Firewall Wizards mailing list archives

Re: strange icmp packets.


From: Bill_Royds () pch gc ca
Date: Wed, 17 Mar 1999 15:25:23 -0500


I have been noticing these too. We have a valid class B behind our firewall but
many IPs are not in use and our firewall replaces all internal IP numbers by
its external NIC. We get many ICMP errors trying to return to these internal IP
numbers. Often when you look at the internal contents of ICMP, it is packets
with our addresses and source port just above 1024 and the destination addresses
dialup lines or shell accounts and destination ports 80 or 113 or 79 (common
services). The ack bit is set as if they are spoofing return packets for likely
open sessions.





Darren Reed <avalon () coombs anu edu au> on 99-03-17 02:59:20 AM

Please respond to Darren Reed <avalon () coombs anu edu au>

To:   firewall-wizards () nfr net
cc:    (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  strange icmp packets.





Amongst the megabytes of log information that I'm seeing on a firewall
are icmp error packets being sent back to hosts which don't and have
never existed.  I assume others are seeing the same.  Has anyone
looked closer at this and decided it's either replies to spoof'd
packets being sent with their address or is someone trying to scan
using ICMP error packets?!  The latter seems somewhat strange to me
as you're not meant to reply to those (I'm referring to unreachables
and quenches here).

Darren
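
Added example, not part of the original thread: a Python sketch of the inspection described above, which reads the packet quoted inside an ICMP error and reports the addresses, ports and ACK bit, so that errors quoting an internal source address that was never assigned stand out in the logs. The network 172.16.0.0/16, the `LIVE_HOSTS` set, and the names `inspect_icmp_error` and `build_sample` are assumptions made for illustration; the sample packets are constructed.

```python
import ipaddress
import struct

# Assumed values, not from the thread: 172.16.0.0/16 stands in for the site's
# class B, and LIVE_HOSTS for the addresses that are actually assigned.
INTERNAL_NET = ipaddress.ip_network("172.16.0.0/16")
LIVE_HOSTS = {ipaddress.ip_address("172.16.1.10")}
ICMP_ERRORS = {3: "unreachable", 4: "source-quench", 11: "time-exceeded"}

def inspect_icmp_error(icmp: bytes):
    """Describe the packet quoted inside an ICMP error (input starts at the ICMP header)."""
    if len(icmp) < 8 + 20 or icmp[0] not in ICMP_ERRORS:
        return None                       # not an error type, or no quoted IP header
    quoted = icmp[8:]                     # skip type, code, checksum, 4 unused bytes
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        return None                       # need IPv4 header plus 8 bytes (RFC 792 minimum)
    src = ipaddress.ip_address(quoted[12:16])
    dst = ipaddress.ip_address(quoted[16:20])
    info = {"icmp": ICMP_ERRORS[icmp[0]], "src": str(src), "dst": str(dst),
            "proto": quoted[9], "sport": None, "dport": None, "ack": None}
    if quoted[9] == 6:                    # TCP: ports are always in the first 8 bytes
        l4 = quoted[ihl:]
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        if len(l4) >= 14:                 # flags byte only present if sender quoted more
            info["ack"] = bool(l4[13] & 0x10)
    if src not in INTERNAL_NET:
        info["verdict"] = "external-source"
    elif src in LIVE_HOSTS:
        info["verdict"] = "live-internal-source"
    else:                                 # no host here could have sent the quoted packet
        info["verdict"] = "unused-internal-source"
    return info

def build_sample(src, dst, sport, dport, flags, icmp_type=3, code=1):
    """Constructed input: ICMP error quoting an IPv4 + TCP header (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 512, 0, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + tcp

if __name__ == "__main__":
    pkt = build_sample("172.16.200.7", "198.51.100.20", 1029, 80, 0x10)
    print(inspect_icmp_error(pkt))
    print(inspect_icmp_error(pkt[:36]))   # sender quoted only header + 8 bytes
```

Senders that quote only the RFC 792 minimum of 8 bytes past the IP header leave the TCP flags out, so `ack` comes back as `None` for those and only the ports can be checked.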
