Security Incidents mailing list archives

Strange ICMP timestamp replies


From: Florian Weimer <Florian.Weimer () RUS UNI-STUTTGART DE>
Date: Tue, 16 Jan 2001 13:51:41 +0100

We have observed some strange network packets:

08:42:45; DENY; icmp; $SOURCE1; 14 (); $DEST.23; 0 ();
08:46:55; DENY; icmp; $SOURCE1; 14 (); $DEST.18; 0 ();
08:41:26; DENY; icmp; $SOURCE1; 14 (); $DEST.99; 0 ();
08:46:53; DENY; icmp; $SOURCE1; 14 (); $DEST.18; 0 ();
19:18:49; DENY; icmp; $SOURCE2; 14 (); $DEST.21; 0 ();

($DEST.* is in our network.)

These are ICMP timestamp replies, I think.  Does anybody know why
somebody sends such packets?  You can hardly do OS fingerprinting
using ICMP timestamp replies.

Is there any DoS attack involving spoofed ICMP timestamp requests (so
that we're getting the answers of the victim)?

--
Florian Weimer                    Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
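
One way to check whether logged timestamp replies answer requests that actually left the network, added here as an example and not part of the original post. It assumes the two numeric fields are ICMP type and code; the PERMIT line, $SOURCE3 and the 10-second window are constructed for illustration.

```python
import re
from collections import defaultdict

TS_REQUEST, TS_REPLY = 13, 14  # ICMP timestamp request / reply types

# Constructed sample in the layout of the log lines quoted in the post.
# Assumed field order: time; action; proto; source; ICMP type; destination; ICMP code.
# The first two lines ($SOURCE3, PERMIT) are invented to show a solicited reply.
SAMPLE_LOG = """\
08:40:02; PERMIT; icmp; $DEST.18; 13 (); $SOURCE3; 0 ();
08:40:03; DENY; icmp; $SOURCE3; 14 (); $DEST.18; 0 ();
08:42:45; DENY; icmp; $SOURCE1; 14 (); $DEST.23; 0 ();
08:46:55; DENY; icmp; $SOURCE1; 14 (); $DEST.18; 0 ();
08:41:26; DENY; icmp; $SOURCE1; 14 (); $DEST.99; 0 ();
08:46:53; DENY; icmp; $SOURCE1; 14 (); $DEST.18; 0 ();
19:18:49; DENY; icmp; $SOURCE2; 14 (); $DEST.21; 0 ();
"""

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d); (\w+); icmp; ([^;\s]+); (\d+) \(\); ([^;\s]+); (\d+) \(\);$")

def parse(log):
    """Turn log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            h, mi, s, action, src, typ, dst, code = m.groups()
            events.append({"t": int(h) * 3600 + int(mi) * 60 + int(s), "action": action,
                           "src": src, "dst": dst, "type": int(typ), "code": int(code)})
    return events

def unsolicited_replies(events, window=10):
    """Timestamp replies with no request from dst to src in the prior `window` seconds."""
    asked = defaultdict(list)  # (requester, responder) -> request times
    for e in events:
        if e["type"] == TS_REQUEST:
            asked[(e["src"], e["dst"])].append(e["t"])
    return [e for e in events if e["type"] == TS_REPLY and
            not any(0 <= e["t"] - t <= window for t in asked.get((e["dst"], e["src"]), []))]

def summarize(log):
    """Map each source of unsolicited replies to the internal hosts it reached."""
    by_src = defaultdict(set)
    for e in unsolicited_replies(parse(log)):
        by_src[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in by_src.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Replies that survive the filter were not triggered by any request this firewall logged leaving the network.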

