I've been seeing ICMP Type 3 Code 13 messages coming from 2 sites and destined to our name servers. While doing a tcpdump I see no outbound packets with a destination directed toward the sites sending the ICMP unreachable messages. So I'm assuming that someone is spoofing the addresses of our name servers to ping flood the 2 sites. However, we are only receiving the unreachable messages at a rate of approximately 5 to 10 per minute.

What I find interesting is that only our name server addresses are being spoofed, and those name servers are located on 2 entirely different class 'C' address spaces and at entirely different physical locations (same domain though). The packet traces show that the addresses sending the unreachable messages are most likely firewalls or border routers denying ICMP, because the unreachable hosts are not the ones sending the unreachable messages.

I started seeing messages from one site (Microsoft) at 2001/12/23-00:04:22 PST and the other site (Keesler Air Force Base) at 2001/12/28-07:17:11 PST, and they are still going as I write this.

Is anyone else seeing anything like this? Is there a DDOS currently going on that happens to cycle through a list of name servers as spoofed sources?

Thanks,
Rich

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
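The reasoning in the post (an ICMP unreachable arrives for a name server, but no matching outbound packet was ever captured, so the quoted source must have been spoofed) can be automated. The script below is an added example, not code from the original post or from SecurityFocus. It parses raw IPv4/ICMP Type 3 datagrams, pulls the quoted inner header out of the message (the inner source is the address being blamed, the inner destination is the host actually being flooded), and labels the message as backscatter when no matching outbound (src, dst, proto) flow exists in a locally captured flow set. All addresses are RFC 5737 documentation ranges and the packets are constructed in the script itself; nothing here corresponds to the sites named in the post.

```python
"""Backscatter triage for ICMP destination-unreachable (type 3) messages.

Added example, not from the original post. Assumes raw IPv4 datagrams
as bytes (no link-layer header). All sample packets and addresses below
are constructed for the demonstration.
"""
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_CODE_ADMIN_PROHIBITED = 13   # "communication administratively prohibited"


def inet_checksum(data: bytes) -> int:
    """Standard RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_unreachable(reporter: str, blamed_src: str, flooded_host: str,
                      code: int = ICMP_CODE_ADMIN_PROHIBITED) -> bytes:
    """Constructed ICMP type 3 message as a border firewall would emit it.
    The quoted inner datagram is an ICMP echo request claiming to come from
    blamed_src toward flooded_host; the firewall sends the unreachable back
    to blamed_src, which is why a spoofing victim sees it."""
    inner_payload = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)          # echo request header
    inner_ip = _ipv4_header(blamed_src, flooded_host, 1, len(inner_payload))
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner_ip + inner_payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return _ipv4_header(reporter, blamed_src, 1, len(icmp)) + icmp


@dataclass
class Unreachable:
    reporter: str       # outer source: the device that generated the unreachable
    code: int           # ICMP type 3 code (13 = administratively prohibited)
    quoted_src: str     # inner source: the address being blamed (possibly spoofed)
    quoted_dst: str     # inner destination: the host that was actually targeted
    quoted_proto: int   # inner protocol (1 = ICMP, i.e. a ping flood)


def parse_unreachable(pkt: bytes):
    """Return an Unreachable for an ICMP type 3 datagram, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8 + 20:   # need ICMP header + quoted IP header
        return None
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH:
        return None
    if inet_checksum(icmp) != 0:                   # corrupt quote: do not reason about it
        return None
    inner = icmp[8:]
    if len(inner) < (inner[0] & 0x0F) * 4:
        return None
    return Unreachable(socket.inet_ntoa(pkt[12:16]), icmp[1],
                       socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), inner[9])


def triage(packets, our_addresses, outbound_flows):
    """Label each unreachable that blames one of our addresses.

    outbound_flows is a set of (src, dst, proto) tuples taken from a local
    capture; a quote with no matching outbound flow is backscatter from a
    spoofed-source flood, since we never sent the packet being quoted."""
    results = []
    for pkt in packets:
        u = parse_unreachable(pkt)
        if u is None or u.quoted_src not in our_addresses:
            continue
        key = (u.quoted_src, u.quoted_dst, u.quoted_proto)
        verdict = "legit" if key in outbound_flows else "backscatter"
        results.append((u.reporter, u.code, u.quoted_dst, verdict))
    return results


if __name__ == "__main__":
    ours = {"192.0.2.53", "198.51.100.53"}            # constructed: our two name servers
    flows = {("192.0.2.53", "203.0.113.30", 1)}       # constructed: the one ping we did send
    pkts = [build_unreachable("203.0.113.1", "192.0.2.53", "203.0.113.10"),
            build_unreachable("203.0.113.2", "198.51.100.53", "203.0.113.20"),
            build_unreachable("203.0.113.3", "192.0.2.53", "203.0.113.30")]
    for row in triage(pkts, ours, flows):
        print(row)
```

In practice the flow set would be built from the same tcpdump the post describes (every outbound packet from the name server addresses), so a "backscatter" verdict means exactly what the author inferred by hand: a remote firewall is answering traffic that carried our address but never left our network. The code field is worth keeping in the output, since Code 13 from a third address (not the quoted destination) is the signature of a filtering device rather than the targeted host itself.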
This archive was generated by hypermail 2b30 : Sun Dec 30 2001 - 16:52:50 PST