[Dshield] Strange ICMP traffic (many Host Unreachables, random destinations )
kellym at fb00.fb.org
Mon Mar 18 16:26:44 GMT 2002
If this was an attempted reflection attack, it was highly ineffective. 1024
packets over the course of six and a half hours?
I just checked: the distribution is not uniform; some IPs have more hits
than others, and there are some that were omitted. Also, because our
firewall normally permits ICMP type 3 packets to pass through, packets
targeted to addresses with static mappings in the firewall were neither
blocked nor logged by the firewall.
> -----Original Message-----
> From: Tom Geairn [SMTP:tgeairn at newviewconsulting.com]
> Sent: Monday, March 18, 2002 9:57 AM
> To: list at dshield.org
> Subject: RE: [Dshield] Strange ICMP traffic (many Host Unreachables,
> random destinations )
> Another alternative explanation is that you were either the target
> of, or an unwitting bystander to, a DDOS attack.
> Say I spoofed one of your addresses (or even worse, your "broadcast"
> address) and sent pings to some address behind one of the routers you
> listed. Since I used your address to send the packet, the
> host-unreachable would come back to you, not me. If I had a hundred
> machines all doing this, the host-unreachable messages coming back at
> you from all directions could cause havoc.
> It is not unknown to use something like this to overwhelm admins or
> intrusion detection systems while another, more precise, attack is
> going on... such as hunting for a vulnerable SMTP host. It wouldn't
> make much sense to use this to hide a scan for an open relay though,
> as that's such a quick scan.
> -Tom Geairn
> NewView Consulting, LLC