Larry,

Using an ICMP Echo request with a code field different than zero can be a scan attempt. If the targeted host answers and with the reply the code is changed to zero, then the targeted host belongs to the Microsoft Windows based operating systems. This is an Active OS fingerprinting method I have discovered a few months ago. You can find more about it if you read my research paper "ICMP Usage In Scanning" available from http://www.sys-security.com

Ofir Arkin
Founder
The Sys-Security Group
http://www.sys-security.com

----- Original Message -----
From: "E. Larry Lidz" <ellidzat_private>
To: <incidentsat_private>
Sent: Thursday, May 24, 2001 7:56 PM
Subject: ICMP 8.255?

> On a recent scan of our network, we saw ICMP echo requests coming in
> with the ICMP code set to 255. As it's normally supposed to be set to
> zero (and I can't recall ever having seen a non-zero code on an echo
> request), I'm assuming that this was some sort of constructed packet.
> Anyone else seen this before?
>
> Of course, it's possible it's some sort of new DoS attack, though we
> didn't have any reports of machines crashing because of it.
>
> -Larry
>
> ---
> E. Larry Lidz                                     Phone: (773)702-2208
> Sr. Network Security Officer                      Fax: (773)702-0559
> Network Security Center, The University of Chicago
> PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
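The probe Arkin describes (an Echo Request whose code field is not zero, classified by whether the reply resets the code to zero or echoes it back) is easy to reproduce with a hand-built ICMP message. The following is an added example written for this archive page; it is not code from the original thread, from Arkin's paper or from the Sys-Security Group. The raw-socket sender at the bottom assumes a Linux/BSD host with root privileges and IPv4 without IP options; the payload string, the identifier/sequence values and the two "reply" messages used in the stand-alone run are constructed locally so the classifier can be exercised offline. The code-255 case matches the traffic Larry reported, but the builder accepts any code.

```python
"""Active ICMP fingerprint probe: Echo Request (type 8) with a non-zero code.

Rule under test (Arkin, "ICMP Usage In Scanning"): a host whose Echo Reply
carries code 0 for a non-zero request code behaves like Microsoft Windows;
a host that echoes the non-zero code back does not.
"""
import socket
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
DEFAULT_PAYLOAD = b"sys-security-probe"   # constructed payload, any bytes work


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over header + payload (pad odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(typ: int, code: int, ident: int, seq: int,
               payload: bytes = DEFAULT_PAYLOAD) -> bytes:
    """Serialize an ICMP Echo Request/Reply with an arbitrary code field."""
    header = struct.pack("!BBHHH", typ, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", typ, code, csum, ident, seq) + payload


def build_echo_request(code: int, ident: int, seq: int,
                       payload: bytes = DEFAULT_PAYLOAD) -> bytes:
    """The probe: type 8 with the chosen (normally non-zero) code."""
    return build_icmp(ICMP_ECHO_REQUEST, code, ident, seq, payload)


def parse_icmp(message: bytes) -> dict:
    """Parse an ICMP message (IP header already stripped) and check its sum."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "payload": message[8:],
            # a valid message sums (including its checksum field) to zero
            "checksum_ok": icmp_checksum(message) == 0}


def classify_reply(sent_code: int, reply: bytes) -> str:
    """Apply the fingerprinting rule to one reply to a probe with sent_code."""
    r = parse_icmp(reply)
    if r["type"] != ICMP_ECHO_REPLY:
        return "not-an-echo-reply"
    if not r["checksum_ok"]:
        return "bad-checksum"
    if sent_code == 0:
        return "inconclusive: probe code was 0, nothing to compare"
    if r["code"] == 0:
        return "windows-like: code reset to 0"
    if r["code"] == sent_code:
        return "non-windows-like: code %d echoed back" % sent_code
    return "unknown: reply code %d" % r["code"]


def probe_host(dst: str, code: int = 255, ident: int = 0x1234,
               seq: int = 1, timeout: float = 2.0) -> str:
    """Send the probe over a raw socket and classify the reply (needs root).

    Assumes IPv4 without IP options; the IP header length is taken from the
    IHL nibble so the ICMP message is located correctly either way.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_echo_request(code, ident, seq), (dst, 0))
        while True:
            datagram, (src, _) = s.recvfrom(65535)
            ihl = (datagram[0] & 0x0F) * 4
            icmp = datagram[ihl:]
            r = parse_icmp(icmp)
            # ignore unrelated ICMP traffic delivered to the raw socket
            if r["type"] == ICMP_ECHO_REPLY and r["id"] == ident and r["seq"] == seq:
                return "%s -> %s" % (src, classify_reply(code, icmp))


if __name__ == "__main__":
    # offline demonstration with two constructed replies to a code-255 probe
    req = build_echo_request(255, 0x1234, 1)
    print("probe:", parse_icmp(req))
    windows_reply = build_icmp(ICMP_ECHO_REPLY, 0, 0x1234, 1)
    other_reply = build_icmp(ICMP_ECHO_REPLY, 255, 0x1234, 1)
    print(classify_reply(255, windows_reply))
    print(classify_reply(255, other_reply))
```

`probe_host` is only needed against a live target; everything above it runs without privileges, which is also how a detection rule for Larry's observation would be written: flag type 8 messages whose code field is not 0, since RFC 792 defines no other code for Echo.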
This archive was generated by hypermail 2b30 : Fri May 25 2001 - 11:58:30 PDT