Snort mailing list archives
RE: Suspicious ICMP traces
From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Tue, 23 Oct 2001 22:55:28 -0500 (CDT)
Ofir,

Thanks for the reply. I actually found your site during my search and read your paper, very informative. I have since found out that the problem was caused by a misconfigured NT box serving as a Cisco Netphone call center. Very interesting. I bet it was the Cisco router on that network that was filtering out the outgoing UDP traffic.

Thanks again.

On Tue, 23 Oct 2001, Ofir Arkin wrote:

Demetri,

This does not seem to be a tunneled message. This is simply the echoed information from the original offending packet; each and every ICMP Error message carries with it (usually) the IP header + 8 data bytes of the offending packet.

Now, the type of message you are seeing is ICMP Port Unreachable - Communication Administratively Prohibited. According to the trace you provided, IP 12.125.63.42 tried to communicate with IP 192.168.75.5 (I bet this is a replaced IP, since 192.168.*.* is a reserved class B). From the trace provided we can see that 12.125.63.42 tried to access port 137 on the target. Some filtering device between the two prohibited the communication. It can be a router or any other filtering device (even a firewall configured to REJECT rather than DROP). This message notified the sending side that this kind of communication is not allowed.

You can read more on this issue from my research paper "ICMP Usage In Scanning" available from http://www.sys-security.com. Page 19:

"The Error message indicates that the destination system is configured to reject datagrams from the sending system. This error is used when datagrams based on some sort of criteria are being filtered by a filtering device (firewall/router/other filtering devices) restrictions or other security measures. We can conclude that our Destination Host is up and running, but we cannot reach it, since the filtering device is blocking our packets, and is instructing us to stop sending datagrams."

I hope this helps you out.

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Demetri Mouratis
Sent: ? 23 ??????? 2001 8:23
To: snort-users () lists sourceforge net
Subject: [Snort-users] Suspicious ICMP traces

Hello.

I'm interested in finding out what this packet trace might represent. I've done some reading on the subject and this looks like some kind of ICMP tunnel to me. Specifically, I'm worried that this might be a Loki type tunnel. I'm not really sure so I thought I'd pass this along for second opinions. One thing that raised my suspicions was that the ICMP packet seems to contain a UDP datagram within it. (Or am I jumping the gun on that?)

So, here is the relevant portion of alert:

[**] [1:485:1] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
10/21-20:21:24.622037 12.125.63.42 -> 192.168.75.7
ICMP TTL:246 TOS:0x0 ID:64752 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
192.168.75.7:137 -> 216.73.128.3:137
UDP TTL:112 TOS:0x0 ID:50100 IpLen:20 DgmLen:96
Len: 76
** END OF DUMP

I've got maybe 10,000 of these over a few day period. I'm also seeing portscans from 192.168.75.7 so I'm pretty sure something is not right here.

Thanks in advance for any help you can provide.

---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
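The point Ofir makes above, that the "UDP datagram inside the ICMP packet" is just the quoted IP header plus the first 8 bytes of the datagram the filter rejected (RFC 792), is easy to check by hand. The following is an added example and not code from anyone in the thread: it constructs an ICMP type 3 / code 13 message the way a filtering router would, using the addresses, ports, TTLs, IDs and lengths from the Snort alert (the original payload bytes are constructed, since the alert does not show them), then decodes it and pulls the quoted datagram back out. The `extra_bytes` field is the practical tell when triaging these alerts: a standards-conforming quote is the inner IP header plus 8 bytes, so a much larger quoted body (beyond what RFC 1812 lets routers include) is what would merit a closer look, not the mere presence of a UDP header.

```python
"""
Added example: build and decode an ICMP Destination Unreachable /
Communication Administratively Prohibited message (type 3, code 13) and
extract the quoted original datagram. All packet bytes are constructed here.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_ADMIN_PROHIBITED = 13
IPPROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (zero-pad odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl, ident) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def udp_datagram(sport, dport, payload) -> bytes:
    """UDP header plus payload; a zero checksum is legal for UDP over IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_admin_prohibited(filter_ip, orig_src, orig_dst, sport, dport, orig_payload) -> bytes:
    """What a filtering device sends back to the original sender:
    outer IP + 8-byte ICMP header + quoted inner IP header + first 8 bytes of the datagram."""
    inner_udp = udp_datagram(sport, dport, orig_payload)
    inner_ip = ipv4_header(orig_src, orig_dst, IPPROTO_UDP, len(inner_udp), ttl=112, ident=50100)
    quoted = inner_ip + inner_udp[:8]          # RFC 792: IP header + 64 bits of original data
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    outer_ip = ipv4_header(filter_ip, orig_src, socket.IPPROTO_ICMP, len(icmp), ttl=246, ident=64752)
    return outer_ip + icmp


def decode(packet: bytes) -> dict:
    """Decode outer IP + ICMP; for Destination Unreachable, also decode the quoted datagram."""
    ihl = (packet[0] & 0x0F) * 4
    o_src, o_dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    icmp = packet[ihl:]
    itype, icode = icmp[0], icmp[1]
    result = {"outer": (o_src, o_dst), "type": itype, "code": icode,
              "icmp_checksum_ok": inet_checksum(icmp) == 0, "quoted": None, "extra_bytes": 0}
    if packet[9] != socket.IPPROTO_ICMP or itype != ICMP_DEST_UNREACH:
        return result
    quoted = icmp[8:]                          # skip type, code, checksum, unused
    q_ihl = (quoted[0] & 0x0F) * 4
    q_proto = quoted[9]
    l4 = quoted[q_ihl:q_ihl + 8]               # the 8 quoted bytes: UDP/TCP ports live here
    sport, dport = struct.unpack("!HH", l4[:4]) if q_proto in (IPPROTO_UDP, 6) else (None, None)
    result["quoted"] = {
        "src": socket.inet_ntoa(quoted[12:16]), "dst": socket.inet_ntoa(quoted[16:20]),
        "proto": q_proto, "sport": sport, "dport": dport,
        "dgm_len": struct.unpack("!H", quoted[2:4])[0],   # total length of the ORIGINAL datagram
    }
    # RFC 792 quotes header + 8 bytes; RFC 1812 lets routers quote more, so treat a
    # large excess as a reason to inspect the bytes, not as proof of tunnelling.
    result["extra_bytes"] = max(0, len(quoted) - (q_ihl + 8))
    return result


if __name__ == "__main__":
    # Values from the alert in the thread; the 68 payload bytes are constructed.
    pkt = build_admin_prohibited("12.125.63.42", "192.168.75.7", "216.73.128.3",
                                 137, 137, b"\x00" * 68)
    print(len(pkt), decode(pkt))
```

With the constructed input the outer datagram comes out at 56 bytes and the quoted inner header reports a total length of 96, matching the DgmLen values Snort printed, and the quoted body contains nothing beyond the inner IP header and the UDP ports/length.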
Current thread:
- Suspicious ICMP traces Demetri Mouratis (Oct 22)
- Re: Suspicious ICMP traces Ryan Russell (Oct 23)
- RE: Suspicious ICMP traces Ofir Arkin (Oct 23)
- RE: Suspicious ICMP traces Demetri Mouratis (Oct 23)
- <Possible follow-ups>
- RE: Suspicious ICMP traces Cessna, Michael (Oct 23)