I think Nebulus is on the $, these could very well be forged packets. Some strange things are happening here. We have ICMP packets from 2 totally seperate source IPs. Both packets are code 13. Which SHOULD mean a router wont route them so the ICMP source IP must be a router, except they both appear to be from(sez arin) Canadian ISPs(which you said was not in traceroute). Also, not sure if it matters but the TTL time on both ICMP packets from different ip's are almost identical(2 hops difference).The Canadian ISP seems to have a big spam problem, dont know if its related to this but probably worth checking if there's spoofing afoot. More packets would be great if you have them.
nebulus,Originally posted here by nebulus200
two, they are nmapping 220.127.116.11 (or something to that effect) and 18.104.22.168 is along THEIR routepath and they are using nmap in decoy mode with your web server as the source. /nebulus
Exactly along the lines I was thinking. Notice one of the destination IPs (From the dump of a packet supposedly originating from 172.24.x.x)which generates the ICMP was a mail server. Maybe a spammer is spoofing with 172.24.x.x as the spoofed source IP and confusing a router(who ICMPs) along the real route from the spammer? I know the ports dont add up but its the only thing I can think of without more information. Any thoughts?