Firewall Wizards mailing list archives

RE: strange icmp packets.


From: Robert Graham <robert_david_graham () yahoo com>
Date: Mon, 22 Mar 1999 15:57:08 -0800 (PST)

My guess is that somebody is doing an NMAP portscan against the victim
and is spoofing a number of IP addresses along with the scan in order
to hide where he is coming from. The victim is sending the
unreachables back to all the IP addresses that appear in the scan. One
of them is the attacker, and the rest are innocent bystanders such as
yourself. 

I, too, would like to see the sniffer trace of these packets, because
they contain the IP/UDP-TCP headers, which will tell us a lot about
the attacker. For example, we could probably look at the IP
identification field and the sequence of port numbers to really see if
there is some kind of pattern.

Rob.

---Neil Ratzlaff <Neil.Ratzlaff () ucop edu> wrote:

I have gotten several icmp codes, most often type 3 (codes 0-3) and
type 11, but also type 12, 4, and 5.

Neil

At 22:01 03/18/99 +0000, Chuck Young wrote:
Has anyone noticed what the error number was in these packets?  Was it
unreachable? (I think 3).  I have seen ICMP unreachables from hosts not
trying to connect and am wondering what is at the bottom of all this
too.

Chuck Young

On Wed, 17 Mar 1999, Frank W. Keeney wrote:

Date: Wed, 17 Mar 1999 17:12:08 -0800
From: "Frank W. Keeney" <FKeeney () hsa com>
To: firewall-wizards () nfr net
Subject: RE: strange icmp packets.

I've seen lots of these. It would be interesting to see their contents
in a sniffer.

On Wed, 17 Mar 1999, Darren Reed wrote:

Amongst the megabytes of log information that I'm seeing on a firewall
are icmp error packets being sent back to hosts which don't and have
never existed.  I assume others are seeing the same.  Has anyone
looked closer at this and decided it's either replies to spoof'd
packets being sent with their address or is someone trying to scan
using ICMP error packets ?!  The latter seems somewhat strange to me
as you're not meant to reply to those (I'm referring to unreachables
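
The header inspection Rob asks for, as an added example that is not part of the original thread: it pulls the quoted IP header and first 8 transport bytes out of each ICMP error and lists the IP identification deltas and destination-port sequence. The function names, the documentation-range addresses and the sample packets are constructed for illustration.

```python
import socket
import struct

# ICMP error types mentioned in the thread (3, 11, 12, 4, 5).
ICMP_ERRORS = {3, 4, 5, 11, 12}

def parse_icmp_error(icmp: bytes):
    """Return fields of the datagram quoted inside an ICMP error, else None."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] not in ICMP_ERRORS:
        return None
    inner = icmp[8:]                       # quoted IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    sport = dport = None
    if proto in (6, 17):                   # TCP and UDP both start with ports
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "icmp_type": icmp[0], "icmp_code": icmp[1],
        "ip_id": struct.unpack("!H", inner[4:6])[0],
        "proto": proto,
        "src": socket.inet_ntoa(inner[12:16]),   # address the scan packet claimed
        "dst": socket.inet_ntoa(inner[16:20]),   # host that was scanned
        "sport": sport, "dport": dport,
    }

def summarize(records):
    """Expose IP ID and destination-port sequences across captured errors."""
    ids = [r["ip_id"] for r in records]
    return {
        "id_deltas": [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])],
        "dports": [r["dport"] for r in records],
        "claimed_sources": sorted({r["src"] for r in records}),
        "scanned_hosts": sorted({r["dst"] for r in records}),
    }

def build_sample(ip_id, dport, src="192.0.2.10", dst="198.51.100.7"):
    """Constructed type 3 code 3 error quoting a UDP probe (checksums zeroed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ip_id, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp

if __name__ == "__main__":
    packets = [build_sample(0x1000 + i, 20 + i) for i in range(4)]
    print(summarize([parse_icmp_error(p) for p in packets]))
```

A constant IP ID step combined with a stepped port sequence across errors that quote different claimed sources suggests the probes came from one sender.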


