[Snort-users] ICMP alerts

Jan Muenther jan at ...206...
Mon Sep 11 08:54:38 EDT 2000


I need some advice.

I repeatedly receive two subsequent ICMP packets from one host.
One is a large ECHO packet, the other one is an ICMP source
quench message.
The frequency is not quite high enough to consider this a
DoS attack... even my 128kbps line can deal with these two every
few hours... ;o))

Like this:

[**] IDS246 - MISC - Large ICMP Packet [**]
09/09-07:01:52.042189 -> xx.xxx.x.xxx
ICMP TTL:241 TOS:0x0 ID:41985  DF
ID:48282   Seq:61662  ECHO

[**] ICMP Source Quench [**]
09/09-07:01:52.216006 -> xx.xxx.x.xxx
ICMP TTL:241 TOS:0x0 ID:41987  DF

Still, I ask myself what this may be. The IP obviously belongs to
a webserver from the Brandenburg government. An email has remained
unanswered so far.
Any clues as to what this might be? Is someone trying to DoS them
and spoofing our address?

Cheers, Jan

Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
