Security Incidents mailing list archives

Possible ICMP DOS spoofed to Nameservers?


From: "Richard Gilman" <rgilman () myndzi com>
Date: Sun, 30 Dec 2001 10:47:06 -0800

I've been seeing ICMP Type 3 Code 13 messages coming from 2 sites and
destined to our name servers. While doing a tcpdump I see no outbound
packets with a destination directed toward the sites sending the ICMP
unreachable messages. So I'm assuming that someone is spoofing the
addresses of our name servers to ping flood the 2 sites. However, we are
only receiving the unreachable messages at a rate of approximately 5 to
10 per minute. What I find interesting is that only our name server
addresses are being spoofed and those name servers are located on 2
entirely different class 'C' address space and at entirely different
physical locations (same domain though). The packet traces show that the
addresses sending the unreachable messages are most likely firewalls or
border routers denying ICMP because the unreachable hosts are not the
ones sending the unreachable messages. I started seeing messages from
one site (Microsoft) at 2001/12/23-00:04:22 PST and the other site
(Keesler Air Force Base) at 2001/12/28-07:17:11 PST and they are still
going as I write this.

Is anyone else seeing anything like this?

Is there a DDOS currently going on that happens to cycle through a list
of name servers as spoofed sources?

Thanks,

Rich
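The correlation Rich did by hand with tcpdump, as an added example that is not part of his post: inbound ICMP type 3 messages are flagged as likely backscatter from spoofed traffic when our side never sent anything to the host the message reports as unreachable. The name server addresses, the simplified record layout and the time window are assumptions, and the records are constructed.

```python
from datetime import datetime, timedelta

# Assumed (constructed) addresses of our name servers.
NAME_SERVERS = {"10.0.1.53", "10.0.2.53"}

# Constructed records in a simplified tcpdump-like shape:
# (timestamp, src, dst, proto, icmp_type, icmp_code, original_dst)
# For inbound ICMP errors, original_dst is the destination of the packet
# quoted inside the ICMP message, i.e. the host reported as unreachable.
# Type 3 code 13 is "communication administratively prohibited", the
# message a filtering router or firewall sends on behalf of a host.
SAMPLE = [
    ("2001-12-28 07:16:50", "10.0.1.53", "192.0.2.10", "udp", None, None, None),
    ("2001-12-28 07:16:52", "192.0.2.1", "10.0.1.53", "icmp", 3, 13, "192.0.2.10"),
    ("2001-12-28 07:17:11", "198.51.100.1", "10.0.2.53", "icmp", 3, 13, "198.51.100.40"),
    ("2001-12-28 07:17:20", "198.51.100.1", "10.0.1.53", "icmp", 3, 13, "198.51.100.40"),
    ("2001-12-28 07:17:33", "203.0.113.2", "10.0.1.53", "icmp", 3, 1, "203.0.113.99"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_backscatter(records, window=timedelta(seconds=120)):
    """Return inbound ICMP type-3 messages for which none of our name servers
    sent a packet to the reported-unreachable host within `window` before."""
    last_outbound = {}  # destination -> time we last sent it a packet
    suspicious = []
    for ts, src, dst, proto, itype, icode, orig_dst in sorted(records, key=lambda r: r[0]):
        t = parse_ts(ts)
        if src in NAME_SERVERS:
            last_outbound[dst] = t  # genuine outbound traffic from us
            continue
        if dst in NAME_SERVERS and proto == "icmp" and itype == 3:
            sent = last_outbound.get(orig_dst)
            if sent is None or t - sent > window:
                # Nobody here talked to orig_dst: the quoted packet carried
                # a spoofed source, and this is the reply bouncing back to us.
                suspicious.append((ts, src, icode, orig_dst))
    return suspicious


def reporters_by_count(suspicious):
    """Count flagged messages per reporting address (router/firewall)."""
    counts = {}
    for _, src, _, _ in suspicious:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for row in find_backscatter(SAMPLE):
        print("backscatter:", row)
    print(reporters_by_count(find_backscatter(SAMPLE)))
```

The second record is not flagged because we really did send to 192.0.2.10 two seconds earlier; the reporter being a different address from the unreachable host matches what the post describes.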



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
