Security Incidents mailing list archives

unusual icmp behaviour


From: Federico Grau <grauf () RFA ORG>
Date: Thu, 24 Aug 2000 14:50:45 -0400

Hi folks,

We have seen some unusual icmp traffic blocked at our firewalls.  Below is an
excerpt from our logs.  This behaviour went on until 09:15:48 (214 seconds)
and 1700+ lines of logs later.  We see it once or twice a week.

What is more unusual is that 172.30.3.170 is an internal machine address, yet
it is being blocked on the external interface (eth1).  We are running
ip-masquerading on the router so I would not expect any internal addresses to
show up on the external interface.  The router is a linux floppy router
running a 2.2.16 version of the kernel.  I do not recognize the destination
address as anything of significance (nslookup shows wamu.toad.net ... looks
like some nt box running iis)

Is this malicious?  Have we stopped it if so?

thanks for your feedback,
donfede


Aug 23 09:12:14 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=25096 F=0x0000 T=31 (#9)
Aug 23 09:12:14 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=25352 F=0x0000 T=31 (#9)
Aug 23 09:12:14 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=25608 F=0x0000 T=31 (#9)
Aug 23 09:12:14 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=25864 F=0x0000 T=31 (#9)
Aug 23 09:12:14 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=26120 F=0x0000 T=31 (#9)
Aug 23 09:12:14 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=26376 F=0x0000 T=31 (#9)
Aug 23 09:12:14 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=26632 F=0x0000 T=31 (#9)
Aug 23 09:12:15 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=26888 F=0x0000 T=31 (#9)
Aug 23 09:12:15 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=27144 F=0x0000 T=31 (#9)
Aug 23 09:12:15 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=27400 F=0x0000 T=31 (#9)
Aug 23 09:12:15 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=27656 F=0x0000 T=31 (#9)
Aug 23 09:12:15 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=27912 F=0x0000 T=31 (#9)
Aug 23 09:12:15 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=28168 F=0x0000 T=31 (#9)
Aug 23 09:12:15 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=28424 F=0x0000 T=31 (#9)
Aug 23 09:12:15 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=28680 F=0x0000 T=31 (#9)
Aug 23 09:12:16 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=28936 F=0x0000 T=31 (#9)
Aug 23 09:12:16 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=29192 F=0x0000 T=31 (#9)
Aug 23 09:12:16 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=29448 F=0x0000 T=31 (#9)
...

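As an added example (not part of the original post), here is a small Python analyzer for the Linux 2.2 ipchains "Packet log" format shown above. It re-joins lines that a mailer has wrapped, decodes PROTO=1 entries (ipchains prints the ICMP type in the source "port" position and the ICMP code in the destination position, so `172.30.3.170:3 209.150.117.11:3` is type 3 code 3, destination port unreachable), flags output-chain packets that leave an external interface with an RFC 1918 source address, which is exactly the condition the post describes, and reports per-flow packet count, duration, rate and the stride of the IP ID field. The sample log lines are constructed to mirror the excerpt (with one extra TCP line added for contrast); the external interface name `eth1` and the ICMP name table are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in ipchains "Packet log" format, modelled on the excerpt
# above. The first ICMP line is deliberately left wrapped the way a mailer
# breaks it, to exercise join_wrapped(). The TCP line is an added contrast case.
SAMPLE_LOG = """\
Aug 23 09:12:14 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00
I=25096 F=0x0000 T=31 (#9)
Aug 23 09:12:14 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=25352 F=0x0000 T=31 (#9)
Aug 23 09:12:15 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=25608 F=0x0000 T=31 (#9)
Aug 23 09:12:16 samadhi-172 kernel: Packet log: output REJECT eth1 PROTO=1 172.30.3.170:3 209.150.117.11:3 L=56 S=0x00 I=25864 F=0x0000 T=31 (#9)
Aug 23 09:12:16 samadhi-172 kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:4242 192.0.2.10:80 L=60 S=0x00 I=1 F=0x4000 T=52 SYN (#4)
"""

TS_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?: SYN)?(?: \(#(?P<rule>\d+)\))?$"
)

# Assumed name table for the ICMP type/code pairs a firewall log commonly shows.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "destination unreachable (net unreachable)",
    (3, 1): "destination unreachable (host unreachable)",
    (3, 3): "destination unreachable (port unreachable)",
    (8, 0): "echo request",
    (11, 0): "time exceeded (TTL)",
}

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True for RFC 1918 addresses, which should never appear un-masqueraded on the outside."""
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)


def join_wrapped(text: str) -> list:
    """Re-join log records that were wrapped: a continuation line has no timestamp prefix."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if records and not TS_RE.match(line):
            records[-1] += " " + line
        else:
            records.append(line)
    return records


def parse_line(line: str):
    """Parse one ipchains Packet log record into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[k] = int(rec[k])
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %H:%M:%S")
    return rec


def analyze(text: str, external_ifaces=("eth1",)) -> list:
    """Group records per flow and report count, duration, rate, IP ID stride and leak status."""
    flows = {}
    for line in join_wrapped(text):
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["iface"], rec["chain"], rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        flows.setdefault(key, []).append(rec)

    findings = []
    for (iface, chain, proto, src, sport, dst, dport), recs in flows.items():
        ids = [r["id"] for r in recs]
        strides = {b - a for a, b in zip(ids, ids[1:])}   # constant stride => one host's counter
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        f = {
            "iface": iface, "direction": chain, "proto": proto, "src": src, "dst": dst,
            "count": len(recs),
            "seconds": span,
            "rate_per_s": round(len(recs) / span, 2) if span else None,
            "id_stride": strides.pop() if len(strides) == 1 else None,
            # The condition from the post: a private source on the outside interface, outbound.
            "leak": chain == "output" and iface in external_ifaces and is_private(src),
        }
        if proto == 1:
            f["icmp"] = ICMP_NAMES.get((sport, dport), f"type {sport} code {dport}")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against a full day of logs, the `leak` flag isolates records that bypassed masquerading, and `id_stride` together with `rate_per_s` shows whether a burst comes from a single host with a steadily incrementing IP ID (as in the excerpt, where the ID grows by exactly 256 each packet) or from several sources.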
