[Dshield] Strange ICMP traffic (many Host Unreachables, random destinations )

Tom Geairn tgeairn at newviewconsulting.com
Mon Mar 18 17:29:24 GMT 2002


 

Kelly-

Yeah, that wouldn't hurt your router much.  Given the low volume,
it's more likely that either your addresses were part of a random set
used to attack someone else (not that your machines were part of the
attack, just the addresses), or that someone out there has
misconfigured their network or router with the same block of
addresses and can't figure out why it's not working.  I'm sure there
are plenty of other reasons as well, but those are the first two that
come to me.

You did not give the address of the subnet that is being hit, is it
anything that is likely to be accidentally used by someone else?  I
have seen problems when a client sets up their internal network using
globally routable addresses that don't belong to them and then
subsequently connects to the Internet (or when they change ISPs and
don't change their addressing).

<RANT>
If the ISPs were doing their job, no packets would get routed that
shouldn't be.  Most ISPs do not do their job.  It's such a simple
matter for the ISP to set up an input filter on the router you
connect to and deny anything but your assigned block, but so few ISPs
do this.  Does anyone know if WorldCom filters traffic in this way
(at least)?  A few years ago, MCI did not and it was not at all
unusual to be getting hundreds of hits to my end of my (then VERY
expensive) T1 from 192.168.x.x addresses.  There is NO reason MCI
should have routed that traffic to anyone.  
</RANT>

-Tom Geairn
NewView Consulting, LLC


-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On
Behalf Of Kelly Martin
Sent: Monday, March 18, 2002 10:27 AM
To: 'list at dshield.org'
Subject: RE: [Dshield] Strange ICMP traffic (many Host Unreachables,
random destinations )

If this was an attempted reflection attack, it was highly
ineffective.  1024 packets over the course of six and a half hours?

I just checked: the distribution is not uniform; some IPs have more
hits than others, and there are some that were omitted.  Also, because
our firewall normally permits icmp type 3 packets to pass through,
packets targeted to addresses with static mappings in the firewall were
neither blocked nor logged by the firewall.

Kelly



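The two checks the thread turns on, whether the ICMP type 3 hits are spread evenly over the block (Kelly's "is the distribution uniform?") and whether any of them come from address space an ingress-filtering ISP would never have forwarded (Tom's 192.168.x.x complaint), can be answered from the firewall log itself. The following is an added example, not code from either poster or from DShield; the log format, the 198.51.100.0/29 block and the addresses in it are constructed for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample firewall log (not from the thread): ICMP hits against a
# monitored block, in a simple "ts proto src -> dst type=N code=N" format.
SAMPLE_LOG = """\
2002-03-18T03:10:02 icmp 203.0.113.7 -> 198.51.100.2 type=3 code=1
2002-03-18T03:10:05 icmp 203.0.113.7 -> 198.51.100.5 type=3 code=1
2002-03-18T04:12:40 icmp 192.168.4.9 -> 198.51.100.2 type=3 code=1
2002-03-18T05:30:11 icmp 203.0.113.22 -> 198.51.100.2 type=3 code=1
2002-03-18T09:41:59 icmp 203.0.113.7 -> 198.51.100.6 type=3 code=1
2002-03-18T09:42:03 icmp 203.0.113.7 -> 198.51.100.3 type=8 code=0
"""

# RFC 1918 space should never arrive as a source over an Internet link; a hit
# from here is direct evidence that the upstream is not ingress-filtering.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    f = line.split()
    if len(f) != 7 or f[1] != "icmp" or f[3] != "->":
        return None
    return {"ts": datetime.fromisoformat(f[0]),
            "src": ipaddress.ip_address(f[2]),
            "dst": ipaddress.ip_address(f[4]),
            "type": int(f[5].split("=")[1]),
            "code": int(f[6].split("=")[1])}

def analyze_unreachables(log_text, monitored_cidr):
    """Summarise ICMP type 3 hits on the monitored block: count per target,
    targets never hit, bogon sources and the average rate per hour."""
    net = ipaddress.ip_network(monitored_cidr)
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r and r["type"] == 3 and r["dst"] in net]
    per_dst = Counter(str(r["dst"]) for r in hits)
    bogons = sorted({str(r["src"]) for r in hits
                     if any(r["src"] in b for b in BOGON_NETS)})
    omitted = [str(h) for h in net.hosts() if str(h) not in per_dst]
    stamps = [r["ts"] for r in hits]
    span_h = (max(stamps) - min(stamps)).total_seconds() / 3600 if hits else 0
    rate = len(hits) / span_h if span_h else float(len(hits))
    return {"total": len(hits), "per_dst": dict(per_dst), "omitted": omitted,
            "bogon_sources": bogons, "rate_per_hour": round(rate, 2)}

if __name__ == "__main__":
    print(analyze_unreachables(SAMPLE_LOG, "198.51.100.0/29"))
```

A heavily skewed per-destination count with several block addresses never hit points away from a source that picked your addresses at random, while any entry in bogon_sources is a question for the upstream rather than for the firewall.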