Kelly Martin
Sent: Monday, March 18, 2002 8:46 AM
To: 'list at dshield.org'; 'incidents at securityfocus.org'
Subject: [Dshield] Strange ICMP traffic (many Host Unreachables,
random destinations )

This past Sunday our firewall blocked ICMP Host Unreachable messages
from various IPs to apparently every IP address on one of our four
Class C netblocks, in no particular order.  I haven't actually checked
to make sure that every address was represented; many addresses were
repeated and no order is apparent.  The list of addresses to which
messages were sent includes addresses allocated to no device at all or
to devices not configured with a valid default gateway (so they can't
send packets out of the network even if they wanted to as they don't
know how).

The source IPs are 204.255.168.85 (a WorldCom backbone router in
Sacramento), 144.232.9.154 (a SprintLink nameserver), and a smattering
from 157.130.182.213 (another WorldCom backbone router in Palo Alto).
We are a WorldCom customer located in Park Ridge, Illinois; the routers
in question are not very distant but also not very close.  I don't
understand the mechanism by which a router would generate ICMP Host
Unreachable messages destined for IP addresses which are not in use,
so if anyone has any enlightening comments, I would appreciate it.  Is
this a scan of some sort?

We were also scanned for open mail servers from 63.144.237.193 during
the same time period, which may or may not be related.  63.144.237.193
is registered to a faceless company called "Your Info Inc" so I'm
guessing this was a "mass email marketer" searching for open relays
either with or without the consent of this organization.  Their
registered contact address does not resolve, and I am not going to
waste my time writing to QWest.

Kelly

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
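A defender-side check for the backscatter pattern Tom describes (ICMP unreachables arriving from a few routers, spread across a whole /24 including addresses with no host behind them), added here as an example and not code from either post. It assumes a constructed, hypothetical firewall log format; the destination block 192.0.2.0/24 and the allocated-address set are stand-ins, while the three source routers are the ones Kelly reported.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines in a hypothetical format:
# "<src> -> <dst> icmp type=<t> code=<c>". Not real firewall output.
SAMPLE_LOG = """\
204.255.168.85 -> 192.0.2.17 icmp type=3 code=1
204.255.168.85 -> 192.0.2.200 icmp type=3 code=1
144.232.9.154 -> 192.0.2.3 icmp type=3 code=1
144.232.9.154 -> 192.0.2.17 icmp type=3 code=1
157.130.182.213 -> 192.0.2.250 icmp type=3 code=1
198.51.100.9 -> 192.0.2.10 icmp type=8 code=0
203.0.113.5 -> 192.0.2.10 icmp type=3 code=3
"""

# Stand-in for our netblock and for the addresses that actually have a
# host on them. Unreachables aimed at anything else cannot be replies
# to traffic we sent, which is the tell-tale of spoofed-source backscatter.
OUR_NET = ipaddress.ip_network("192.0.2.0/24")
ALLOCATED = {"192.0.2.3", "192.0.2.10", "192.0.2.17"}

def parse_line(line):
    """Split one constructed log line into (src, dst, icmp_type, icmp_code)."""
    src, _arrow, dst, _proto, t, c = line.split()
    return src, dst, int(t.split("=")[1]), int(c.split("=")[1])

def backscatter_report(log, our_net=OUR_NET, allocated=ALLOCATED):
    """Per source: distinct in-block destinations hit by ICMP type 3, and
    which of those destinations have no host allocated."""
    per_src = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, icmp_type, _code = parse_line(line)
        if icmp_type != 3:                      # only Destination Unreachable
            continue
        if ipaddress.ip_address(dst) not in our_net:
            continue
        per_src[src].add(dst)
    return {
        src: {"distinct_dsts": len(dsts),
              "unallocated": sorted(d for d in dsts if d not in allocated)}
        for src, dsts in per_src.items()
    }

def suspicious_sources(report, min_unallocated=1):
    """Sources whose unreachables hit at least min_unallocated empty addresses."""
    return sorted(s for s, r in report.items()
                  if len(r["unallocated"]) >= min_unallocated)
```

Sources flagged this way are reflectors, not attackers: the useful follow-up is to correlate the arrival rate with whatever else the firewall logged in the same window, as Kelly did with the relay scan.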
