Snort mailing list archives
Re: ICMP Destination Unreachable
From: Dewey Paciaffi <dpaciaffi () fame com>
Date: Tue, 04 Dec 2001 17:59:38 -0500
Thanks, John. That explains the first packet, but the second packet doesn't contain any addresses that belong to us. How could that end up on our network?

Dewey

John Sage wrote:
> Dewey:
>
> This sort of thing can be an example of backscatter: you're receiving ICMP Dest unreachables, implying that a packet came from your network and, in this case, was attempting to connect via udp or tcp to the host that responded with the ICMP unreachable.
>
> Chances are your IP is being spoofed by the actual prober/attacker, so you get the ICMP unreachable even though your net did not originate the transaction in the first place.
>
> For an example, see: http://www.incidents.org/archives/intrusions/msg01716.html
>
> I was getting quite a few of these back in September from an ISP in India that was being DDoS'ed...
>
> - John
>
> Dewey Paciaffi wrote:
> > Hi. I'm a new snort user. Today snort flagged 66 packets in which neither the src nor the dst addresses are from the subnet being monitored. When I examined the logs, the packets seem to be in pairs:
> >
> > [**] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> > 12/03-00:27:04.480000 63.145.225.218 -> xxx.xx.xx.254
> > ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
> > Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
> > ** ORIGINAL DATAGRAM DUMP:
> > xxx.xx.xx.254:252 -> 208.198.122.60:137
> > UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
> > Len: 58
> > ** END OF DUMP
> >
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > [**] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
> > 12/03-00:27:04.480000 63.145.225.218 -> 64.152.161.12
> > ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
> > Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
> > ** ORIGINAL DATAGRAM DUMP:
> > 64.152.161.12:137 -> 208.198.122.60:137
> > UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
> > Len: 58
> > ** END OF DUMP
> >
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> >
> > The first packet seems to be a valid ICMP, except that we have no device with the address xxx.xx.xx.254 on the subnet. Anyone know what causes this?
> >
> > Dewey Paciaffi
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
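An added example, not from the thread or from Snort itself, that applies John's reasoning to Snort full-format alerts: it parses each ICMP type 3 alert, pulls the source address out of the quoted original datagram, and flags alerts whose quoted source is a monitored address with no host behind it (spoofed, hence backscatter, as with the first packet) or where no address in the alert belongs to the monitored subnet at all (the second packet). The subnet 192.0.2.0/24, the host inventory, and 192.0.2.254 standing in for the masked xxx.xx.xx.254 are assumptions.

```python
import ipaddress
import re

# Constructed sample in Snort's full-alert layout, modelled on the two alerts in
# the thread; 192.0.2.0/24 is a placeholder for the poster's masked subnet (so
# 192.0.2.254 stands in for xxx.xx.xx.254) and KNOWN_HOSTS is a placeholder inventory.
MONITORED = ipaddress.ip_network("192.0.2.0/24")
KNOWN_HOSTS = {ipaddress.ip_address("192.0.2.10")}  # .254 deliberately absent
SAMPLE = """\
[**] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
12/03-00:27:04.480000 63.145.225.218 -> 192.0.2.254
ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
192.0.2.254:252 -> 208.198.122.60:137
UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
Len: 58
** END OF DUMP
[**] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
12/03-00:27:04.480000 63.145.225.218 -> 64.152.161.12
ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
64.152.161.12:137 -> 208.198.122.60:137
UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
Len: 58
** END OF DUMP
"""
# One alert: outer IP addresses, ICMP Type/Code, then the quoted original datagram.
ALERT = re.compile(
    r"\[\*\*\] (?P<msg>[^\n]+) \[\*\*\]\n"
    r"\S+ (?P<src>[\d.]+) -> (?P<dst>[\d.]+)\n"
    r"ICMP [^\n]*\nType:(?P<type>\d+)\s+Code:(?P<code>\d+)[^\n]*\n"
    r"\*\* ORIGINAL DATAGRAM DUMP:\n(?P<osrc>[\d.]+):\d+ -> (?P<odst>[\d.]+):\d+\n"
)

def classify(alerts, monitored=MONITORED, known_hosts=KNOWN_HOSTS):
    # Returns (icmp_sender, quoted_original_src, verdict) for each ICMP type 3 alert.
    out = []
    for m in ALERT.finditer(alerts):
        if m["type"] != "3":
            continue
        dst, osrc = ipaddress.ip_address(m["dst"]), ipaddress.ip_address(m["osrc"])
        if osrc in monitored:  # remote host quotes one of 'our' addresses as the source
            verdict = "verify-local-origin" if osrc in known_hosts else "spoofed-backscatter"
        elif dst in monitored:  # addressed to us, but the quoted flow was not ours
            verdict = "foreign-source-to-us"
        else:                   # no address in the alert belongs to the monitored subnet
            verdict = "off-net"
        out.append((m["src"], str(osrc), verdict))
    return out
```

Feed it the `alert` file Snort writes in full-alert mode; a "spoofed-backscatter" verdict for an address nobody is assigned is the signature John describes, while "off-net" rows are worth correlating with where the sensor actually sits.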
Current thread:
- ICMP Destination Unreachable Dewey Paciaffi (Dec 04)
- Re: ICMP Destination Unreachable John Sage (Dec 04)
- Re: ICMP Destination Unreachable Dewey Paciaffi (Dec 04)
- Re: ICMP Destination Unreachable John Sage (Dec 05)
- Re: ICMP Destination Unreachable Dewey Paciaffi (Dec 04)
- Re: ICMP Destination Unreachable John Sage (Dec 04)