[Dshield] ICMP Scanning (flood)

Eric Hines eric.hines at appliedwatch.com
Tue Mar 2 21:59:35 GMT 2004


All,

I am seeing a Windows server flood a network with ICMP packets of type 17 
(Netmask Request). See packet below. All of these packets are going out so fast 
that we're seeing 50-100 per second! Has anyone seen this ICMP type code used 
legitimately by any applications? More importantly, Google has turned up 
nothing on worms that use this ICMP type, just an option in scanners/tools.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source IP:  10.40.48.250 
Source Port:  0 
Dest IP:  10.40.25.153 
Dest Port:  0 
Time:  03/02/2004 15:15 
Protocol:  icmp 
Count:  1 


IP HDR:   45 00 00 20 07 B2 00 00 01 01 53 49 0A 28 30 FA 0A 28 19 99 
ICMP HDR: 11 00 E6 04 01 49 07 B2
Data:     00 00 00 00

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=




BRDS,
Eric Hines, GCIA
CEO, President
Applied Watch Technologies, Inc.



-------------------------------------------
Eric Hines, GCIA
CEO, Chairman
Applied Watch Technologies, Inc.
web: http://www.appliedwatch.com
email: eric.hines at appliedwatch.com
-------------------------------------------
Direct: (877) 262-7593 - Toll Free x327
Fax: (815) 425-2173
General: (877) 262-7593 (9am-5pm CST)
-------------------------------------------
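
The packet dump in the message above can be decoded field by field. The following is an added example, not part of the original post: it parses the posted bytes, names the ICMP type, and validates the IP and ICMP checksums per RFC 1071. The function and dictionary key names are assumptions made for this example.

```python
import struct
from ipaddress import IPv4Address

# Bytes copied from the packet dump in the post above.
IP_HDR = bytes.fromhex("4500002007B20000010153490A2830FA0A281999")
ICMP_HDR = bytes.fromhex("1100E604014907B2")
ICMP_DATA = bytes.fromhex("00000000")

ICMP_ADDRESS_MASK_REQUEST = 17  # RFC 950


def inet_checksum_ok(data: bytes) -> bool:
    """RFC 1071: the one's-complement sum over a block that includes a
    correct checksum field folds to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode(ip_hdr: bytes, icmp: bytes) -> dict:
    """Decode a 20-byte IPv4 header (no options) and the ICMP message after it."""
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    icmp_type, code, _icmp_csum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "version": ver_ihl >> 4, "ihl_bytes": (ver_ihl & 0x0F) * 4,
        "total_len": total_len, "ip_id": ip_id, "ttl": ttl, "proto": proto,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "icmp_type": icmp_type, "icmp_code": code,
        "icmp_id": icmp_id, "icmp_seq": seq,
        "mask_field": icmp[8:12].hex(),
        "ip_checksum_ok": inet_checksum_ok(ip_hdr),
        "icmp_checksum_ok": inet_checksum_ok(icmp),
        "length_consistent": total_len == len(ip_hdr) + len(icmp),
    }


if __name__ == "__main__":
    for field, value in decode(IP_HDR, ICMP_HDR + ICMP_DATA).items():
        print(f"{field:18} {value}")
```

For the bytes in the post, both checksums verify, the IP total length (32) matches the 20 + 8 + 4 bytes shown, the TTL is 1, and the ICMP sequence number equals the IP ID (0x07B2).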