Security Incidents mailing list archives
Possible ICMP DOS spoofed to Nameservers?
From: "Richard Gilman" <rgilman () myndzi com>
Date: Sun, 30 Dec 2001 10:47:06 -0800
I've been seeing ICMP Type 3 Code 13 messages coming from 2 sites and destined to our name servers. While doing a tcpdump I see no outbound packets with a destination directed toward the sites sending the ICMP unreachable messages. So I'm assuming that someone is spoofing the addresses of our name servers to ping flood the 2 sites. However, we are only receiving the unreachable messages at a rate of approximately 5 to 10 per minute.

What I find interesting is that only our name server addresses are being spoofed, and those name servers are located on 2 entirely different class 'C' address spaces and at entirely different physical locations (same domain though). The packet traces show that the addresses sending the unreachable messages are most likely firewalls or border routers denying ICMP, because the unreachable hosts are not the ones sending the unreachable messages.

I started seeing messages from one site (Microsoft) at 2001/12/23-00:04:22 PST and the other site (Keesler Air Force Base) at 2001/12/28-07:17:11 PST, and they are still going as I write this.

Is anyone else seeing anything like this? Is there a DDoS currently going on that happens to cycle through a list of name servers as spoofed sources?

Thanks,
Rich

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
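The two checks the post applies by hand (does the device sending the ICMP error differ from the host the rejected packet was addressed to, and did we ever transmit the packet quoted inside the error) written out as an added Python example. This is not code from the original post or from the list; the addresses, the outbound-flow table and the packets are constructed test data, and the helper and function names are this example's own.

```python
"""Classify inbound ICMP Destination Unreachable messages as backscatter.

Added example, not from the original post. A host whose address is being
spoofed receives ICMP errors for packets it never sent; each error quotes the
IP header (plus 8 bytes) of the rejected packet, so we can (1) see who the
quoted packet was addressed to and (2) check it against what we actually
transmitted. All addresses and packets below are constructed.
"""
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_CODE_ADMIN_PROHIBITED = 13   # "communication administratively prohibited"
ICMP_CODE_PORT_UNREACH = 3

VERDICT_SPOOFED = "backscatter: we never sent the quoted packet (our address is being spoofed)"
VERDICT_OURS = "rejection of traffic we really sent"


@dataclass
class UnreachableReport:
    reporter: str                   # outer IP source: device that generated the ICMP error
    code: int
    inner_src: str                  # quoted header: claimed sender of the rejected packet
    inner_dst: str                  # quoted header: where the rejected packet was going
    inner_proto: int
    reporter_is_intermediate: bool  # reporter != inner_dst: a firewall/router spoke, not the host
    matches_outbound: bool
    verdict: str


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; parsing does not need it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_icmp_unreachable(reporter, code, quoted_src, quoted_dst, quoted_proto=socket.IPPROTO_ICMP,
                           quoted_l4=b"\x08\x00\x00\x00\x00\x01\x00\x01"):
    """Constructed sample: an ICMP type 3 error as a router/firewall would emit it.

    The error goes back to the *claimed* source of the rejected packet, which is
    why a spoofed name server sees errors for traffic it never originated.
    quoted_l4 is the first 8 bytes of the rejected transport header (an echo
    request by default); the classifier does not examine them.
    """
    quoted = ipv4_header(quoted_src, quoted_dst, quoted_proto, len(quoted_l4)) + quoted_l4
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return ipv4_header(reporter, quoted_src, socket.IPPROTO_ICMP, len(icmp)) + icmp


def classify_unreachable(pkt, outbound_flows):
    """Parse one raw IPv4 packet; return an UnreachableReport, or None if not ICMP type 3.

    outbound_flows: set of (src, dst, proto) tuples from our own capture of traffic
    leaving the network; a quoted packet absent from it was never ours.
    """
    if len(pkt) < 20 or pkt[9] != socket.IPPROTO_ICMP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    reporter = socket.inet_ntoa(pkt[12:16])
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    code = icmp[1]
    inner = icmp[8:]                      # quoted IP header of the rejected packet
    inner_proto = inner[9]
    inner_src = socket.inet_ntoa(inner[12:16])
    inner_dst = socket.inet_ntoa(inner[16:20])
    intermediate = reporter != inner_dst
    matches = (inner_src, inner_dst, inner_proto) in outbound_flows
    return UnreachableReport(reporter, code, inner_src, inner_dst, inner_proto,
                             intermediate, matches,
                             VERDICT_OURS if matches else VERDICT_SPOOFED)


# Constructed scenario: 192.0.2.53 is "our" name server. Our outbound capture shows
# only DNS (UDP) to one resolver; nothing was ever sent toward 198.51.100.0/24.
OUTBOUND_FLOWS = {("192.0.2.53", "203.0.113.10", socket.IPPROTO_UDP)}

SAMPLE_PACKETS = [
    # A firewall (198.51.100.1) rejects an echo request "from" us to a host behind it.
    build_icmp_unreachable("198.51.100.1", ICMP_CODE_ADMIN_PROHIBITED,
                           "192.0.2.53", "198.51.100.80"),
    # The resolver itself rejects a DNS query we genuinely sent (port unreachable).
    build_icmp_unreachable("203.0.113.10", ICMP_CODE_PORT_UNREACH,
                           "192.0.2.53", "203.0.113.10", socket.IPPROTO_UDP,
                           struct.pack("!HHHH", 53000, 53, 8, 0)),
]


def classify_all(packets=SAMPLE_PACKETS, outbound_flows=OUTBOUND_FLOWS):
    return [r for r in (classify_unreachable(p, outbound_flows) for p in packets) if r]


if __name__ == "__main__":
    for r in classify_all():
        who = "intermediate device" if r.reporter_is_intermediate else "end host"
        print(f"{r.reporter} (code {r.code}) re {r.inner_src}->{r.inner_dst}: {who}; {r.verdict}")
```

To feed real traffic into the same logic, capture with `tcpdump -n -s 0 'icmp[0] == 3 and icmp[1] == 13'` so the quoted inner header is not truncated; the quoted header, not the outer one, is what names the spoofed packet, and comparing it against your own outbound capture is the spoofing test the post describes.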
Current thread:
- Possible ICMP DOS spoofed to Nameservers? Richard Gilman (Dec 30)
- Re: Possible ICMP DOS spoofed to Nameservers? Ryan Russell (Dec 31)
- Re: Possible ICMP DOS spoofed to Nameservers? Gary Losito (Dec 31)