Security Incidents mailing list archives
Re: ICMP Destination Unreachable, Administratively Prohibited
From: Anthony Kim <Anthony.Kim () VW COM>
Date: Fri, 14 Feb 2003 10:02:41 -0600
On Thu, Feb 13, 2003, Chris Brenton wrote:
> On Thu, 2003-02-13 at 17:35, Neil Dickey wrote:
> > I have noticed what appears to be a new (to me, anyway) sort of scan in my Snort logs, which are appended below.
>
> Doubtful this is some kind of a scan. These are ICMP type 3 packets, which never stimulate a response. This means that whether it reached your internal host, or got blocked by a firewall, no reply would be returned. No reply means that it's not very useful as a scan. This also rules out you being the quiet host end of an idle scan.

At first I thought it might be the after-effects of an nmap idle scan actually. That is, instead of RSTs (unfiltered traffic) you are seeing ICMP (3, 13) indicating the traffic to the destination is filtered. But the source ports in the original packets do not meet my expectations. So I'm doubtful it was that. If there's a way for nmap to perform an idle scan using randomized source ports off a zombie, then just maybe...

> > I'm getting a "Dest. Unreach." signal from an educational network in Beijing, China, that arrived at a time when no-one was using the boxes from which the TCP sessions were supposed to have originated.
>
> Just because no one is in your office, does not mean that no one is using your systems. ;-)

So true <g>

> > Eight different machines at our site were involved, including unix boxes, printers, and PCs.
>
> Based on this info, I'm leaning towards someone is spoofing your address space (maybe decoy packets?). Reasoning is below.
Your reasoning (snipped) is sound. And I think I agree.
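An added example, not part of the original thread: an ICMP type 3 message quotes the IP header and first 8 bytes of the packet that triggered it, which is where the "source port in the original packets" discussed above comes from. The sketch parses that quoted header and checks it against flows your own hosts are known to have opened; the `local_flows` set, the `build_sample` helper and the documentation-range addresses are assumptions made for the illustration.

```python
import socket
import struct

def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Parse an ICMP type 3 message and the original datagram it quotes (RFC 792)."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short to hold a quoted IP header plus 8 bytes")
    if icmp[0] != 3:
        raise ValueError("not a Destination Unreachable message")
    quoted = icmp[8:]                       # original IP header + first 8 payload bytes
    ihl = (quoted[0] & 0x0F) * 4            # IP options shift where the ports sit
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted datagram is not a usable IPv4 header")
    proto = quoted[9]
    sport = dport = None
    if proto in (6, 17):                    # ports only exist for TCP and UDP
        sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {"code": icmp[1], "proto": proto,
            "src": socket.inet_ntoa(quoted[12:16]),
            "dst": socket.inet_ntoa(quoted[16:20]),
            "sport": sport, "dport": dport}

def classify(info: dict, local_flows: set) -> str:
    """Compare the quoted 5-tuple with flows our hosts really opened.

    local_flows is a hypothetical set of (proto, src, sport, dst, dport)
    tuples taken from your own firewall or flow logs.
    """
    key = (info["proto"], info["src"], info["sport"], info["dst"], info["dport"])
    # No matching flow means the ICMP error answers a packet we have no record
    # of sending, which is what a spoofed source address would produce.
    return "matches-local-flow" if key in local_flows else "no-local-flow"

def build_sample(src, dst, sport, dport, options=b""):
    """Constructed ICMP 3/13 message for testing (checksums left at zero)."""
    ihl_words = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, 40 + len(options),
                     0x1234, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + options
    tcp8 = struct.pack("!HHI", sport, dport, 1)   # ports + sequence number
    return struct.pack("!BBHI", 3, 13, 0, 0) + ip + tcp8

if __name__ == "__main__":
    msg = build_sample("192.0.2.10", "198.51.100.7", 40000, 80)
    info = parse_icmp_unreachable(msg)
    print(info, classify(info, local_flows=set()))
```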