Firewall Wizards mailing list archives
Re: strange icmp packets.
From: Bill_Royds () pch gc ca
Date: Wed, 17 Mar 1999 15:25:23 -0500
I have been noticing these too. We have a valid class B behind our firewall but many IP's are not in use and our firewall replaces all internal IP numbers by its external NIC. We get many ICMP errors trying to return to these internal IP numbers. Often when you look at the internal contents of ICMP, it is packets with our addresses and source port just above 1024 and the destination addresses dialup lines or shell accounts and destination ports 80 or 113 or 79 (common services). The ack bit is set as if they are spoofing return packets for likely open sessions. Darren Reed <avalon () coombs anu edu au> on 99-03-17 02:59:20 AM Please respond to Darren Reed <avalon () coombs anu edu au> To: firewall-wizards () nfr net cc: (bcc: Bill Royds/HullOttawa/PCH/CA) Subject: strange icmp packets. Amongst the meabytes of log information that I'm seeing on a firewall are icmp error packets being sent back to hosts which don't and have never existed. I assume others are seeing the same. Has anyone looked closer at this and decided it's either replies to spoof'd packets being sent with their address or is someone trying to scan using ICMP error packets ?! The latter seems somewhat strange to me as you're not meant to reply to those (I'm refering to unreachables and quenches here). Darren
Attachment:
att1.eml
Description:
Current thread:
- strange icmp packets. Darren Reed (Mar 17)
- Re: strange icmp packets. Kaptain (Mar 17)
- <Possible follow-ups>
- RE: strange icmp packets. Frank W. Keeney (Mar 18)
- RE: strange icmp packets. Chuck Young (Mar 19)
- Message not available
- RE: strange icmp packets. Neil Ratzlaff (Mar 22)
- Re: strange icmp packets. Bill_Royds (Mar 18)
- Re: strange icmp packets. Neil Ratzlaff (Mar 19)
- Re: strange icmp packets. Darren Reed (Mar 19)
- RE: strange icmp packets. Robert Graham (Mar 23)