[Snort-users] ICMP alerts

Jan Muenther jan at ...206...
Mon Sep 11 08:54:38 EDT 2000


Comrades,

I need some advice.

I repeatedly receive two subsequent ICMP packets from one host.
One is a large ECHO packet, the other one is an ICMP source
quench message.
The frequency is not quite high enough to consider this a
DoS-attack... even my 128kbps-line can deal with these two every
few hours... ;o))

Like this:

[**] IDS246 - MISC - Large ICMP Packet [**]
09/09-07:01:52.042189 194.76.232.129 -> xx.xxx.x.xxx
ICMP TTL:241 TOS:0x0 ID:41985  DF
ID:48282   Seq:61662  ECHO

[**] ICMP Source Quench [**]
09/09-07:01:52.216006 194.76.232.129 -> xx.xxx.x.xxx
ICMP TTL:241 TOS:0x0 ID:41987  DF
SOURCE QUENCH



Still, I ask myself what this may be. The IP obviously belongs to
a webserver from the Brandenburg government. An email has remained
unanswered so far.
Any clues as to what this might be? Is someone trying to DoS them
and spoofing our address...??

Cheers, Jan

-- 
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
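
As an added example (not part of the original post and not Snort's own code), the Python script below parses alerts in the layout quoted in the message and reports different alerts from the same source that arrive within a short window, which is the pairing the poster describes. The function names, the one-second window and the supplied year are assumptions; the sample text is the two alerts copied from the post.

```python
import re
from datetime import datetime, timedelta

# The two alerts as quoted in the post (destination is masked there as well).
SAMPLE = """\
[**] IDS246 - MISC - Large ICMP Packet [**]
09/09-07:01:52.042189 194.76.232.129 -> xx.xxx.x.xxx
ICMP TTL:241 TOS:0x0 ID:41985  DF
ID:48282   Seq:61662  ECHO

[**] ICMP Source Quench [**]
09/09-07:01:52.216006 194.76.232.129 -> xx.xxx.x.xxx
ICMP TTL:241 TOS:0x0 ID:41987  DF
SOURCE QUENCH
"""

HEADER = re.compile(r"^\[\*\*\]\s*(.+?)\s*\[\*\*\]$")
PACKET = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+->\s+(\S+)$")

def parse_alerts(text, year=2000):
    """Yield (timestamp, message, src, dst) for each alert block."""
    msg = None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        p = PACKET.match(line)
        if m:
            msg = m.group(1)
        elif p and msg is not None:
            # The alert timestamp carries no year, so the caller supplies one.
            ts = datetime.strptime(f"{year}/{p.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
            yield ts, msg, p.group(2), p.group(3)
            msg = None

def paired_alerts(alerts, window=timedelta(seconds=1)):
    """Return (src, first_msg, second_msg, gap_seconds) for alert pairs."""
    alerts = sorted(alerts)
    pairs = []
    for i, (ts_a, msg_a, src_a, _) in enumerate(alerts):
        for ts_b, msg_b, src_b, _ in alerts[i + 1:]:
            if ts_b - ts_a > window:
                break  # sorted by time, so later alerts are further away
            if src_a == src_b and msg_a != msg_b:
                pairs.append((src_a, msg_a, msg_b, (ts_b - ts_a).total_seconds()))
    return pairs

if __name__ == "__main__":
    for src, first, second, gap in paired_alerts(parse_alerts(SAMPLE)):
        print(f"{src}: '{first}' then '{second}' after {gap:.3f}s")
```

Run over a full alert file, the output shows how often the pair recurs and whether the gap between the two packets stays constant.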


