[Dshield] RE: ICMP Scanning (flood)

James C Slora Jr Jim.Slora at phra.com
Fri Mar 5 05:42:07 GMT 2004


Eric Hines wrote Tuesday, March 02, 2004 17:00

> I am seeing a Windows server flood a network with ICMP 
> packets of type 17 (Netmask Request). See packet below. All 
> of these packets are going out so fast that we're seeing 
> 50-100 per second! Has anyone seen this ICMP type code used 
> legitimately by any applications? More importantly, google 
> has turned up nothing on worms that use this ICMP type, just 
> an option in scanners/tools.

It does get used legitimately, but it shouldn't flood the network either.

Possibilities to consider:
- Netmask misconfiguration on either system
- NIC with outdated driver (I've seen similar on Intel Pro series, resolved by update)
- Network boot configuration
- Other configuration or hardware issues

> Source IP:  10.40.48.250
> Source Port:  0
> Dest IP:  10.40.25.153
> Dest Port:  0
> Time:  03/02/2004 15:15
> Protocol:  icmp
> Count:  1 
> 
> 
> IP HDR:   45 00 00 20 07 B2 00 00 01 01 53 49 0A 28 30 FA 0A 28 19 99 
> ICMP HDR: 11 00 E6 04 01 49 07 B2
> Data:     00 00 00 00
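
The packet dump quoted above, decoded field by field with both checksums verified. This is an added example, not part of the original message; the function names (inet_checksum_ok, decode_dump) are chosen here for illustration, and the bytes are copied from the dump.

```python
import socket
import struct

# Bytes copied from the "IP HDR", "ICMP HDR" and "Data" lines of the dump above.
IP_HDR = bytes.fromhex("45 00 00 20 07 B2 00 00 01 01 53 49 0A 28 30 FA 0A 28 19 99")
ICMP_MSG = bytes.fromhex("11 00 E6 04 01 49 07 B2 00 00 00 00")


def inet_checksum_ok(data: bytes) -> bool:
    """RFC 1071: summing a block that includes its own checksum gives 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_dump(ip_hdr: bytes, icmp_msg: bytes) -> dict:
    """Decode a 20-byte IPv4 header and an ICMP address mask message (RFC 950)."""
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    icmp_type, code, _icsum, ident, seq = struct.unpack("!BBHHH", icmp_msg[:8])
    return {
        "version": ver_ihl >> 4,
        "header_len": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
        "length_consistent": total_len == len(ip_hdr) + len(icmp_msg),
        "ip_id": ip_id,
        "ttl": ttl,
        "protocol": proto,                      # 1 = ICMP
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "icmp_type": icmp_type,                 # 17 = Address Mask Request
        "icmp_code": code,
        "icmp_id": ident,
        "icmp_seq": seq,
        "address_mask": socket.inet_ntoa(icmp_msg[8:12]),
        "ip_checksum_ok": inet_checksum_ok(ip_hdr),
        "icmp_checksum_ok": inet_checksum_ok(icmp_msg),
    }


if __name__ == "__main__":
    for field, value in decode_dump(IP_HDR, ICMP_MSG).items():
        print(f"{field:18} {value}")
```

The decode shows a well-formed request (both checksums valid, mask field zeroed) sent with an IP TTL of 1, so a router would discard it rather than forward it.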




