Weird stuff--AIM related?
This morning I found some strange activity in my firewall
logs: (eth1 is our internal, trusted interface. We use all
RFC1918 addresses on the internal I/F)
08/05 07:42:25 * 0 deny out eth1 icmp 152.201.116.255 204.167.22.152 3 3 (spoofed source address)
08/05 07:42:29 * 0 deny out eth1 icmp 152.201.116.255 204.167.22.48 3 3 (spoofed source address)
08/05 07:42:44 * 0 deny out eth1 icmp 152.201.116.255 199.72.55.80 3 3 (spoofed source address)
We do have users with the AOL instant messenger installed.
I have looked up the source address-- it is:
98C974FF.ipt.aol.com
The destination addresses are owned by IDG International
Publishing and NC Electric Membership Cooperation.
Now, I understand that ICMP 3 is destination host
unreachable. So it would stand to reason that the three
destination hosts at some point tried to access the AOL
address.
Our firewall is configured to allow no incoming traffic, so I
don't see how these hosts could be on our internal network.
We have a relatively small shop, and I don't think anyone
would even know how to change their IP, let alone have a
reason to.
So, is this something anyone else has seen? I have a
suspicion that it is related to the AIM client, seeing that all
three packets came from an AOL address space. (BTW, this
particular area of space is where the AIM client connects).
Is this an indication that someone has 'broken' the AIM
client? I'd love any insight to this weirdness.
Thanks a lot,
Dan Lenhard
Systems Admin
dl@burkegroup.com
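
Added example, not part of the original message: a small Python triage script that parses entries in the format shown above, decodes the ICMP type/code pair per RFC 792, and checks whether the logged source is an RFC 1918 address, which is the condition an anti-spoofing rule on an all-private interface tests. The field layout and all function names are assumptions inferred from the three entries in the post.

```python
import ipaddress
import re

# Constructed sample: the three entries from the post, each rejoined on one line.
SAMPLE_LOG = """\
08/05 07:42:25 * 0 deny out eth1 icmp 152.201.116.255 204.167.22.152 3 3 (spoofed source address)
08/05 07:42:29 * 0 deny out eth1 icmp 152.201.116.255 204.167.22.48 3 3 (spoofed source address)
08/05 07:42:44 * 0 deny out eth1 icmp 152.201.116.255 199.72.55.80 3 3 (spoofed source address)
"""
# Field layout (action, direction, interface, proto, src, dst, ICMP type, ICMP
# code, reason) is an assumption inferred from these entries, not a vendor spec.
LINE_RE = re.compile(
    r"(?P<stamp>\d\d/\d\d \d\d:\d\d:\d\d) \S+ \S+ (?P<action>\w+) (?P<dir>\w+) "
    r"(?P<iface>\w+) icmp (?P<src>\S+) (?P<dst>\S+) (?P<type>\d+) (?P<code>\d+)"
    r"(?: \((?P<reason>[^)]*)\))?")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Codes for ICMP type 3 (Destination Unreachable), RFC 792.
UNREACH = {0: "net unreachable", 1: "host unreachable",
           2: "protocol unreachable", 3: "port unreachable",
           4: "fragmentation needed and DF set", 5: "source route failed"}

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_line(line):
    """Return a dict for one log entry, or None if the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    icmp_type, code = int(rec["type"]), int(rec["code"])
    if icmp_type == 3:
        rec["icmp"] = "destination unreachable: " + UNREACH.get(code, f"code {code}")
    else:
        rec["icmp"] = f"type {icmp_type} code {code}"
    # On an interface where only RFC 1918 sources are expected, any other
    # source address fails the anti-spoofing check.
    rec["src_is_rfc1918"] = is_rfc1918(rec["src"])
    return rec

def summarize(log_text):
    """Map (source, decoded ICMP message) -> list of destinations seen."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            out.setdefault((rec["src"], rec["icmp"]), []).append(rec["dst"])
    return out

if __name__ == "__main__":
    for (src, icmp), dsts in summarize(SAMPLE_LOG).items():
        print(src, "rfc1918=%s" % is_rfc1918(src), icmp, "->", ", ".join(dsts))
```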