Security Incidents mailing list archives
Re: odd ICMP Traffic - TSR scan
From: Joe Matusiewicz <joem () NIST GOV>
Date: Thu, 15 Mar 2001 11:28:56 -0500
At 05:47 PM 3/14/01, Russell Fulton wrote:
Yesterday we detected a series of ICMP TimeStamp Requests to apparently random addresses in our network. Some addresses were probed more than once (up to 4 times). About 120 addresses were probed over 10 minutes, no other traffic seen from that source address. Most of the addresses probed were inactive. I have written to sidinet.com and their ISP asking for an explanation. So far I have had standard acknowledgement of receipt from the ISP. Anyone got any idea what this was in aid of?
I'll take a swag at it. It could be network mapping by using TSRs instead of pings. TSRs also include the sender's timestamp, the time the destination received the packet, and the time the destination host returned the packet. I've heard it's possible to compute the round trip time this way although it's said to not be very accurate. I'm not sure why they would try to do this (some new server load balancing scheme?). That's my best guess...although I could be way off base.
-- Joe
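Added example, not part of the original posts: a Python sketch that decodes the three timestamp fields of an ICMP Timestamp message (RFC 792), computes the round trip time from them, and flags a source that sends Timestamp Requests to many distinct addresses within a window, as in the traffic described in the thread. The function names, the 600-second window, the 50-target threshold and the sample addresses are assumptions made for illustration.

```python
import struct
from collections import Counter, defaultdict
TS_REQUEST, TS_REPLY = 13, 14   # ICMP types (RFC 792)
DAY_MS = 86_400_000             # timestamp fields are ms since midnight UT

def parse_icmp_timestamp(icmp: bytes):
    """Decode a 20-byte ICMP Timestamp message; None for anything else."""
    if len(icmp) < 20 or icmp[0] not in (TS_REQUEST, TS_REPLY):
        return None
    typ, _, _, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", icmp[:20])
    return {"type": typ, "id": ident, "seq": seq,
            "originate": orig, "receive": recv, "transmit": xmit}

def round_trip_ms(reply: dict, arrival_ms: int) -> int:
    """Time the probe was away from the sender minus time held at the target."""
    away = (arrival_ms - reply["originate"]) % DAY_MS       # sender's clock
    held = (reply["transmit"] - reply["receive"]) % DAY_MS  # target's clock
    return away - held

def find_tsr_sweeps(packets, window_s=600, min_targets=50):
    """Flag sources sending Timestamp Requests to >= min_targets hosts in window_s."""
    by_src = defaultdict(list)
    for ts, src, dst, icmp in packets:       # (epoch_s, src, dst, icmp_bytes)
        msg = parse_icmp_timestamp(icmp)
        if msg and msg["type"] == TS_REQUEST:
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, probes in by_src.items():
        probes.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, dst in probes:
            in_window[dst] += 1
            while ts - probes[start][0] > window_s:         # expire old probes
                in_window -= Counter([probes[start][1]])    # drops zero counts
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            sweeps[src] = {"targets": peak, "probes": len(probes),
                           "max_repeat": max(Counter(d for _, d in probes).values())}
    return sweeps

def constructed_capture():
    """Constructed sample, documentation addresses: one sweeper, one echo-only host."""
    req = struct.pack("!BBHHHIII", TS_REQUEST, 0, 0, 1, 1, 41_336_000, 0, 0)
    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\0" * 12   # ICMP echo, not a TSR
    pkts = [(1000 + 4 * i, "203.0.113.9", f"192.0.2.{i + 1 if i < 120 else 7}", req)
            for i in range(123)]
    pkts += [(1000 + i, "198.51.100.7", f"192.0.2.{i + 1}", echo) for i in range(60)]
    return pkts
```

The round trip figure depends on the target's receive and transmit stamps only through their difference, so a clock offset between the two hosts cancels out.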