From: Robert Turner (robert.d.turnerBT.COM)
Date: Mon Apr 02 2001 - 15:29:34 CDT


    Hi

    We have seen this behaviour sporadically for the last year or so.
    It would appear to be an inverse-mapping tool (mapping unreachable
    hosts, so mapping 'real' hosts by default) or a tool for mapping
    routers. The ICMP reply packets are usually forged, with the 'real'
    originator in the payload of the packet, rather than the header.

    It can be quite simply stopped with a sensibly configured firewall.

    Hoping that this helps,

    Robert

    Robert Turner
    Technical Manager

    Ignite Solutions - Secure Business Services
    T: +44 (0)113 244 5951 F: +44 (0)113 244 5285
    Robert.D.Turnerbt.com

    > -----Original Message-----
    > From: Boothman [mailto:boothman_7YAHOO.COM]
    > Sent: 02 April 2001 20:38
    > To: FOCUS-IDSSECURITYFOCUS.COM
    > Subject: Strange echo-requests
    >
    >
    > I have an interesting situation. There are some echo
    > requests apparently sourcing from my network with the
    > fourth octet as zero heading out to the same IP
    > address. It seems to be randomly sourcing the third
    > octet. Has anyone seen this activity before or have
    > any clue?
    >
    > The site it is destined for is a Romanian site.
    >
    >
    >
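Added example, not part of either message: a small detection pass for the pattern described in the original question (ICMP echo requests whose source is inside the local network, has a fourth octet of zero and a varying third octet, all going to one destination). The record format, the `10.20.0.0/16` local network, the threshold and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (src, dst, icmp_type). Addresses come from
# private/documentation ranges and are not taken from the post.
SAMPLE = [
    ("10.20.14.0", "203.0.113.9", 8),
    ("10.20.201.0", "203.0.113.9", 8),
    ("10.20.77.0", "203.0.113.9", 8),
    ("10.20.5.23", "203.0.113.9", 8),    # ordinary host pinging the same site
    ("10.20.5.23", "198.51.100.4", 8),
    ("10.20.33.0", "198.51.100.4", 0),   # echo reply, not a request
    ("192.0.2.0", "203.0.113.9", 8),     # source outside the local network
]

ECHO_REQUEST = 8  # ICMP type for echo request


def suspicious_destinations(records, local_net, min_third_octets=3):
    """Return {dst: sorted third octets} for every destination that received
    echo requests from local sources of the form x.y.N.0 with at least
    min_third_octets distinct values of N (threshold is an assumption)."""
    net = ipaddress.ip_network(local_net)
    seen = defaultdict(set)
    for src, dst, icmp_type in records:
        addr = ipaddress.ip_address(src)
        if icmp_type != ECHO_REQUEST or addr not in net:
            continue
        octets = addr.packed
        if octets[3] == 0:          # fourth octet zero, as in the report
            seen[dst].add(octets[2])
    return {d: sorted(t) for d, t in seen.items() if len(t) >= min_third_octets}


if __name__ == "__main__":
    for dst, thirds in suspicious_destinations(SAMPLE, "10.20.0.0/16").items():
        print(f"{dst}: echo requests from .0 sources, third octets {thirds}")
```

Where the local network is subnetted so that `.0` addresses are network addresses (an assumption about the site), the same match can serve as an egress filter rule, which is one reading of the "sensibly configured firewall" in the reply.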