Security Incidents mailing list archives
Re: Tons of ping activity?
From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Fri, 29 Dec 2000 18:39:50 +0100
On Thu, 28 Dec 2000, Steve Cody wrote:
Dec 27 16:19:26 brimstone kernel: Packet log: input DENY eth0 PROTO=1 207.239.230.33:11 255.255.255.255:0 L=56 S=0xC0 I=43238 F=0x0000 T=244
These datagrams are not pings (ICMP Echo) but ICMP Time Exceeded / TTL Count Exceeded (type 11, code 0). Surprisingly, I have observed something similar here, only the destination address was a little bit saner:

Dec 27 02:46:51 kerberos2 kernel: IP dest[3] DENY eth1 ICMP 207.239.230.33:11 195.113.28.0:0 L=56 S=0xC0 I=44541 F=0x0000 T=242
Dec 27 02:49:34 kerberos2 kernel: IP dest[4] DENY eth1 ICMP 210.57.16.44:11 195.113.29.0:0 L=56 S=0xC0 I=64839 F=0x0000 T=238
Dec 27 03:00:06 kerberos2 kernel: IP dest[3] DENY eth1 ICMP 207.239.230.33:11 195.113.28.0:0 L=56 S=0xC0 I=51856 F=0x0000 T=242
Dec 27 03:02:20 kerberos2 kernel: IP dest[3] DENY eth1 ICMP 202.84.206.1:11 195.113.28.0:0 L=56 S=0xC0 I=35147 F=0x0000 T=239

It appears someone is polluting the Net with forged datagrams having short TTL and bogus source addresses, and those datagrams are bounced back to those forged addresses... this would explain the garbage intercepted by my own packet filter, but how datagrams addressed to 255.255.255.255 could get to you is a mystery to me. (The routers sending them do not have a direct connection to your machine, do they?) Something really screwy must be taking place here.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
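The point of the reply is that in an ipchains log the two numbers after the addresses are the ICMP type and code when PROTO=1/ICMP, not ports, so "207.239.230.33:11 ... :0" means Time Exceeded, code 0. The following parser is an added example, not code from the thread; it reads both log header variants seen above, labels the ICMP type, flags the two oddities discussed (Time Exceeded replies and a 255.255.255.255 destination), and tallies hits per apparent source. The sample lines in the test are the ones quoted in the thread.

```python
import re
from collections import Counter

# ipchains kernel log line, two header variants seen in the thread:
#   "Packet log: input DENY eth0 PROTO=1 <src>:<a> <dst>:<b> L=.. S=.. I=.. F=.. T=.."
#   "IP dest[3] DENY eth1 ICMP <src>:<a> <dst>:<b> L=.. S=.. I=.. F=.. T=.."
# For ICMP, <a> is the ICMP type and <b> the ICMP code, not a port pair.
LOG_RE = re.compile(
    r"(?P<action>DENY|REJECT|ACCEPT)\s+(?P<iface>\S+)\s+"
    r"(?:PROTO=(?P<pnum>\d+)|(?P<pname>[A-Z]+))\s+"
    r"(?P<src>\d+(?:\.\d+){3}):(?P<a>\d+)\s+(?P<dst>\d+(?:\.\d+){3}):(?P<b>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9A-Fa-f]+)\s+I=(?P<ipid>\d+)\s+"
    r"F=(?P<frag>0x[0-9A-Fa-f]+)\s+T=(?P<ttl>\d+)"
)

ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}
PROTO_NAMES = {"ICMP": 1, "TCP": 6, "UDP": 17}

def parse_ipchains(line):
    """Return a dict of fields for one ipchains log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["pnum"]) if d["pnum"] else PROTO_NAMES.get(d["pname"])
    entry = {"action": d["action"], "iface": d["iface"], "proto": proto,
             "src": d["src"], "dst": d["dst"], "length": int(d["length"]),
             "ttl": int(d["ttl"]), "ipid": int(d["ipid"])}
    if proto == 1:  # ICMP: the "port" slots carry type and code
        entry["icmp_type"], entry["icmp_code"] = int(d["a"]), int(d["b"])
        entry["icmp_name"] = ICMP_TYPES.get(entry["icmp_type"], "other")
    else:
        entry["sport"], entry["dport"] = int(d["a"]), int(d["b"])
    return entry

def oddities(entry):
    """Short flags a defender would want to see for one parsed entry."""
    flags = []
    if entry.get("icmp_type") == 11:
        flags.append("time-exceeded: a router bounced an expired packet to this address")
    if entry["dst"] == "255.255.255.255":
        flags.append("limited-broadcast destination: should not arrive through a router")
    return flags

def count_time_exceeded_by_source(lines):
    """Tally ICMP Time Exceeded entries per source router, skipping lines that do not parse."""
    entries = [e for e in map(parse_ipchains, lines) if e and e.get("icmp_type") == 11]
    return Counter(e["src"] for e in entries)
```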