[Dshield] Sanity check

Esler, Joel - Contractor joel.esler at rcert-s.army.mil
Wed Oct 13 13:02:48 GMT 2004


What would be the point of an unsolicited ICMP time exceeded in transit?
I am receiving ICMP time exceeded in transit messages for (what the box
is reporting as) 

"x.x.x.x.22042 > 216.240.184.97.1027 [no cksum] udp 808 [ttl 1] (id
56983, len 836) [tos 0xc0]  (ttl 245, id 40778, len 56)"

What would the point be in this?  Fingerprinting?  I did see several
attempts to different subnets, specific IPs and broadcast...  I am
guessing just to see what will get past the ACLs.  But... A one way
error message would not receive a response... And no responses were
noted...  No outbound traffic was noted...

Joel Esler, GCIA
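An ICMP "time exceeded in transit" message (type 11) carries the IP header and first 8 bytes of the datagram that supposedly expired, which is what the inner `x.x.x.x.22042 > 216.240.184.97.1027` line in the post is showing. The check a defender wants is the one the post reasons through by hand: parse that quoted packet and ask whether the local side ever sent it. The following is an added example, not code from the post or the list; it constructs a sample message with the quoted fields from the post (UDP 22042 to 1027, ttl 1, tos 0xc0, id 56983, len 836), uses 192.0.2.0/24 as a stand-in for the anonymized `x.x.x.x` netblock, and represents the outbound flow table as a plain set of 5-tuples.

```python
import ipaddress
import struct

# Assumed local netblock standing in for the post's anonymized x.x.x.x source.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def ip_checksum(data: bytes) -> int:
    """Standard Internet ones-complement checksum (used for IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, ttl, tos, ident, payload_len):
    """Build a 20-byte IPv4 header with a valid checksum (sample construction only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0,
                      ttl, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def icmp_time_exceeded(inner_ip_hdr, inner_l4_first8):
    """ICMP type 11 code 0: 4-byte header, 4 unused bytes, then the quoted
    IP header plus the first 8 bytes of its payload (RFC 792 layout)."""
    icmp = struct.pack("!BBH", 11, 0, 0) + b"\x00" * 4 + inner_ip_hdr + inner_l4_first8
    return icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]


def example_message() -> bytes:
    """Constructed sample mirroring the tcpdump line in the post: udp payload 808
    (UDP length 816, IP len 836), sport 22042, dport 1027, no UDP checksum."""
    udp = struct.pack("!HHHH", 22042, 1027, 816, 0)
    inner_ip = ipv4_header("192.0.2.10", "216.240.184.97", 17,
                           ttl=1, tos=0xC0, ident=56983, payload_len=816)
    return icmp_time_exceeded(inner_ip, udp)


def parse_time_exceeded(icmp: bytes) -> dict:
    """Return the fields of the datagram quoted inside an ICMP time exceeded message."""
    icmp_type, code, _ = struct.unpack("!BBH", icmp[:4])
    if icmp_type != 11:
        raise ValueError("not an ICMP time exceeded message (type %d)" % icmp_type)
    if ip_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    (_, tos, total_len, ident, _, ttl, proto, _, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", inner[:20])
    l4 = inner[ihl:ihl + 8]
    # For TCP and UDP the first 4 quoted payload bytes are the port pair.
    sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) else (None, None)
    return {"code": code, "src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)), "proto": proto, "ttl": ttl,
            "tos": tos, "id": ident, "len": total_len, "sport": sport, "dport": dport}


def unsolicited_reasons(quoted: dict, outbound_flows) -> list:
    """Explain why an ICMP error is unsolicited. outbound_flows is an assumed
    record of (src, sport, dst, dport, proto) tuples the local side actually sent."""
    reasons = []
    src = ipaddress.ip_address(quoted["src"])
    if not any(src in p for p in OUR_PREFIXES):
        reasons.append("quoted source %s is not in our address space" % src)
    key = (quoted["src"], quoted["sport"], quoted["dst"], quoted["dport"], quoted["proto"])
    if key not in outbound_flows:
        reasons.append("no matching outbound flow recorded for quoted packet")
    return reasons


if __name__ == "__main__":
    q = parse_time_exceeded(example_message())
    print("quoted:", q)
    print("with empty flow table:", unsolicited_reasons(q, set()))
```

Run against a real capture, the flow-table set would come from whatever the sensor logged outbound; an error whose quoted packet matches nothing you sent is noise at best and a probe at worst, and either way it needs no reply, which matches the post's observation that no responses or outbound traffic followed.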


