OSEC

From: slim bones (slimIO.COM)
Date: Sun Jan 14 2001 - 14:50:51 CST

    Howdy,

    Although that's annoying, it's not going to hurt anything. Whoever's
    doing it can't gain any information from this activity. By itself it's
    not a threat. However, it could be intended as a distraction from other
    activity against your net.

    s.b -> azimuth

    On Fri, Jan 05, 2001 at 11:22:48PM -0600, Glenn Forbes Fleming Larratt wrote:
    > We're seeing increasing numbers of the traffic represented below - a
    > large amount of ICMP 3/1's, spoofed as being from a router port in a
    > major tier 1 or 2, all across our network.
    >
    > I'm particularly curious about the groups of 119. "my.net" below is, of
    > course, our class B, which is subnetted at 8 bits; in every instance where
    > 119 (sometimes 118) packets are sent at once, the target is on an
    > unallocated subnet, to which traceroutes would !X out - but not all
    > unallocated subnets generate the large slew of packets.
    >
    > Has anyone else seen this? Is this a threat? Any info gratefully received.
    >
    > -g
    >
    > --
    > Glenn Forbes Fleming Larratt The Lab Ratt (not briggs :-)
    > glrattio.com http://www.io.com/~glratt
    > There are imaginary bugs to chase in heaven.
    >
    > ---------- Forwarded message ----------
    > Jan 5 01:04:46 icmp BAD.GUY.NET.NODE -> my.net.76.19 (3/1), 119 packets
    > Jan 5 01:05:00 icmp BAD.GUY.NET.NODE -> my.net.92.8 (3/1), 1 packet
    > Jan 5 01:05:09 icmp BAD.GUY.NET.NODE -> my.net.185.13 (3/1), 1 packet
    > Jan 5 01:05:11 icmp BAD.GUY.NET.NODE -> my.net.150.55 (3/1), 1 packet
    > Jan 5 01:05:21 icmp BAD.GUY.NET.NODE -> my.net.82.13 (3/1), 1 packet
    > Jan 5 01:05:33 icmp BAD.GUY.NET.NODE -> my.net.229.60 (3/1), 1 packet
    > Jan 5 01:06:00 icmp BAD.GUY.NET.NODE -> my.net.37.20 (3/1), 1 packet
    > Jan 5 01:06:02 icmp BAD.GUY.NET.NODE -> my.net.149.87 (3/1), 1 packet
    > Jan 5 01:06:19 icmp BAD.GUY.NET.NODE -> my.net.148.93 (3/1), 1 packet
    > Jan 5 01:06:27 icmp BAD.GUY.NET.NODE -> my.net.110.125 (3/1), 1 packet
    > Jan 5 01:06:33 icmp BAD.GUY.NET.NODE -> my.net.122.92 (3/1), 1 packet
    > Jan 5 01:06:36 icmp BAD.GUY.NET.NODE -> my.net.152.51 (3/1), 1 packet
    > Jan 5 01:07:34 icmp BAD.GUY.NET.NODE -> my.net.207.94 (3/1), 1 packet
    > Jan 5 01:07:50 icmp BAD.GUY.NET.NODE -> my.net.136.125 (3/1), 119 packets
    > Jan 5 01:07:54 icmp BAD.GUY.NET.NODE -> my.net.248.14 (3/1), 1 packet
    > Jan 5 01:07:56 icmp BAD.GUY.NET.NODE -> my.net.246.107 (3/1), 1 packet
    > Jan 5 01:08:01 icmp BAD.GUY.NET.NODE -> my.net.11.85 (3/1), 119 packets
    > Jan 5 01:08:07 icmp BAD.GUY.NET.NODE -> my.net.79.4 (3/1), 119 packets
    > Jan 5 01:08:15 icmp BAD.GUY.NET.NODE -> my.net.133.39 (3/1), 1 packet
    > Jan 5 01:08:32 icmp BAD.GUY.NET.NODE -> my.net.202.96 (3/1), 1 packet
    > Jan 5 01:08:36 icmp BAD.GUY.NET.NODE -> my.net.139.109 (3/1), 119 packets
    > Jan 5 01:08:38 icmp BAD.GUY.NET.NODE -> my.net.184.46 (3/1), 119 packets
    > Jan 5 01:08:47 icmp BAD.GUY.NET.NODE -> my.net.92.49 (3/1), 1 packet
    <rip>
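
An added example, not part of the original thread: a small parser for the forwarded log format that tallies ICMP 3/1 events per destination subnet (third octet, since the class B is subnetted at 8 bits) and lists the burst targets that fall on unallocated subnets. The burst threshold and the `ALLOCATED_SUBNETS` set are assumptions chosen for illustration; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Lines copied from the forwarded log above, quote prefix included.
SAMPLE_LOG = """\
> Jan 5 01:04:46 icmp BAD.GUY.NET.NODE -> my.net.76.19 (3/1), 119 packets
> Jan 5 01:05:00 icmp BAD.GUY.NET.NODE -> my.net.92.8 (3/1), 1 packet
> Jan 5 01:07:50 icmp BAD.GUY.NET.NODE -> my.net.136.125 (3/1), 119 packets
> Jan 5 01:08:01 icmp BAD.GUY.NET.NODE -> my.net.11.85 (3/1), 119 packets
> Jan 5 01:08:47 icmp BAD.GUY.NET.NODE -> my.net.92.49 (3/1), 1 packet
> <rip>
"""

# timestamp, "icmp", source, "->", <net>.<subnet>.<host>, (type/code), packet count
LINE_RE = re.compile(
    r"(\w{3}\s+\d+\s+[\d:]+)\s+icmp\s+(\S+)\s+->\s+\S+?\.(\d+)\.(\d+)\s+"
    r"\((\d+)/(\d+)\),\s+(\d+)\s+packets?$"
)

BURST_THRESHOLD = 100      # assumption: separates the 118/119 groups from single packets
ALLOCATED_SUBNETS = {92}   # hypothetical: replace with the site's real allocated subnets


def summarize(log_text, allocated_subnets):
    """Per destination subnet: event count, packet total and burst count for ICMP 3/1."""
    stats = defaultdict(lambda: {"events": 0, "packets": 0, "bursts": 0})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.lstrip("> \t").rstrip())
        if not m or (m.group(5), m.group(6)) != ("3", "1"):
            continue  # skip non-log lines such as "<rip>" and other ICMP types
        subnet, count = int(m.group(3)), int(m.group(7))
        entry = stats[subnet]
        entry["events"] += 1
        entry["packets"] += count
        entry["bursts"] += count >= BURST_THRESHOLD
        entry["allocated"] = subnet in allocated_subnets
    return dict(stats)


def bursts_to_unallocated(stats):
    """Subnets that received at least one burst and are not in the allocated set."""
    return sorted(s for s, e in stats.items() if e["bursts"] and not e["allocated"])


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG, ALLOCATED_SUBNETS)
    for subnet in sorted(stats):
        print(subnet, stats[subnet])
    print("burst targets on unallocated subnets:", bursts_to_unallocated(stats))
```

Run over a full day of logs, the per-subnet totals show whether every burst lands on an unallocated subnet and which unallocated subnets never receive one.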