Security Incidents mailing list archives

Re: Sparse ICMP/ACK Scans to Broadcast Addresses


From: spb () MESHUGGENEH NET (Stephen P. Berry)
Date: Mon, 8 May 2000 00:04:58 -0700



lamont () icopyright com writes:

> On Fri, 5 May 2000, Stephen P. Berry wrote:
>
> > Over the past couple days, I've noticed an odd traffic pattern which
> > I haven't observed previously.  The pattern consists of two flavours
> > of traffic:
> >      -An ICMP_ECHO_REQUEST
> >      -An ACK
>
> That's an ACK ping, to detect machines that packet filter ICMP.  NMAP is
> one scanner that will do these kinds of scans.

Yes.  That's why I said I suspected it was a reconnaissance scan.  The
interesting thing isn't that this is an ICMP and ACK scan, it's that it
is:

        -Low volume
        -Only to broadcast addresses (apparently always x.y.z.255 and then
         x.y.z.127)
        -Apparently originates on different networks[0]
        -Is directed at different networks (i.e., it isn't just a patient
         scan of a single hunk of address space)

In other words, the pattern I was asking if anyone else was seeing appears
to be a distinct flavour of ICMP/ACK scan---different enough from the
other sorts of scanning activity I routinely observe to be noteworthy.

-Steve

-----
0     And presumably a reconnaissance scan isn't going to use spoofed
      source addresses with this kind of volume.  So that suggests that
      either it's a tool that multiple people are using, or one person (or
      group) has a number of machines on different networks from which they
      are conducting this scan (or these scans).
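A defender-side detection sketch for the pattern described in this thread (an added example, not code from the original post or from any tool it mentions). It assumes a constructed, simplified flow-record format rather than real capture output; it flags ICMP echo requests and bare-ACK segments sent to x.y.z.255 / x.y.z.127 addresses, then checks whether they arrive from more than one source network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed, simplified flow records (not real capture data):
# "<timestamp> <src> > <dst> <proto> <detail>"
SAMPLE_LOG = """\
2000-05-05T01:10:02 198.51.100.7 > 192.0.2.255 icmp echo-request
2000-05-05T01:10:02 198.51.100.7 > 192.0.2.255 tcp flags=A
2000-05-05T01:10:09 198.51.100.7 > 192.0.2.127 icmp echo-request
2000-05-05T01:10:09 198.51.100.7 > 192.0.2.127 tcp flags=A
2000-05-05T02:44:51 203.0.113.20 > 192.0.2.255 icmp echo-request
2000-05-05T02:44:51 203.0.113.20 > 192.0.2.255 tcp flags=A
2000-05-05T03:02:17 203.0.113.20 > 203.0.113.77 tcp flags=S
2000-05-05T03:15:00 198.51.100.7 > 192.0.2.10 tcp flags=A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) > (\S+) (icmp|tcp) (\S+)$")
BROADCAST_LAST_OCTETS = {255, 127}   # the two last octets seen in the thread

def is_probe(proto, detail):
    """ICMP echo request, or a TCP segment carrying only the ACK flag (ACK ping)."""
    if proto == "icmp":
        return detail == "echo-request"
    return detail == "flags=A"

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, detail = m.groups()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, detail

def find_broadcast_probes(log_text):
    """Return probes aimed at .255/.127 addresses, grouped by source host."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, proto, detail = rec
        if (int(dst) & 0xFF) in BROADCAST_LAST_OCTETS and is_probe(proto, detail):
            hits[src].append((ts, dst, proto))
    return hits

def summarize(hits):
    """Count probes and distinct /24 source and destination networks involved."""
    src_nets = {ipaddress.ip_network(f"{s}/24", strict=False) for s in hits}
    dst_nets = {ipaddress.ip_network(f"{d}/24", strict=False)
                for recs in hits.values() for _, d, _ in recs}
    return {"probes": sum(len(v) for v in hits.values()),
            "source_nets": len(src_nets), "dest_nets": len(dst_nets),
            "distributed": len(src_nets) > 1}
```

Running `summarize(find_broadcast_probes(SAMPLE_LOG))` on the constructed records reports six broadcast-directed probes from two source networks, the "different networks" signal the post singles out.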
