I am seeing ICMP type 12 packets being returned to my network from various
locations across the Internet. The weird thing is that the IPs on our side do
not seem to be active. I'm wondering if this is some strange sort of exploit
or just a misconfigured device somewhere.

ICMP Type 12 is a parameter problem. If you look at the Options field under
ICMP, you will see that this appears to be an SNMP packet from our box to
192.168.10.2. We are running both registered and RFC 1918 addresses.

We have logged about 1400+ packets since May, when they first appeared. They
are destined for 386 unique IPs in our network, across 4 subnets.

The following networks are returning the ICMP packets:

  217.128.205.90   France Telecom IP2000 ADSL BAS wanadoo.fr
  216.206.52.1     Outlook Technologies, Inc.
  212.13.116.173   Phil Communications, Russia
  209.134.172.25   ISS.NET
  194.177.33.24    BCN Servicios Telematicos, Spain
  193.163.87.30    Nord Data Network, Denmark
  172.22.8.2       Internet Assigned Numbers Authority
  172.22.2.1       Internet Assigned Numbers Authority
  159.76.128.125   San Diego Gas and Electric
  80.11.93.160     France Telecom, IP2000-ADSL-BAS, Wanadoo Interactive
  205.226.19.193   Ipsilon Networks, Inc

Anyone seen anything like this before? Thoughts? Comments?

Thanks,
Marc

Here is the sample ICMP packet:

Internet Protocol, Src Addr: 172.22.2.1 (172.22.2.1), Dst Addr: x.x.x.x (x.x.x.x)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 68
    Identification: 0x7fba
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 240
    Protocol: ICMP (0x01)
    Header checksum: 0x6639 (correct)
    Source: 172.22.2.1 (172.22.2.1)
    Destination: x.x.x.x (x.x.x.x)
Internet Control Message Protocol
    Type: 12 (Parameter problem)
    Code: 0 (IP header bad)
    Checksum: 0x2fd3 (correct)
    Pointer: 20
    Internet Protocol, Src Addr: x.x.x.x (x.x.x.x), Dst Addr: 192.168.10.2 (192.168.10.2)
        Version: 4
        Header length: 32 bytes
        Differentiated Services Field: 0x50 (DSCP 0x14: Assured Forwarding 22; ECN: 0x00)
            0101 00.. = Differentiated Services Codepoint: Assured Forwarding 22 (0x14)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 1262
        Identification: 0x1ee7
        Flags: 0x00
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 43
        Protocol: UDP (0x11)
        Header checksum: 0x79b0 (correct)
        Source: x.x.x.x (x.x.x.x)
        Destination: 192.168.10.2 (192.168.10.2)
        Options: (12 bytes)
            Unknown (0x3d) (option length = 226 bytes says option goes past end of options)
    User Datagram Protocol, Src Port: 21676 (21676), Dst Port: snmp (161)
        Source port: 21676 (21676)
        Destination port: snmp (161)
        Length: 1230
        Checksum: 0x5611
    Simple Network Management Protocol

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
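What the decode above tells you can be checked mechanically: an ICMP Parameter Problem carries a Pointer (here 20) that is a byte offset into the quoted IP header, and offset 20 is the first byte of the options area, which contains an option of type 0x3d claiming a length of 226 bytes inside a 12-byte options field. The following script, added here as an illustration and not part of Marc's post, rebuilds that packet from the field values shown (the redacted x.x.x.x is replaced with the documentation address 203.0.113.5, an assumption), verifies the ICMP checksum, walks the quoted header's options, and reports which option the pointer lands on and why it is malformed.

```python
"""Decode an ICMP type 12 (Parameter Problem) message and locate the fault in
the quoted IP header.  Added example; packet bytes are constructed from the
values in the post, with x.x.x.x replaced by 203.0.113.5 (an assumption)."""
import socket
import struct
from dataclasses import dataclass, field


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ident, ttl, tos=0, options=b""):
    """Build an IPv4 header with a valid checksum; options must pad to 4 bytes."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, total_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr += options
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_sample_packet() -> bytes:
    """The packet from the post, rebuilt field by field (constructed data)."""
    # Quoted header: 32-byte header whose option 0x3d claims a length of 226.
    bad_options = bytes([0x3D, 226]) + b"\x00" * 10
    inner = ipv4_header("203.0.113.5", "192.168.10.2", 17, 1262, 0x1EE7, 43,
                        tos=0x50, options=bad_options)
    udp = struct.pack("!HHHH", 21676, 161, 1230, 0x5611)   # first 8 bytes of UDP
    icmp = struct.pack("!BBHB3x", 12, 0, 0, 20) + inner + udp  # type 12, pointer 20
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    outer = ipv4_header("172.22.2.1", "203.0.113.5", 1, 20 + len(icmp), 0x7FBA, 240)
    return outer + icmp


@dataclass
class ParamProblem:
    reporter: str           # host that emitted the ICMP error
    code: int
    pointer: int            # byte offset into the quoted IP header
    inner_src: str
    inner_dst: str
    inner_ihl: int
    inner_proto: int
    pointer_in_options: bool
    option_faults: list = field(default_factory=list)
    udp_ports: tuple = None


def walk_options(options: bytes):
    """Walk an IPv4 options area; return (hdr_offset, type, length, reason) per fault."""
    faults, i = [], 0
    while i < len(options):
        opt = options[i]
        if opt == 0:                 # End of Options List
            break
        if opt == 1:                 # No Operation, single byte
            i += 1
            continue
        if i + 1 >= len(options):
            faults.append((20 + i, opt, None, "option has no length byte"))
            break
        length = options[i + 1]
        if length < 2:
            faults.append((20 + i, opt, length, "option length below minimum"))
            break
        if i + length > len(options):
            faults.append((20 + i, opt, length, "length exceeds options area"))
            break
        i += length
    return faults


def parse_param_problem(pkt: bytes) -> ParamProblem:
    """Parse outer IP + ICMP type 12 and the quoted datagram header it carries."""
    outer_ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not ICMP")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    icmp = pkt[outer_ihl:total_len]
    if inet_checksum(icmp) != 0:     # a correct checksum verifies to zero
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, pointer = struct.unpack("!BBHB", icmp[:5])
    if itype != 12:
        raise ValueError("not a Parameter Problem (type %d)" % itype)
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    payload = inner[inner_ihl:]
    udp_ports = struct.unpack("!HH", payload[:4]) if inner[9] == 17 and len(payload) >= 4 else None
    return ParamProblem(
        reporter=socket.inet_ntoa(pkt[12:16]), code=code, pointer=pointer,
        inner_src=socket.inet_ntoa(inner[12:16]), inner_dst=socket.inet_ntoa(inner[16:20]),
        inner_ihl=inner_ihl, inner_proto=inner[9],
        pointer_in_options=20 <= pointer < inner_ihl,
        option_faults=walk_options(inner[20:inner_ihl]), udp_ports=udp_ports)


def explain(pp: ParamProblem) -> str:
    """One-line verdict suitable for a log or grep."""
    if pp.pointer_in_options and pp.option_faults:
        off, opt, _length, why = pp.option_faults[0]
        return "%s rejected %s -> %s: option 0x%02x at header offset %d, %s" % (
            pp.reporter, pp.inner_src, pp.inner_dst, opt, off, why)
    return "%s rejected %s -> %s: pointer %d" % (
        pp.reporter, pp.inner_src, pp.inner_dst, pp.pointer)


if __name__ == "__main__":
    print(explain(parse_param_problem(build_sample_packet())))
```

Run stand-alone it prints the verdict for the reconstructed packet; point `parse_param_problem` at the ICMP portion of a real capture instead of `build_sample_packet()` to triage other type 12 messages the same way.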
This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 11:51:19 PDT