Security Incidents mailing list archives
Re: spoofed ICMP 3/1's - what is the tool or goal here?
From: slim bones <slim () io com>
Date: Mon, 15 Jan 2001 15:24:03 -0600
> From: Erik Fichtner <techs () obfuscation org>
>
> It might also be fallout from someone spoofing your addresses to probe or
> DoS the "BAD.GUY.NET.NODE" network. You might want to capture some of
> those packets with a sniffer and decode the payload of the icmp error.
> That will give you a clue as to what packet caused the remote end to emit
> an icmp 3/1 host unreachable.
Both of these explanations are more likely than having someone
intentionally distract you with this trace :-]

A packet capture is the way to go. If you get one, I'd like a peek.
Someone is probably using decoy addresses out of your IP space. Using
decoys, a probe aimed at a nonexistent IP will cause host unreachables to
be sent to the decoys. [0]

Regarding DoS of the victim net, the host unreachables would be generated
when some of the DoS traffic can't make it to its destination (because of
the DoS attack). And since they're spoofing your address space, you get
the ICMP errors.

As far as a threat to your site goes, these are just annoyances unless
this traffic increases and eats up your bandwidth :-<

s.b

[0] An aside ... for a decoy probe of an IP that does exist there would
also be some other traffic coming to the decoys. An nmap SYN scan with
decoys will have the decoy systems seeing SYN-ACKs and RST-ACKs from the
victim. The decoy will also dole out a few RSTs of its own upon receiving
this traffic.
Jan 5 01:04:46 icmp BAD.GUY.NET.NODE -> my.net.76.19 (3/1), 119 packets
Jan 5 01:05:00 icmp BAD.GUY.NET.NODE -> my.net.92.8 (3/1), 1 packet
Jan 5 01:05:09 icmp BAD.GUY.NET.NODE -> my.net.185.13 (3/1), 1 packet
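The decoding step Erik suggests above, as an added example that is not part of the thread and not code from either poster: a small Python decoder for an ICMP Destination Unreachable error that recovers the quoted offending packet (who was "sending", to where, which ports, and the TCP flags when the router quoted enough of the original datagram). The sample packet is constructed inline, a SYN to port 80 of a nonexistent host with its source spoofed to a decoy address, bounced back by a router as a 3/1, using RFC 5737 documentation addresses; none of it comes from the original capture.

```python
"""Decode an ICMP type 3 (Destination Unreachable) error and report the
packet that provoked it.  Added example for this thread; the sample
packet built by sample_decoy_syn_error() is constructed, not captured."""
import struct

ICMP_DEST_UNREACH = 3
ICMP_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
              3: "port unreachable", 4: "fragmentation needed", 13: "admin prohibited"}
TCP_FLAGS = ((0x02, "SYN"), (0x10, "ACK"), (0x04, "RST"), (0x01, "FIN"), (0x08, "PSH"), (0x20, "URG"))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf: bytes) -> dict:
    """Decode the fixed part of an IPv4 header (options are skipped via ihl)."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {"ihl": (vihl & 0x0F) * 4, "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def decode_icmp_unreachable(pkt: bytes) -> dict:
    """Given a raw IPv4 datagram carrying an ICMP type 3 error, return the
    error's code plus the header fields of the packet quoted inside it.

    RFC 792 only guarantees the offending IP header plus 8 bytes of its
    payload: enough for TCP/UDP ports, not for the TCP flags byte (offset 13).
    Flags are therefore reported only when the sender quoted more, as
    RFC 1812 recommends routers do; otherwise tcp_flags stays None."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = pkt[outer["ihl"]:outer["total_len"]]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("ICMP type %d is not Destination Unreachable" % icmp[0])
    if inet_checksum(icmp) != 0:  # verifying over the whole message yields 0 when intact
        raise ValueError("bad ICMP checksum")
    inner_buf = icmp[8:]
    inner = parse_ipv4(inner_buf)
    transport = inner_buf[inner["ihl"]:]
    if len(transport) < 8:
        raise ValueError("fewer than 8 bytes of the original datagram quoted")
    info = {"error_from": outer["src"], "error_to": outer["dst"], "code": icmp[1],
            "code_name": ICMP_CODES.get(icmp[1], "code %d" % icmp[1]),
            "orig_src": inner["src"], "orig_dst": inner["dst"], "orig_proto": inner["proto"],
            "orig_bytes": len(transport), "orig_src_port": None, "orig_dst_port": None, "tcp_flags": None}
    if inner["proto"] in (6, 17):  # TCP or UDP: ports sit in the guaranteed 8 bytes
        info["orig_src_port"], info["orig_dst_port"] = struct.unpack("!HH", transport[:4])
    if inner["proto"] == 6 and len(transport) >= 14:
        info["tcp_flags"] = [name for mask, name in TCP_FLAGS if transport[13] & mask]
    return info


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Construct an option-less IPv4 datagram around payload (test data only)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_host_unreachable(router: str, victim: str, offending: bytes, quote: int) -> bytes:
    """Constructed ICMP 3/1 as a router would emit it, quoting `quote` bytes of `offending`."""
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, 1, 0, 0) + offending[:quote]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return build_ipv4(router, victim, 1, body)


def sample_decoy_syn_error(quote: int = 28) -> bytes:
    """Constructed sample (RFC 5737 addresses): a SYN to 192.0.2.77:80 whose
    source was spoofed to decoy 198.51.100.19, bounced by router 192.0.2.1.
    quote=28 is the RFC 792 minimum (no flags visible); quote=40 includes
    the whole TCP header."""
    tcp = struct.pack("!HHIIBBHHH", 61000, 80, 0x1A2B3C4D, 0, 5 << 4, 0x02, 1024, 0, 0)
    syn = build_ipv4("198.51.100.19", "192.0.2.77", 6, tcp)
    return build_host_unreachable("192.0.2.1", "198.51.100.19", syn, quote)


if __name__ == "__main__":
    for quote in (28, 40):
        info = decode_icmp_unreachable(sample_decoy_syn_error(quote))
        print("%(error_from)s -> %(error_to)s %(code_name)s; quoted packet "
              "%(orig_src)s:%(orig_src_port)s -> %(orig_dst)s:%(orig_dst_port)s "
              "proto %(orig_proto)d flags=%(tcp_flags)s (%(orig_bytes)d bytes quoted)" % info)
```

Run against real captures, the field to watch is orig_src: if it is one of your addresses but the port and flags pattern is not something your hosts would have sent (a bare SYN from an ephemeral port toward a host you have no business with), the error is backscatter from someone spoofing you, which is the decoy-scan reading given in the reply.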
Current thread:
- spoofed ICMP 3/1's - what is the tool or goal here? Glenn Forbes Fleming Larratt (Jan 06)
- <Possible follow-ups>
- Re: spoofed ICMP 3/1's - what is the tool or goal here? slim bones (Jan 15)