At 01:53 AM 10/22/2002, jeffat_private wrote:

>I am looking for help concerning some unusual ICMP traffic I am seeing.
>Specifically, I am seeing inbound ICMP (type 38 code 37) with some unusual
>data in the ICMP data field (see below). I am seeing multiple source IPs
>(outside) to multiple destination IPs (inside). All the source IPs have
>TTLs in the low 100s or in the 40 range. This could indicate a possible
>spoofed source from two different locations.
>
>I have been seeing a lot of "http" type data and more recently the "reverse
>connect to me" message within the ICMP data field.
>
>Has anyone seen this type of ICMP traffic?

Paul Vixie reports that some of the traffic that was directed at the DNS root
servers during the recent DDoS attempt consisted of unusual ICMP packets with
spoofed addresses. I wonder if you're seeing the same tool that was used in
the attacks.

--Brett Glass

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
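The indicators in the message above (an ICMP type/code not seen in normal traffic, readable strings such as "reverse connect to me" or HTTP text in the ICMP data field, and source TTLs that cluster in two bands despite many different source addresses) can be turned into a small offline detector. The code below is an added example written for this archive page; it is not from the original poster or from Brett Glass, and nothing in it reproduces the tool they discuss. The packets it inspects are constructed inline from RFC 5737 documentation addresses, the set of "expected" ICMP types, the payload keywords and the TTL-bucketing heuristic are this example's own assumptions, and every function name (checksum, build_icmp_packet, parse_packet, analyze) is invented here.

```python
"""Flag anomalous ICMP datagrams of the kind described in the post above.

Added example, not part of the original thread. Sample packets are constructed
here (not captured traffic) so the detector runs offline. EXPECTED_ICMP_TYPES,
SUSPICIOUS_STRINGS and the TTL bucketing are heuristics assumed by this example.
"""
import socket
import struct
from collections import Counter

# ICMP types a border sensor normally sees in benign traffic: echo reply/request,
# destination unreachable, source quench, redirect, time exceeded, parameter
# problem, timestamp request/reply. Anything else is reported as "rare" (assumption).
EXPECTED_ICMP_TYPES = {0, 3, 4, 5, 8, 11, 12, 13, 14}
# Payload fragments the post mentions, matched case-insensitively (assumption).
SUSPICIOUS_STRINGS = (b"reverse connect to me", b"http")


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum as used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(src, dst, ttl, icmp_type, icmp_code, payload):
    """Build a raw IPv4 datagram carrying one ICMP message (constructed sample data)."""
    body = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + payload
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, checksum(body), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl,
                         socket.IPPROTO_ICMP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_packet(pkt: bytes):
    """Parse IPv4 + ICMP headers. Returns a dict, or None if not IPv4/ICMP or truncated."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != socket.IPPROTO_ICMP:
        return None
    icmp = pkt[(ver_ihl & 0x0F) * 4:total_len]
    if len(icmp) < 8:
        return None
    icmp_type, icmp_code = struct.unpack("!BB", icmp[:2])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "type": icmp_type, "code": icmp_code,
        # A correct one's-complement checksum makes the whole message sum to zero.
        "checksum_ok": checksum(icmp) == 0,
        "payload": icmp[8:],
    }


def analyze(packets):
    """Return (findings, ttl_buckets).

    findings: list of (src, dst, ttl, [reasons]) for each packet that matched.
    ttl_buckets: Counter of flagged packets by TTL decade; two tight clusters
    across many source addresses is the "spoofed from two places" pattern.
    """
    findings, ttl_buckets = [], Counter()
    for pkt in packets:
        p = parse_packet(pkt)
        if p is None:
            continue
        reasons = []
        if p["type"] not in EXPECTED_ICMP_TYPES:
            reasons.append("rare ICMP type %d code %d" % (p["type"], p["code"]))
        lowered = p["payload"].lower()
        reasons += ["payload contains %r" % s.decode() for s in SUSPICIOUS_STRINGS if s in lowered]
        if not p["checksum_ok"]:
            reasons.append("bad ICMP checksum")
        if reasons:
            findings.append((p["src"], p["dst"], p["ttl"], reasons))
            ttl_buckets[p["ttl"] // 10 * 10] += 1
    return findings, ttl_buckets


# Constructed sample traffic: three datagrams shaped like the report (type 38
# code 37, text in the data field, TTLs in the 40s and low 100s) and one
# ordinary echo request that must not be flagged.
SAMPLE_PACKETS = [
    build_icmp_packet("198.51.100.7", "192.0.2.10", 41, 38, 37, b"reverse connect to me"),
    build_icmp_packet("203.0.113.22", "192.0.2.11", 104, 38, 37, b"GET / HTTP/1.0\r\n"),
    build_icmp_packet("198.51.100.9", "192.0.2.12", 44, 38, 37, b"reverse connect to me"),
    build_icmp_packet("203.0.113.5", "192.0.2.10", 64, 8, 0, b"abcdefgh"),
]

if __name__ == "__main__":
    hits, buckets = analyze(SAMPLE_PACKETS)
    for src, dst, ttl, why in hits:
        print("%s -> %s ttl=%d: %s" % (src, dst, ttl, "; ".join(why)))
    print("flagged packets by TTL decade:", dict(buckets))
```

To run it against real traffic, feed parse_packet the IP layer of each frame from a capture and keep the TTL histogram per rare type/code; a tight pair of TTL bands across many unrelated source addresses is what makes the "two real origins behind spoofed sources" reading plausible, whereas a wide spread of TTLs would point to many genuine senders.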
This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 20:18:31 PDT