[Dshield] Strange ICMP traffic (many Host Unreachables, random destinations)

Kelly Martin kellym at fb00.fb.org
Mon Mar 18 16:26:44 GMT 2002


If this was an attempted reflection attack, it was highly ineffective.  1024
packets over the course of six and a half hours?

I just checked: the distribution is not uniform; some IPs have more hits
than others, and there are some that were omitted.  Also, because our
firewall normally permits icmp type 3 packets to pass through, packets
targeted to addresses with static mappings in the firewall were neither
blocked nor logged by the firewall.

Kelly

> -----Original Message-----
> From:	Tom Geairn [SMTP:tgeairn at newviewconsulting.com]
> Sent:	Monday, March 18, 2002 9:57 AM
> To:	list at dshield.org
> Subject:	RE: [Dshield] Strange ICMP traffic (many Host Unreachables,
> random destinations )
> 
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Kelly-
> 
> Another alternative explanation is that you were either the target
> of, or an unwitting bystander to, a DDOS attack.  
> 
> Say I spoofed one of your addresses (or even worse, your "broadcast"
> address) and sent pings to some address behind one of the routers you
> listed.  Since I used your address to send the packet, the
> host-unreachable would come back to you, not me.  If I had a hundred
> machines all doing this, the host-unreachable messages coming back at
> you from all directions could cause havoc.  
> 
> It is not unknown to use something like this to overwhelm admins or
> intrusion detection systems while another, more precise, attack is
> going on...  such as hunting for a vulnerable SMTP host.  It wouldn't
> make much sense to use this to hide a scan for an open relay though,
> as that's such a quick scan.
> 
> -Tom Geairn
> NewView Consulting, LLC
> 
> 
> 
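As an added example (not code from either poster), the check a defender can run on the logged type 3 packets discussed above: an ICMP destination-unreachable quotes the IP header and first 8 bytes of the datagram that triggered it, so a message whose quoted source is one of our addresses but whose flow we never sent is exactly the reflected spoof Tom describes, and counting those per emitting router also shows the non-uniform distribution Kelly noticed. All addresses are constructed documentation-range values.

```python
import socket
import struct
from collections import Counter

ICMP_DEST_UNREACH, CODE_HOST_UNREACH = 3, 1

def ipv4_hdr(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_unreachable(router, victim, quoted_src, quoted_dst):
    """Constructed type 3 / code 1 as a router emits it: the ICMP body quotes
    the IP header plus 8 bytes of the echo request that triggered it."""
    quoted = ipv4_hdr(quoted_src, quoted_dst, 1, 8) + struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_HOST_UNREACH, 0, 0) + quoted
    return ipv4_hdr(router, victim, 1, len(icmp)) + icmp

def parse_unreachable(pkt):
    """Return (router, quoted_src, quoted_dst, quoted_proto) for an ICMP type 3, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 + 20 or pkt[9] != 1 or pkt[ihl] != ICMP_DEST_UNREACH:
        return None
    quoted = pkt[ihl + 8:]
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(quoted[12:16]),
            socket.inet_ntoa(quoted[16:20]), quoted[9])

def classify(pkts, sent_flows):
    """Count type 3 messages per emitting router, split into those quoting a
    (src, dst, proto) flow we really sent and those we never sent (spoofed)."""
    solicited, reflected = Counter(), Counter()
    for pkt in pkts:
        parsed = parse_unreachable(pkt)
        if parsed is None:
            continue
        router, qsrc, qdst, qproto = parsed
        bucket = solicited if (qsrc, qdst, qproto) in sent_flows else reflected
        bucket[router] += 1
    return solicited, reflected

# Constructed sample: we pinged 198.51.100.7 once; every other unreachable
# quotes a probe (one with our broadcast address as source) we never sent.
SENT_FLOWS = {("192.0.2.10", "198.51.100.7", 1)}
SAMPLE = [
    build_unreachable("203.0.113.1", "192.0.2.10", "192.0.2.10", "198.51.100.7"),
    build_unreachable("203.0.113.1", "192.0.2.10", "192.0.2.10", "198.51.100.9"),
    build_unreachable("203.0.113.2", "192.0.2.10", "192.0.2.10", "198.51.100.20"),
    build_unreachable("203.0.113.2", "192.0.2.255", "192.0.2.255", "198.51.100.21"),
]
```

Running `classify(SAMPLE, SENT_FLOWS)` attributes one solicited message to 203.0.113.1 and three reflected ones split across both routers; on real captures, `SENT_FLOWS` would come from the firewall's own outbound state table.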