
SANS ISC Internet Storm Center


Strange ICMP traffic seen in destination

Published: 2014-09-20
Last Updated: 2014-09-20 15:45:51 UTC
by Manuel Humberto Santander Pelaez (Version: 1)

Reader Ronnie provided us today with a packet capture showing a very interesting situation:

  1. Several packets are arriving, all ICMP echo requests from unrelated addresses:
    [Screenshot: ICMP sources]
  2. None of the ICMP packets sent to the destination address carry data, leaving each packet with only the 20 bytes of the IP header and the 8 bytes of the ICMP echo request:
    [Screenshot: ICMP data]
  3. Each of the unrelated addresses sent 6 packets: one with a normal TTL and 5 with incremental TTLs:
    [Screenshot: 6 ICMP packets for each destination]

It seems these packets are trying to map a route, but in a very particular way. Since many unrelated IP addresses are trying to do the same thing, maybe something is trying to map routes to specific addresses to do something not good. The destination IP address is an ADSL client.

Is anyone else seeing this kind of packet? If you are, we definitely want to hear from you. Let us know!

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org
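
To check your own traffic for the three traits listed above, the following added example (not part of the original diary or the reader's capture) flags sources that sent exactly 6 data-less ICMP echo requests, 5 of them with stepped TTLs. It assumes "incremental" means TTL values increasing by 1 and takes raw IPv4 packets as bytes; the function names and the sample addresses and TTLs are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

def parse_empty_echo(pkt: bytes):
    """Return (src, ttl) if pkt is an IPv4 ICMP echo request with no data, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ttl, proto = pkt[8], pkt[9]
    if ihl < 20 or proto != 1 or len(pkt) < ihl + 8:
        return None
    icmp_type, icmp_code = pkt[ihl], pkt[ihl + 1]
    # Echo request (type 8, code 0) where only the 8-byte ICMP header follows the IP header
    if icmp_type != 8 or icmp_code != 0 or total_len - ihl != 8:
        return None
    return str(IPv4Address(pkt[12:16])), ttl

def has_incremental_run(ttls, run=5):
    """True if `run` of the TTLs are consecutive values (assumed meaning of 'incremental')."""
    vals = set(ttls)
    return any(all(t + i in vals for i in range(run)) for t in vals)

def suspicious_sources(packets, per_source=6, run=5):
    """Sources with exactly `per_source` empty echo requests, `run` of them with stepped TTLs."""
    seen = defaultdict(list)
    for pkt in packets:
        hit = parse_empty_echo(pkt)
        if hit:
            seen[hit[0]].append(hit[1])
    return sorted(s for s, t in seen.items()
                  if len(t) == per_source and has_incremental_run(t, run))

def build_echo(src, dst, ttl, data=b""):
    """Constructed test packet (checksums left at zero; the detector does not verify them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(data), 0, 0, ttl, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data

# Constructed sample traffic using documentation address ranges, not data from the capture
DST = "203.0.113.10"
SAMPLE = [build_echo("198.51.100.7", DST, t) for t in (52, 1, 2, 3, 4, 5)]
SAMPLE += [build_echo("198.51.100.9", DST, t) for t in (49, 3, 4, 5, 6, 7)]
SAMPLE += [build_echo("192.0.2.44", DST, 57, b"abcdefgh" * 4) for _ in range(6)]  # ping with data
SAMPLE += [build_echo("192.0.2.80", DST, 60) for _ in range(6)]  # empty, but constant TTL

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE))
```

Feed it the IP-layer bytes of each packet from your own capture; a growing list of unrelated sources matching all three traits is the pattern worth reporting.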
