Security Incidents mailing list archives
odd ICMP Traffic - TSR scan
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 15 Mar 2001 11:47:12 +1300
Yesterday we detected a series of ICMP TimeStamp Requests to apparently random addresses in our network. Some addresses were probed more than once (up to 4 times). About 120 addresses were probed over 10 minutes, no other traffic seen from that source address. Most of the addresses probed were inactive.

I have written to sidinet.com and their ISP asking for an explanation. So far I have had standard acknowledgement of receipt from the ISP.

Anyone got any idea what this was in aid of?

Cheers, Russell.

We saw sidinet.com[216.122.85.4] talk to 48 ports/addresses(s) on Wed 14 Mar 2001 at 01:31 (UTC) -- Wed 14 Mar 2001 at 14:31 (NZDT)
Connection rate approx 7 per minute

Some sample packet traces were:

Times UTC +1300 GPS synchronized

2001-03-14-14:34:40 icmp 216.122.85.4: -> 130.216.59.28: TSR
2001-03-14-14:34:44 icmp 216.122.85.4: -> 130.216.220.104: TSR
2001-03-14-14:35:02 icmp 216.122.85.4: -> 130.216.123.93: TSR
2001-03-14-14:35:21 icmp 216.122.85.4: -> 130.216.117.74: TSR
2001-03-14-14:35:24 icmp 216.122.85.4: -> 130.216.228.102: TSR
2001-03-14-14:35:31 icmp 216.122.85.4: -> 130.216.100.121: TSR
2001-03-14-14:35:35 icmp 216.122.85.4: -> 130.216.92.120: TSR
2001-03-14-14:35:35 icmp 216.122.85.4: -> 130.216.82.86: TSR
2001-03-14-14:35:37 icmp 216.122.85.4: -> 130.216.198.49: TSR
2001-03-14-14:35:39 icmp 216.122.85.4: -> 130.216.193.43: TSR
2001-03-14-14:35:40 icmp 216.122.85.4: -> 130.216.36.62: TSR
2001-03-14-14:35:42 icmp 216.122.85.4: -> 130.216.22.80: TSR
2001-03-14-14:35:43 icmp 216.122.85.4: -> 130.216.24.37: TSR
2001-03-14-14:35:55 icmp 216.122.85.4: -> 130.216.169.57: TSR
2001-03-14-14:35:59 icmp 216.122.85.4: -> 130.216.15.37: TSR
2001-03-14-14:36:35 icmp 216.122.85.4: -> 130.216.4.106: TSR
2001-03-14-14:36:40 icmp 216.122.85.4: -> 130.216.187.6: TSR
2001-03-14-14:36:49 icmp 216.122.85.4: -> 202.37.88.2: TSR
2001-03-14-14:36:51 icmp 216.122.85.4: -> 130.216.215.106: TSR
2001-03-14-14:37:12 icmp 216.122.85.4: -> 130.216.89.29: TSR
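
A detection sketch for the pattern reported above, as an added example that is not part of the original post: it parses trace lines in the format shown in the message and flags any source that sends ICMP Timestamp Requests (TSR) to many distinct addresses inside a sliding time window. The function names, the threshold and window values, and the sample lines (documentation address ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Trace format used in the message: "<date-time> icmp <src>: -> <dst>: TSR"
LINE_RE = re.compile(
    r"(\d{4}-\d\d-\d\d-\d\d:\d\d:\d\d) icmp (\d+(?:\.\d+){3}): -> (\d+(?:\.\d+){3}): (\w+)")

def parse(line):
    """Return (timestamp, src, dst, kind), or None for a line that does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d-%H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def find_tsr_sweeps(lines, min_targets=5, window=timedelta(minutes=10)):
    """Map each flagged source to the largest number of distinct destinations
    it sent TSRs to inside any one window. Thresholds are assumed values."""
    recent = defaultdict(deque)   # src -> (ts, dst) events still inside the window
    peak = defaultdict(int)
    events = sorted(e for e in map(parse, lines) if e and e[3] == "TSR")
    for ts, src, dst, _ in events:
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()
        # An address probed several times counts once toward the target total.
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= min_targets}

# Constructed sample (documentation address ranges), not data from the post.
SAMPLE = [
    "2001-03-14-14:34:40 icmp 198.51.100.7: -> 192.0.2.28: TSR",
    "2001-03-14-14:34:44 icmp 198.51.100.7: -> 192.0.2.104: TSR",
    "2001-03-14-14:35:02 icmp 198.51.100.7: -> 192.0.2.93: TSR",
    "2001-03-14-14:35:02 icmp 198.51.100.7: -> 192.0.2.28: TSR",   # repeat probe
    "2001-03-14-14:35:21 icmp 198.51.100.7: -> 192.0.2.74: TSR",
    "2001-03-14-14:35:24 icmp 198.51.100.7: -> 192.0.2.102: TSR",
    "2001-03-14-14:35:30 icmp 203.0.113.9: -> 192.0.2.1: TSR",     # single request
    "2001-03-14-14:36:00 icmp 203.0.113.9: -> 192.0.2.1: ECHO",    # hypothetical non-TSR label
    "truncated line",
]

if __name__ == "__main__":
    for src, n in find_tsr_sweeps(SAMPLE).items():
        print(f"{src}: TSR sweep, {n} distinct targets within the window")
```

Counting distinct destinations rather than packets keeps a host that repeatedly queries one address from being reported as a sweep.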