Security Incidents mailing list archives

strange ICMP traffic?


From: Kevin van Haaren <kevinv () HOCKEY NET>
Date: Sun, 3 Dec 2000 09:26:47 -0600

Perhaps someone can help me understand what's showing up in my logs.
My firewall is showing a number of blocked ICMP packets as shown
below.  A machine on an IP address right next to mine doesn't show
this traffic so it appears to be targeted at me (I can't imagine why,
this is just a home network).  Since the sending machines are using
Parameter 8, to Parameter 0 on my machine this is a ping response
(echo reply)?  Or is it requesting a ping reply from my machine?

Times are GMT -6
Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1
146.101.78.130:8 <fw>:0 L=84 S=0x00 I=23942 F=0x0000 T=50 (#177)
Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1
193.214.57.194:8 <fw>:0 L=84 S=0x00 I=55656 F=0x0000 T=51 (#177)
Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1
38.144.121.2:8 <fw>:0 L=84 S=0x00 I=35586 F=0x0000 T=51 (#177)
Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1
209.155.224.130:8 <fw>:0 L=84 S=0x00 I=14292 F=0x0000 T=54 (#177)
Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1
209.83.178.130:8 <fw>:0 L=84 S=0x00 I=53725 F=0x0000 T=54 (#177)
Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1
63.236.103.130:8 <fw>:0 L=84 S=0x00 I=6679 F=0x0000 T=52 (#177)
Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1
216.6.49.9:8 <fw>:0 L=84 S=0x00 I=4905 F=0x0000 T=55 (#177)
Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1
202.160.241.130:8 <fw>:0 L=84 S=0x00 I=12589 F=0x0000 T=48 (#177)
Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1
211.2.249.194:8 <fw>:0 L=84 S=0x00 I=63305 F=0x0000 T=49 (#177)
Dec  2 22:43:22 wakko kernel: Packet log: input DENY eth1 PROTO=1
202.144.78.2:8 <fw>:0 L=84 S=0x00 I=11481 F=0x0000 T=52 (#177)

This is one wave.  Same IPs (although I saw similar behavior from a
different set of IPs a day or so ago).  It goes on for a few minutes
then stops.

I've run down the IPs via whois to belong to:
146.101.78.130 - psinet-uk
193.214.57.194 - nobody?
38.144.121.2 - psinet
209.155.224.130 - crl.com
209.83.178.130 - savvis communications
63.236.103.130 - Speedera Networks
216.6.49.9 - Speedera Networks
202.160.241.130 - ConnectPlus Singapore
211.2.249.194 - psinet-japan
202.144.78.2 - duponnet (India)

I've not reported this to them (if these are ping responses does that
mean someone may be spoofing my IP in a ping flood to these other
networks?).

Kevin
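The log lines above are ipchains "Packet log" entries, and for PROTO=1 (ICMP) ipchains puts the ICMP type in the field after the source address and the ICMP code in the field after the destination address, so `src:8 dst:0` is type 8, code 0: an echo request, i.e. someone pinging the firewall, with L=84 being the usual 20-byte IP header plus 8-byte ICMP header plus 56 bytes of ping payload. The following parser is an added example, not part of the original post or of ipchains: it decodes these lines, names the ICMP type, and groups inbound echo requests into short windows so that a burst of requests from many distinct sources within a few seconds (the "wave" described above) can be flagged for review. The sample input is the post's own log lines with the wrapped halves joined; the window and source-count thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the post's ten wrapped log lines, each joined into one line.
SAMPLE_LOG = [
    "Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1 146.101.78.130:8 <fw>:0 L=84 S=0x00 I=23942 F=0x0000 T=50 (#177)",
    "Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1 193.214.57.194:8 <fw>:0 L=84 S=0x00 I=55656 F=0x0000 T=51 (#177)",
    "Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1 38.144.121.2:8 <fw>:0 L=84 S=0x00 I=35586 F=0x0000 T=51 (#177)",
    "Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1 209.155.224.130:8 <fw>:0 L=84 S=0x00 I=14292 F=0x0000 T=54 (#177)",
    "Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1 209.83.178.130:8 <fw>:0 L=84 S=0x00 I=53725 F=0x0000 T=54 (#177)",
    "Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1 63.236.103.130:8 <fw>:0 L=84 S=0x00 I=6679 F=0x0000 T=52 (#177)",
    "Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1 216.6.49.9:8 <fw>:0 L=84 S=0x00 I=4905 F=0x0000 T=55 (#177)",
    "Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1 202.160.241.130:8 <fw>:0 L=84 S=0x00 I=12589 F=0x0000 T=48 (#177)",
    "Dec  2 22:43:21 wakko kernel: Packet log: input DENY eth1 PROTO=1 211.2.249.194:8 <fw>:0 L=84 S=0x00 I=63305 F=0x0000 T=49 (#177)",
    "Dec  2 22:43:22 wakko kernel: Packet log: input DENY eth1 PROTO=1 202.144.78.2:8 <fw>:0 L=84 S=0x00 I=11481 F=0x0000 T=52 (#177)",
]

# One ipchains "Packet log:" line. For PROTO=1 the sfield/dfield groups hold
# the ICMP type and code; for TCP/UDP they hold source and destination ports.
LOG_RE = re.compile(
    r"^(?P<month>[A-Za-z]{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: Packet log: (?P<chain>\S+) (?P<verdict>\S+) "
    r"(?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sfield>\d+) (?P<dst>\S+):(?P<dfield>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \((?P<rule>#\d+)\))?$"
)

# Common ICMP types (RFC 792); anything else is reported as "type-N".
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 5: "redirect",
              8: "echo-request", 11: "time-exceeded"}


def parse_line(line, year=2000):
    """Parse one ipchains log line into a dict, or return None if it does not match.
    Syslog lines carry no year, so the caller supplies it (assumed 2000 here)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(f"{year} {d['month']} {d['day']} {d['time']}",
                           "%Y %b %d %H:%M:%S")
    rec = {"ts": ts, "iface": d["iface"], "verdict": d["verdict"],
           "proto": int(d["proto"]), "src": d["src"], "dst": d["dst"],
           "length": int(d["length"]), "ttl": int(d["ttl"])}
    if rec["proto"] == 1:
        rec["icmp_type"] = int(d["sfield"])
        rec["icmp_code"] = int(d["dfield"])
        rec["icmp_name"] = ICMP_TYPES.get(rec["icmp_type"], f"type-{rec['icmp_type']}")
    else:
        rec["sport"], rec["dport"] = int(d["sfield"]), int(d["dfield"])
    return rec


def find_echo_request_waves(records, window_seconds=5, min_sources=5):
    """Group inbound echo requests (type 8) by time window and return the windows
    in which at least min_sources distinct source addresses appear."""
    reqs = sorted((r for r in records if r.get("icmp_type") == 8), key=lambda r: r["ts"])
    waves, i = [], 0
    while i < len(reqs):
        start = reqs[i]["ts"]
        group = [r for r in reqs[i:] if (r["ts"] - start).total_seconds() <= window_seconds]
        sources = sorted({r["src"] for r in group})
        if len(sources) >= min_sources:
            waves.append({"start": start, "end": group[-1]["ts"], "count": len(group),
                          "sources": sources, "ttls": sorted({r["ttl"] for r in group})})
        i += len(group)  # advance past this window, whether or not it was reported
    return waves


def summarize(lines, **wave_opts):
    """Parse all lines, count ICMP packets by type name, and report waves."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    by_type = Counter(r["icmp_name"] for r in recs if r["proto"] == 1)
    return {"parsed": len(recs), "by_type": dict(by_type),
            "waves": find_echo_request_waves(recs, **wave_opts)}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["parsed"], "lines parsed; ICMP by type:", s["by_type"])
    for w in s["waves"]:
        print(f"wave {w['start']:%H:%M:%S}-{w['end']:%H:%M:%S}: {w['count']} echo requests "
              f"from {len(w['sources'])} sources, TTLs {w['ttls']}")
```

Run against the sample, the summary reports ten echo requests from ten distinct sources inside a single two-second window, which is the pattern the post calls a wave. The TTLs (48 to 55) and the differing source networks are consistent with many separate hosts, each at its own hop distance, sending the requests themselves rather than with one host spoofing them; and because these are requests, not replies, the logged traffic is not by itself evidence that the firewall's address is being spoofed in a flood elsewhere (that scenario would typically show up as unsolicited type 0 echo replies). For routine use, feed the parser a rolling tail of the kernel log and tune `window_seconds` and `min_sources` to the site's normal ping volume.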

