Snort mailing list archives

Re: ICMP Destination Unreachable


From: John Sage <jsage () finchhaven com>
Date: Wed, 05 Dec 2001 06:28:43 -0800

Dewey:

hmm.. Now that is a question..

>>>[**] ICMP Destination Unreachable (Communication Administratively
>>>Prohibited) [**]
>>>12/03-00:27:04.480000 63.145.225.218 -> xxx.xx.xx.254
>>>ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
>>>Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
>>>** ORIGINAL DATAGRAM DUMP:
>>>xxx.xx.xx.254:252 -> 208.198.122.60:137
>>>UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
>>>Len: 58
>>>** END OF DUMP
>>>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

So this one seems reasonable to call backscatter; it's coming in to your xxx.xxx.xxx.254 and it alleges to be *from* your xxx.xxx.xxx.254, which you've obfuscated and which is within your network...

>>>
>>>[**] ICMP Destination Unreachable (Communication Administratively
>>>Prohibited) [**]
>>>12/03-00:27:04.480000 63.145.225.218 -> 64.152.161.12
>>>ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
>>>Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
>>>** ORIGINAL DATAGRAM DUMP:
>>>64.152.161.12:137 -> 208.198.122.60:137
>>>UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
>>>Len: 58
>>>** END OF DUMP
>>>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>>

But this one is *to* 64.152.161.12, and that's not you at all..

One odd thing is that these are both identical in all cases (except for the 64.x.x.x IP), particularly including the timestamp down to /*counts on his fingers*/ some *really* small fraction of a second..

..that's weird.


I have no quick explanation for that...

Somehow I wouldn't think it possible for two packets to have an identical timestamp - not off by even a little..

- John


Dewey Paciaffi wrote:

Thanks, John. That explains the first packet, but the second
packet doesn't contain any addresses that belong to us. How
could that end up on our network?

Dewey

John Sage wrote:

Dewey:

This sort of thing can be an example of backscatter: you're receiving
ICMP Dest unreachables, implying that a packet came from your network
and, in this case, was attempting to connect via udp or tcp to the host
that responded with the ICMP unreachable.

Chances are your IP is being spoofed by the actual prober/attacker, so
you get the ICMP unreachable even though your net did not originate the
transaction in the first place.

For an example, see:

http://www.incidents.org/archives/intrusions/msg01716.html

I was getting quite a few of these back in September from an ISP in
India that was being DDoS'ed...

- John

Dewey Paciaffi wrote:


Hi. I'm a new snort user. Today snort flagged 66
packets in which neither the src nor the dst addresses
are from the subnet being monitored.

When I examined the logs, the packets seem to be in pairs:


[**] ICMP Destination Unreachable (Communication Administratively
Prohibited) [**]
12/03-00:27:04.480000 63.145.225.218 -> xxx.xx.xx.254
ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
xxx.xx.xx.254:252 -> 208.198.122.60:137
UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
Len: 58
** END OF DUMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP Destination Unreachable (Communication Administratively
Prohibited) [**]
12/03-00:27:04.480000 63.145.225.218 -> 64.152.161.12
ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
64.152.161.12:137 -> 208.198.122.60:137
UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
Len: 58
** END OF DUMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The first packet seems to be a valid ICMP, except that we have no
device with the address xxx.xx.xx.254 on the subnet.

Anyone know what causes this?


Dewey Paciaffi
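Added example, not part of John's or Dewey's messages: a small Python script that parses Snort ICMP alerts in the format quoted above and applies the checks discussed in the thread. It compares the outer ICMP destination with the source inside the embedded original datagram (an ICMP error must be addressed to the original sender), flags an address of ours that no real host uses as backscatter, notes whether the responder is the embedded destination itself or some filtering hop in between (in the quoted alerts 63.145.225.218 is not 208.198.122.60, so the "administratively prohibited" came from a router or firewall on the path), and groups alerts that share a timestamp, responder and embedded IP ID, like Dewey's pairs. The monitored subnet 192.0.2.0/24, the substitute address 192.0.2.254 for the obfuscated xxx.xx.xx.254, and the list of active hosts are assumptions; the sample alerts are constructed from the ones quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the two alerts quoted in the thread.  The
# obfuscated xxx.xx.xx.254 is replaced with the hypothetical 192.0.2.254 so
# the address parses; everything else is as quoted.
SAMPLE_ALERTS = """\
[**] ICMP Destination Unreachable (Communication Administratively
Prohibited) [**]
12/03-00:27:04.480000 63.145.225.218 -> 192.0.2.254
ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
192.0.2.254:252 -> 208.198.122.60:137
UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
Len: 58
** END OF DUMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP Destination Unreachable (Communication Administratively
Prohibited) [**]
12/03-00:27:04.480000 63.145.225.218 -> 64.152.161.12
ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
64.152.161.12:137 -> 208.198.122.60:137
UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
Len: 58
** END OF DUMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Assumed monitored subnet (stands in for the poster's xxx.xx.xx.0/24) and
# the addresses actually in use on it (.254 is absent, as the post says).
MONITORED = [ipaddress.ip_network("192.0.2.0/24")]
ACTIVE_HOSTS = frozenset({"192.0.2.1", "192.0.2.10"})

SEP_RE = re.compile(r"^[=+]{4,}\s*$", re.M)
OUTER_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$", re.M)
TYPECODE_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)", re.M)
INNER_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$", re.M)
INNER_HDR_RE = re.compile(r"^(UDP|TCP) TTL:\d+ TOS:\S+ ID:(\d+)", re.M)


def parse_alerts(text):
    """Split a Snort alert dump into dicts, one per ICMP alert."""
    alerts = []
    for chunk in SEP_RE.split(text):
        outer, tc = OUTER_RE.search(chunk), TYPECODE_RE.search(chunk)
        if not (outer and tc):
            continue  # blank tail or an alert without Type/Code
        alert = {"ts": outer.group(1), "outer_src": outer.group(2),
                 "outer_dst": outer.group(3), "type": int(tc.group(1)),
                 "code": int(tc.group(2)), "inner": None}
        # Header of the original datagram that provoked the ICMP error.
        _, _, dump = chunk.partition("ORIGINAL DATAGRAM DUMP:")
        inner, hdr = INNER_RE.search(dump), INNER_HDR_RE.search(dump)
        if inner and hdr:
            alert["inner"] = {"src": inner.group(1), "sport": int(inner.group(2)),
                              "dst": inner.group(3), "dport": int(inner.group(4)),
                              "proto": hdr.group(1), "ip_id": int(hdr.group(2))}
        alerts.append(alert)
    return alerts


def in_monitored(ip, monitored=MONITORED):
    return any(ip in net for net in monitored)


def classify(alert, monitored=MONITORED, active_hosts=ACTIVE_HOSTS):
    """What a type 3 alert means for the monitored network."""
    if alert["type"] != 3 or alert["inner"] is None:
        return "not-applicable"
    outer_dst = ipaddress.ip_address(alert["outer_dst"])
    inner_src = ipaddress.ip_address(alert["inner"]["src"])
    # An ICMP error is sent to the source of the offending datagram, so the
    # two addresses must agree; otherwise the packet was forged or mangled.
    if outer_dst != inner_src:
        return "inconsistent"
    if not in_monitored(outer_dst, monitored):
        return "not-ours"  # neither address is ours; odd to see on our wire
    if str(outer_dst) in active_hosts:
        return "reply-to-our-traffic"  # a real host of ours did send something
    return "backscatter"  # our address was spoofed by a third party


def responder(alert):
    """Did the embedded destination itself answer, or a hop in between?"""
    if alert["inner"] is None:
        return "unknown"
    return "end-host" if alert["outer_src"] == alert["inner"]["dst"] else "intermediate-filter"


def duplicate_groups(alerts):
    """Alerts that share timestamp, responder, embedded IP ID and target."""
    groups = defaultdict(list)
    for a in alerts:
        if a["inner"] is None:
            continue
        key = (a["ts"], a["outer_src"], a["inner"]["ip_id"],
               a["inner"]["dst"], a["inner"]["dport"])
        groups[key].append(a)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(a["ts"], a["outer_src"], "->", a["outer_dst"],
              classify(a), responder(a))
    print("duplicate groups:", len(duplicate_groups(parsed)))
```

Run against the two quoted alerts the first comes out as backscatter from an intermediate filter and the second as not-ours, and the pair is reported as one duplicate group; the script does not try to explain why the second packet was on the wire, it only makes the two observations from the thread easy to check over a whole day of alerts.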





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

