Frank,

What you see here is probably a 'decoy scan'. A decoy scan is a type of scan which involves multiple IP addresses, which are fed to the network-scanning tool as decoys. The real IP address of the malicious computer attacker (or a machine he controls) will be among those.

An IP or IPs from your IP range were used to scan a site. Since the host the scan was trying to reach is not alive on the wire, which means it did not answer the ARP request the last-hop router issued, the router has issued an ICMP Host Unreachable error message back to the IP address that was attempting to scan. Because one of your IPs was among the IPs that were being used for the decoy scan, you received one of these messages.

Now, this is NOT a ping scan. A ping scan is where you see ICMP Echo Requests... not ICMP Host Unreachables.

For more on the subject you can see my paper "ICMP Usage in Scanning", available from:
http://www.sys-security.com/html/projects/icmp.html
Especially Chapter 5 (5.3)

For ICMP Protocol Rule Base for Snort see:
http://www.sys-security.com/archive/snort/icmp_rules/ICMP_basic_plus

Hope this helps

Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: Frank Knobbe [mailto:FKnobbeat_private]
Sent: Monday, 17 September 2001 6:52
To: incidentsat_private
Subject: Ping Scan

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

can anyone identify the following Ping Scan tool? I usually get a few of those 'ICMP unreachables' (supposedly coming from some IPs that don't exist/don't have servers). However, over the last few days I've seen a drastic increase. Anyone seeing the same?
Regards,
Frank

[**] Ping Scan [**]
09/14-21:42:32.798231 204.255.169.37 -> x.x.x.x
ICMP TTL:247 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
x.x.x.x:23547 -> 202.46.194.5:32165
TCP TTL:188 TOS:0x8 ID:30922 IpLen:20 DgmLen:40
Seq: 0x74832EB6   Ack: 0x10BDC00C
** END OF DUMP
00 00 00 00 45 08 00 28 78 CA 40 00 BC 06 78 CA  ....E..(x.@...x.
xx xx xx xx CA 2E C2 05 5B FB 7D A5 74 83 2E B6  Aj......[.}.t...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBO6WBaZytSsEygtEFEQL+4ACgy9+gy/XCiCGNj9+uffQOuiwsKusAn3bF
Fwl8Lkco5Mwsh9UJWA5UXjCY
=FT0J
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
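The triage Ofir describes (look inside the ICMP Host Unreachable at the quoted original datagram, check whether the quoted source is one of your addresses and whether you ever sent that packet, and do not confuse a type 3 error with the Echo Requests of a real ping scan) can be automated. The following is an added example, not code from either poster or from the Sys-Security ICMP rule base. It decodes the quoted IP and TCP header exactly as the alert above shows it; the sample bytes are constructed from that hex dump, with the anonymised x.x.x.x source replaced by the TEST-NET-1 address 192.0.2.10, the ICMP checksum zeroed, and a made-up "flows we actually sent" table standing in for a firewall or sensor state table. The network 192.0.2.0/24 and the flow table are assumptions for the example only.

```python
import ipaddress
import struct

# Constructed sample (not the original capture): the quoted datagram from the
# alert above, i.e. IP ID 30922, TTL 188, TOS 0x08, DF set, 202.46.194.5,
# ports 23547 -> 32165, seq 0x74832EB6, with x.x.x.x replaced by 192.0.2.10
# and a type 3 / code 1 ICMP header (checksum zeroed) prepended.
SAMPLE_HOST_UNREACH = bytes.fromhex(
    "03010000"                          # ICMP type 3, code 1, checksum
    "00000000"                          # unused 32 bits
    "45080028" "78ca4000" "bc0678ca"    # quoted IPv4 hdr: IHL 5, TOS 0x08,
                                        # len 40, ID 30922, DF, TTL 188, TCP
    "c000020a"                          # quoted src 192.0.2.10 (stand-in)
    "ca2ec205"                          # quoted dst 202.46.194.5
    "5bfb7da5" "74832eb6"               # quoted TCP: 23547 -> 32165, seq
)
# Constructed sample of what a real ping scan looks like: an Echo Request.
SAMPLE_ECHO_REQUEST = bytes.fromhex("08000000" "12340001")

# Assumed for the example: "our" address range and the flows our hosts really
# sent, (src, sport, dst, dport), as a firewall state table would record them.
OUR_NET = ipaddress.ip_network("192.0.2.0/24")
SENT_FLOWS = {("192.0.2.10", 40000, "198.51.100.7", 80)}

UNREACH_CODES = {0: "NET", 1: "HOST", 2: "PROTOCOL", 3: "PORT",
                 4: "FRAG NEEDED", 13: "ADMIN PROHIBITED"}


def parse_icmp(icmp: bytes) -> dict:
    """Decode an ICMP message; for Destination Unreachable (type 3) also decode
    the quoted original IP header and the first 8 bytes of its payload."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code = icmp[0], icmp[1]
    info = {"type": icmp_type, "code": code}
    if icmp_type == 8:
        info["kind"] = "echo request"
        return info
    if icmp_type != 3:
        info["kind"] = f"icmp type {icmp_type}"
        return info
    info["kind"] = f"{UNREACH_CODES.get(code, str(code))} UNREACHABLE"
    inner = icmp[8:]                      # quoted datagram starts after the
    if len(inner) < 28:                   # 4-byte unused field
        raise ValueError("quoted datagram shorter than IP header + 8 bytes")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto = struct.unpack(
        "!BBHHHBB", inner[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("quoted datagram is not IPv4")
    info.update(
        inner_src=str(ipaddress.IPv4Address(inner[12:16])),
        inner_dst=str(ipaddress.IPv4Address(inner[16:20])),
        inner_ttl=ttl, inner_id=ident, inner_tos=tos, inner_len=total_len,
        inner_df=bool(flags_frag & 0x4000), inner_proto=proto)
    # RFC 792 guarantees only 8 bytes of the original payload: for TCP/UDP
    # that is both ports (and, for TCP, the sequence number), nothing more.
    if proto in (6, 17) and len(inner) >= ihl + 4:
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        info.update(inner_sport=sport, inner_dport=dport)
        if proto == 6 and len(inner) >= ihl + 8:
            info["inner_seq"] = struct.unpack("!I", inner[ihl + 4:ihl + 8])[0]
    return info


def triage(icmp: bytes, our_net, sent_flows) -> str:
    """Classify an inbound ICMP message the way the reply above reasons:
    Echo Request = ping scan; Unreachable quoting a packet we never sent
    from one of our addresses = someone spoofed us (decoy scan artefact)."""
    info = parse_icmp(icmp)
    if info["type"] == 8:
        return "ping scan probe (ICMP Echo Request)"
    if info["type"] != 3:
        return info["kind"]
    if ipaddress.IPv4Address(info["inner_src"]) not in our_net:
        return f"{info['kind']}: quoted source {info['inner_src']} is not ours"
    flow = (info["inner_src"], info.get("inner_sport"),
            info["inner_dst"], info.get("inner_dport"))
    if flow in sent_flows:
        return f"{info['kind']}: genuine reply to our traffic to {flow[2]}"
    return (f"{info['kind']}: quoted source {flow[0]} is ours but we never sent "
            f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}; our address was "
            f"spoofed, consistent with a decoy scan of {flow[2]}")


if __name__ == "__main__":
    for name, pkt in (("host unreach", SAMPLE_HOST_UNREACH),
                      ("echo request", SAMPLE_ECHO_REQUEST)):
        print(f"{name}: {triage(pkt, OUR_NET, SENT_FLOWS)}")
```

Feeding the block the real alert bytes requires only the 32 bytes Snort printed plus the 4-byte ICMP header. Note that the ack value in the Snort summary is read past the 8 quoted bytes and is not trustworthy; the parser deliberately stops at the sequence number.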
This archive was generated by hypermail 2b30 : Mon Sep 17 2001 - 09:39:17 PDT