scans from

Dave Ellingsberg dave.ellingsberg at
Wed Feb 4 18:31:10 GMT 2004

This box was sending hundreds of ICMP (3.10) Destination Unreachable
Communication Administratively Prohibited packets to our networks.  We
have a class B and one C and part of another C.  It was scattering the
packets across all of our address space. 

The packet appears to be spoofed.  The original data suggests 4 hosts
receiving data on port 80 are being rejected by multiple hosts from our
domain.  We have confirmed unused addresses being targeted on our end,
in other words there is no host on our end to have tried a connection to
port 80 as implied in the data.

Our thought is this is someone trying to contact bots to phone home. 
There is some correlation of data to confirm this theory.  Some of the
targeted hosts have made contact on port 80 with the source host, as
shown in the ICMP data, approx. 12 hours after the spoofed packet arrived on
our network.  Note this did not cause an ICMP (3.10).

We first noticed this in snort and confirmed it in netflow.

Anyone see this same attack or know more about the operation of it?


The above info is strictly my interpretation and does not reflect the
attitudes or opinions of my employers.  If this message contains
anything that may or may not reflect a proper legal opinion, please
consult higher authorities for a proper legal opinion!    

Dave Ellingsberg        WAN Specialist
Cell phone  1 507 381 2051 try my home number first
Home phone  1 507 354 8772
Bigfoot at
Ellingda at
Office Phone 507-354-8772
    It will be a great day when our schools have
    all the money they need and the Twins
     have to hold a bake sale to build a new stadium.
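Added example, not part of the original post or of Snort: the check the post describes can be done by decoding each ICMP type 3 / code 10 datagram and pulling out the quoted original packet (inner IPv4 header plus the first 8 bytes of its payload, per RFC 792). The quoted header names the address in your space that the remote router claims sent a TCP packet to port 80; if nothing is live on that address, the quoted packet was spoofed and the ICMP is backscatter. All addresses, the list of live hosts and the sample frames below are constructed from RFC 5737 documentation ranges; the function names are assumptions of this example.

```python
# Added example (not from the original post): decode ICMP 3/10 backscatter and
# use the quoted inner header to test the spoofing theory. Addresses, live-host
# list and sample frames are constructed (RFC 5737 documentation ranges).
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
ICMP_DEST_UNREACH = 3
ICMP_ADMIN_PROHIBITED = 10  # the "3.10" in the post


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(buf):
    """Return (header length, protocol, src, dst) for an IPv4 header."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header")
    return ihl, proto, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def build_admin_prohibited(router, claimed_src, claimed_dst, claimed_dport):
    """Construct an ICMP 3/10 frame that quotes a TCP SYN claimed_src -> claimed_dst."""
    # Quoted original: inner IPv4 header + first 8 bytes of TCP (ports, seq).
    inner_l4 = struct.pack("!HHI", 40000, claimed_dport, 0x12345678)
    inner = ipv4_header(claimed_src, claimed_dst, IPPROTO_TCP, 20) + inner_l4
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, 0, 0) + inner
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, claimed_src, IPPROTO_ICMP, len(icmp)) + icmp


def parse_unreachable(frame):
    """Decode an ICMP Destination Unreachable frame; None if it is not one."""
    ihl, proto, router, target = parse_ipv4_header(frame)
    if proto != IPPROTO_ICMP:
        return None
    icmp = frame[ihl:]
    if len(icmp) < 8:
        return None
    itype, icode, _, _ = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMP_DEST_UNREACH or inet_checksum(icmp) != 0:
        return None
    quoted = icmp[8:]  # the original datagram the router says it rejected
    in_ihl, in_proto, claimed_src, claimed_dst = parse_ipv4_header(quoted)
    dport = None
    if in_proto == IPPROTO_TCP and len(quoted) >= in_ihl + 4:
        _, dport = struct.unpack("!HH", quoted[in_ihl:in_ihl + 4])
    return {"router": router, "to": target, "code": icode, "claimed_src": claimed_src,
            "claimed_dst": claimed_dst, "claimed_dport": dport}


def classify(pkt, our_nets, live_hosts):
    """Test the post's theory: the quoted source is ours but no host lives there."""
    src = ipaddress.IPv4Address(pkt["claimed_src"])
    ours = any(src in net for net in our_nets)
    if pkt["code"] != ICMP_ADMIN_PROHIBITED:
        return "other-unreachable"
    if ours and pkt["claimed_src"] not in live_hosts:
        return "spoofed-backscatter"  # nobody on our side could have sent that SYN
    if ours:
        return "genuine-reject"       # a live host of ours really was blocked
    return "not-our-address"


def summarize(frames, our_nets, live_hosts):
    """Per-sender counts of spoofed vs genuine rejects and the port-80 targets quoted."""
    report = {}
    for frame in frames:
        pkt = parse_unreachable(frame)
        if pkt is None:
            continue
        entry = report.setdefault(pkt["router"], {"spoofed": 0, "genuine": 0, "targets": set()})
        verdict = classify(pkt, our_nets, live_hosts)
        if verdict == "spoofed-backscatter":
            entry["spoofed"] += 1
        elif verdict == "genuine-reject":
            entry["genuine"] += 1
        if pkt["claimed_dport"] == 80:
            entry["targets"].add(pkt["claimed_dst"])
    return report


# Constructed sample: two /24s standing in for the site's space, the hosts netflow
# shows as real, and four ICMP 3/10 frames from two remote routers.
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
LIVE_HOSTS = {"192.0.2.10", "198.51.100.5"}
SAMPLE = [
    build_admin_prohibited("203.0.113.7", "192.0.2.77", "203.0.113.200", 80),
    build_admin_prohibited("203.0.113.7", "192.0.2.130", "203.0.113.201", 80),
    build_admin_prohibited("203.0.113.7", "198.51.100.5", "203.0.113.200", 80),
    build_admin_prohibited("203.0.113.9", "198.51.100.44", "203.0.113.202", 443),
]

if __name__ == "__main__":
    for router, entry in summarize(SAMPLE, OUR_NETS, LIVE_HOSTS).items():
        print(router, entry)
```

The `targets` set is what the post calls the hosts "receiving data on port 80" in the ICMP data; those are the addresses worth watching in netflow for later outbound port-80 connections from your own hosts. The ICMP checksum is verified before the quoted header is trusted, and the outer destination (`to`) should normally equal `claimed_src`, since a router sends the unreachable back to the quoted source.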
