From: Dag-Erling Smorgrav
To: "Chris"
Subject: Re: Unexpected ICMP messages - is someone spoofing my subnet?
Date: 21 Oct 2000 12:04:51 +0200
References: <007701c03b26$10c42560$023a1dac@dsat.net.au>
In-Reply-To: "Chris"'s message of "Sat, 21 Oct 2000 17:13:40 +1100"

"Chris" writes:
> Basically, I am getting perhaps 50 or 100 ICMP messages per day for a
> number (more than 30) of IP addresses that have never at any time been
> used by me.

Somebody is running a DOS attack with spoofed source addresses, with a
different address for every packet (router meltdown...) What you're
seeing is the victim replying to spoofed packets that happen to have
one of your IPs as source address.

DES
-- 
Dag-Erling Smørgrav - des@thinksec.com
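As an added illustration (not part of the original message), the following sketch triages inbound ICMP the way the reply suggests reading it: an ICMP error quotes the header of the packet that triggered it, so the quoted source shows which of your addresses was claimed and the quoted destination shows who is being flooded. The prefix, the in-use set, the sample packets and all function names are constructed assumptions.

```python
import ipaddress
import struct

ICMP_ERRORS = {3, 4, 11, 12}   # unreachable, source quench, time exceeded, parameter problem

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header for constructed samples (checksum left as 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def icmp_packet(src, dst, icmp_type, code, body=b""):
    """IPv4 header + ICMP header (type, code, checksum 0, 4 unused bytes) + body."""
    return ipv4_header(src, dst, 1, 8 + len(body)) + struct.pack("!BBHI", icmp_type, code, 0, 0) + body

def classify(packet, my_net, in_use):
    """Return (verdict, victim, claimed_source) for one raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 or packet[9] != 1:
        return ("not-icmp", None, None)
    icmp_type = packet[ihl]
    if icmp_type in ICMP_ERRORS:
        quoted = packet[ihl + 8:]                        # errors quote the offending IP header + 8 bytes
        if len(quoted) < 20:
            return ("truncated", None, None)
        claimed = ipaddress.IPv4Address(quoted[12:16])   # source of the packet that triggered the error
        victim = ipaddress.IPv4Address(quoted[16:20])    # where that packet was sent
    elif icmp_type == 0:                                 # echo reply
        claimed = ipaddress.IPv4Address(packet[16:20])   # the reply goes to the claimed requester
        victim = ipaddress.IPv4Address(packet[12:16])
    else:
        return ("other-icmp", None, None)
    if claimed not in my_net:
        return ("not-ours", victim, claimed)
    if claimed in in_use:
        return ("needs-flow-check", victim, claimed)     # may answer traffic a real host sent
    return ("backscatter", victim, claimed)              # nobody here could have sent the original

# Constructed samples using RFC 5737 documentation addresses, not real traffic.
MY_NET = ipaddress.ip_network("192.0.2.0/24")
IN_USE = {ipaddress.ip_address("192.0.2.10")}
QUOTED_UDP = ipv4_header("192.0.2.77", "198.51.100.7", 17, 8) + struct.pack("!HHHH", 4444, 53, 8, 0)
QUOTED_TCP = ipv4_header("192.0.2.10", "198.51.100.7", 6, 8) + struct.pack("!HHI", 40000, 80, 1)
SAMPLES = [
    icmp_packet("198.51.100.7", "192.0.2.77", 3, 3, QUOTED_UDP),   # port unreachable from the victim
    icmp_packet("203.0.113.1", "192.0.2.10", 11, 0, QUOTED_TCP),   # time exceeded from a router
    icmp_packet("198.51.100.7", "192.0.2.200", 0, 0),              # echo reply to an unused address
]
if __name__ == "__main__":
    print([classify(p, MY_NET, IN_USE)[0] for p in SAMPLES])
```

Grouping the "backscatter" verdicts by victim address shows who is under attack, which is the detail worth including in a report to that network's operators.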