[Dshield] Sanity check

Esler, Joel - Contractor joel.esler at rcert-s.army.mil
Wed Oct 13 13:02:48 GMT 2004

What would be the point of an unsolicited ICMP time exceeded in transit?
I am receiving ICMP time exceeded in transit messages for (what the box
is reporting as) 

"x.x.x.x.22042 > [no cksum] udp 808 [ttl 1] (id
56983, len 836) [tos 0xc0]  (ttl 245, id 40778, len 56)"

What would the point be in this?  Fingerprinting?  I did see several
attempts to different subnets, specific IPs and broadcast...  I am
guessing just to see what will get past the ACLs.  But... A one way
error message would not receive a response... And no responses were
noted...  No outbound traffic was noted...

Joel Esler, GCIA
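
An added example, not part of the original post: one way to triage this kind of alert is to pull the datagram quoted inside each ICMP time-exceeded message and check it against flows the network actually sent. The function names, the flow-table layout, the documentation-range addresses and the destination port are assumptions; the ttl, id, len, tos and source-port values in the constructed sample mirror the tcpdump line above.

```python
import socket
import struct

def parse_time_exceeded(pkt):
    """Return the TCP/UDP datagram quoted inside an ICMP time-exceeded-in-transit
    message (type 11, code 0) as a dict, or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8:    # protocol 1 = ICMP
        return None
    if (pkt[ihl], pkt[ihl + 1]) != (11, 0):
        return None
    inner = pkt[ihl + 8:]            # quoted IP header + first 8 payload bytes
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    iihl = (inner[0] & 0x0F) * 4
    if iihl < 20 or len(inner) < iihl + 4 or inner[9] not in (6, 17):
        return None
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return {"reporter": socket.inet_ntoa(pkt[12:16]), "proto": inner[9],
            "ttl": inner[8], "src": socket.inet_ntoa(inner[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(inner[16:20]), "dport": dport}

def is_solicited(quoted, outbound_flows):
    """True when the quoted datagram matches a flow our side really sent.
    outbound_flows is an assumed set of (proto, src, sport, dst, dport)."""
    key = (quoted["proto"], quoted["src"], quoted["sport"],
           quoted["dst"], quoted["dport"])
    return key in outbound_flows

def build_sample(reporter, receiver, src, sport, dst, dport):
    """Constructed packet: ICMP 11/0 quoting a UDP datagram with ttl 1.
    Checksums are left at zero; the parser above does not verify them."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 836, 56983, 0, 1, 17, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    inner += struct.pack("!HHHH", sport, dport, 816, 0)   # UDP header only
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(icmp), 40778, 0,
                        245, 1, 0, socket.inet_aton(reporter),
                        socket.inet_aton(receiver))
    return outer + icmp

if __name__ == "__main__":
    pkt = build_sample("203.0.113.1", "192.0.2.10",
                       "192.0.2.10", 22042, "198.51.100.7", 33434)
    quoted = parse_time_exceeded(pkt)
    flows = set()   # constructed: no outbound traffic was logged
    print(quoted, "solicited" if is_solicited(quoted, flows) else "UNSOLICITED")
```

A quoted source address that belongs to the local network but has no matching outbound flow means the error refers to a datagram the network has no record of sending.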
