Firewall Wizards mailing list archives
Re: IDS: ICMP type3/code3
From: trall () almaden ibm com
Date: Tue, 29 Jun 1999 10:10:10 -0700
Other possibilities:

* If your own machine is doing a lot of (udp-based) traceroutes, it will naturally receive many "port unreachables".
* Another DNS possibility is a machine doing many non-thread-safe queries from a single process. Most resolvers out there are not thread-safe. If multiple queries are issued before the responses are received, only the first response will be accepted by the client. "Port unreachable" will be returned for most of the others.

Tony Rall

Robert Graham <robert_david_graham () yahoo com> on 06/24/1999 19:34:01

Probably due to stale DNS requests. Your server is responding late, probably because it is timing out on some recursive query, and by the time it gets back to the client, it has given up on you and closed its socket.

For more info, see: http://www.robertgraham.com/pubs/firewall-seen.html
(Document describes frequent things firewall admins see in their logs)

--- Lance Spitzner <spitzner () dimension net> wrote:
My DNS servers are receiving a great deal of ICMP type3/code3 at random times.

3 Destination Unreachable [RFC792]
  Codes
    0 Net Unreachable
    1 Host Unreachable
    2 Protocol Unreachable
    3 Port Unreachable

My IDS scripts kick off thinking this is some type of 'smurf' attack, as I can receive a large number of packets in a very short time. Also, this tends to be random, as my DNS servers will not receive any ICMP 3/3 packets for a week, then in a single day I will receive a total of 700+ packets in an hour from 4 different sources.

I know of several other people who have reported this same issue. Is this a security issue, or a bind issue?

Thanks

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
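The causes suggested in this thread can be told apart from the packets themselves, because an ICMP port unreachable quotes the IP header and first 8 bytes of the datagram that triggered it (RFC 792). The following is an added example, not code from any of the posters: it classifies each 3/3 message by the quoted UDP ports. The function names, the sample addresses and the traceroute port range are assumptions.

```python
import socket
import struct
from collections import Counter

TRACEROUTE_PORTS = range(33434, 33535)  # assumed: conventional UDP traceroute range

def classify_unreachable(icmp: bytes, our_ip: str) -> str:
    """Classify one ICMP message (bytes start at the ICMP header)."""
    if len(icmp) < 8 or icmp[0] != 3 or icmp[1] != 3:
        return "not-port-unreachable"
    inner = icmp[8:]  # quoted IP header + first 8 bytes of the datagram
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return "malformed"
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 4:
        return "malformed"
    if inner[9] != 17:  # quoted datagram was not UDP
        return "non-udp"
    if socket.inet_ntoa(inner[12:16]) != our_ip:
        return "not-from-us"  # quotes a datagram this host never sent
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    if sport == 53:
        return "stale-dns-reply"  # our answer reached a closed client socket
    if dport in TRACEROUTE_PORTS:
        return "traceroute-probe"  # our own UDP traceroute reached its target
    return "other-udp"

def build_sample(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed ICMP 3/3 quoting a UDP datagram (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp

def summarize(messages, our_ip: str) -> Counter:
    """Tally classifications for a burst of ICMP messages."""
    return Counter(classify_unreachable(m, our_ip) for m in messages)

DNS_SERVER = "192.0.2.53"  # constructed documentation address
SAMPLES = [  # constructed messages, not captured traffic
    build_sample(DNS_SERVER, "198.51.100.7", 53, 40112),
    build_sample(DNS_SERVER, "198.51.100.7", 53, 40113),
    build_sample(DNS_SERVER, "203.0.113.9", 51000, 33440),
    build_sample("203.0.113.200", "198.51.100.7", 53, 1234),
]

if __name__ == "__main__":
    print(summarize(SAMPLES, DNS_SERVER))
```

A burst that tallies almost entirely as `stale-dns-reply` matches the late-answer and single-socket resolver explanations given above; messages in the other buckets are the ones worth a closer look.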