Firewall Wizards mailing list archives
RE: strange icmp packets.
From: Robert Graham <robert_david_graham () yahoo com>
Date: Mon, 22 Mar 1999 15:57:08 -0800 (PST)
My guess is that somebody is doing an NMAP portscan against the victim and is spoofing a number of IP addresses along with the scan in order to hide where he is coming from. The victim is sending the unreachables back to all the IP addresses that appear in the scan. One of them is the attacker, and the rest are innocent bystanders such as yourself.

I, too, would like to see the sniffer trace of these packets, because they contain the IP/UDP-TCP headers, which will tell us a lot about the attacker. For example, we could probably look at the IP identification field and the sequence of port numbers to really see if there is some kind of pattern.

Rob.

---Neil Ratzlaff <Neil.Ratzlaff () ucop edu> wrote:
> I have gotten several icmp codes, most often type 3 (codes 0-3) and type 11,
> but also type 12, 4, and 5.
>
> Neil
>
> At 22:01 03/18/99 +0000, Chuck Young wrote:
>> Has anyone noticed what the error number was in these packets? Was it
>> unreachable? (I think 3). I have seen ICMP unreachables from hosts not
>> trying to connect and am wondering what is at the bottom of all this too.
>>
>> Chuck Young
>>
>> On Wed, 17 Mar 1999, Frank W. Keeney wrote:
>>> Date: Wed, 17 Mar 1999 17:12:08 -0800
>>> From: "Frank W. Keeney" <FKeeney () hsa com>
>>> To: firewall-wizards () nfr net
>>> Subject: RE: strange icmp packets.
>>>
>>> I've seen lots of these. It would be interesting to see their contents
>>> in a sniffer.
>>>
>>> On Wed, 17 Mar 1999, Darren Reed wrote:
>>>> Amongst the megabytes of log information that I'm seeing on a firewall
>>>> are icmp error packets being sent back to hosts which don't and have
>>>> never existed. I assume others are seeing the same.
>>>>
>>>> Has anyone looked closer at this and decided it's either replies to
>>>> spoof'd packets being sent with their address or is someone trying to
>>>> scan using ICMP error packets?! The latter seems somewhat strange to me
>>>> as you're not meant to reply to those (I'm referring to unreachables
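Added example, not part of the original thread: a parser for the quoted original header that ICMP error messages carry, which is what a sniffer trace of these packets would let a recipient inspect (IP identification field, port sequence, scanned host). The addresses, ports and IP IDs in the sample packets are constructed, and the function names are hypothetical.

```python
import socket
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # the ICMP types reported in this thread

def parse_icmp_error(icmp: bytes):
    """Return fields of the original datagram quoted in an ICMP error, else None."""
    if len(icmp) < 8 + 20 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    inner = icmp[8:]  # skip the 8-byte ICMP header; the quoted IP header follows
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None
    (ip_id,) = struct.unpack_from("!H", inner, 4)
    proto = inner[9]
    sport = dport = None
    if proto in (6, 17):  # TCP and UDP headers both begin with the two ports
        sport, dport = struct.unpack_from("!HH", inner, ihl)
    return {"icmp_type": icmp[0], "icmp_code": icmp[1],
            "src": socket.inet_ntoa(inner[12:16]),  # address the scan claimed
            "dst": socket.inet_ntoa(inner[16:20]),  # host that was scanned
            "ip_id": ip_id, "proto": proto, "sport": sport, "dport": dport}

def build_sample(ip_id: int, dport: int) -> bytes:
    """Constructed sample: port unreachable (3/3) quoting a UDP probe."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ip_id, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"),    # constructed spoofed source
                     socket.inet_aton("198.51.100.7"))  # constructed scanned host
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp  # checksums left at zero

def summarize(packets):
    """Collect scanned hosts, port order and IP ID deltas from the quoted headers."""
    recs = [r for r in map(parse_icmp_error, packets) if r]
    ids = [r["ip_id"] for r in recs]
    return {"scanned": sorted({r["dst"] for r in recs}),
            "ports": [r["dport"] for r in recs],
            "id_deltas": [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]}

SAMPLES = [build_sample(0x1000 + i, p) for i, p in enumerate((53, 69, 111, 161))]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(parse_icmp_error(pkt))
    print(summarize(SAMPLES))
```

The input to `parse_icmp_error` is the ICMP message starting at its type byte, as it would be sliced out of a capture after the outer IP header.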