Re: IDS: ICMP type3/code3

[trall () almaden ibm com]

Other possibilities:

* If your own machine is doing a lot of (udp-based) traceroutes, it will
naturally receive many "port unreachables".

* Another DNS possibility is a machine doing many non-thread-safe queries from a
single process.  Most resolvers out there are not thread-safe.  If multiple
queries are issued before the responses are received, only the first response
will be accepted by the client.  "Port unreachable" will be returned for most of
the others.

Tony Rall



Robert Graham <robert_david_graham () yahoo com> on 06/24/1999 19:34:01
Probably due to stale DNS requests. Your server is responding late, probably
because it is timing out on some recursive query, and by the time it gets back
to the client, it has given up on you and closed its socket.

For more info, see:
http://www.robertgraham.com/pubs/firewall-seen.html
(Document describes frequent things firewall admins see in their logs)


--- Lance Spitzner <spitzner () dimension net> wrote:
> My DNS servers are receiving a great deal of
> ICMP type3/code3 at random times.
>
> 3     Destination Unreachable                  [RFC792]
>
>         Codes
>             0  Net Unreachable
>             1  Host Unreachable
>             2  Protocol Unreachable
>             3  Port Unreachable
>
> My IDS scripts kick off thinking this is some type 'smurf'
> attack, as I can receive a large number of packets in a very
> short time. Also, this tends to be random, as my DNS servers
> will not receive any ICMP 3/3 packets for a week, then in
> a single day I will recieve a total of 700+ packets in an hour
> from 4 different sources.
>
> I know of several other people who have reported this same issue.
> Is this a security issue, or a bind issue?
>
> Thanks
>
> Lance Spitzner
> http://www.enteract.com/~lspitz/papers.html
> Internetworking & Security Engineer
> Dimension Enterprises Inc