Security Incidents mailing list archives

Re: Can anyone identify this?


From: Brian Burns <bburns () MARKVII COM>
Date: Wed, 2 Aug 2000 09:12:51 -0500

There is no public host on the network. The only IP used is the Ext IF on
the firewall. There are 10 +/- workstations behind NAT, but no hosted
servers.

-----Original Message-----
From: Jason Lewis [mailto:jlewis () jasonlewis net]
Sent: Tuesday, August 01, 2000 8:15 PM
To: INCIDENTS () SECURITYFOCUS COM
Cc: 'Brian Burns'
Subject: RE: Can anyone identify this?


It looks like someone is pinging or using traceroute.

You left out what kind of box the destination is.  Web server, FTP server,
DNS server, normal workstation... it makes a difference.  What else is
inside the network?  Something worth getting to?

Is there any pattern to the attempts to connect?  If you are hosting a web
server and dropping pings at the SonicWall, that may be the problem.
Someone or some program is attempting to see if the machine is alive before
connection.

It may be harmless, it may be an automated ping sweep.

Jason
http://www.jasonlewis.net

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Brian Burns
Sent: Monday, July 31, 2000 2:25 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Can anyone identify this?


I have just been forwarded this log from a friend's SonicWall. It appears
that this traffic has been repeating itself (24x7) for over a week. I think
that this might be a coordinated scan, or maybe a DoS attack against a third
party? Is anyone aware of any trojans or probes that are affected on port 3?

Any help for this newbie is appreciated...

07/31/2000 11:36:45.784 -       ICMP packet dropped -   Source:x.x.x.85, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:36:47.304 -       ICMP packet dropped -   Source:x.x.x.81, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:36:48.864 -       ICMP packet dropped -   Source:x.x.x.69, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:36:50.384 -       ICMP packet dropped -   Source:x.x.x.85, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:36:59.576 -       ICMP packet dropped -   Source:x.x.x.81, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:37:05.688 -       ICMP packet dropped -   Source:x.x.x.85, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:37:07.288 -       ICMP packet dropped -   Source:x.x.x.81, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:37:08.768 -       ICMP packet dropped -   Source:x.x.x.85, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:37:10.288 -       ICMP packet dropped -   Source:x.x.x.81, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:37:11.864 -       ICMP packet dropped -   Source:x.x.x.69, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:37:14.864 -       ICMP packet dropped -   Source:x.x.x.81, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:37:16.480 -       ICMP packet dropped -   Source:x.x.x.85, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:37:19.496 -       ICMP packet dropped -   Source:x.x.x.69, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:37:22.576 -       ICMP packet dropped -   Source:x.x.x.81, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:37:24.096 -       ICMP packet dropped -   Source:x.x.x.69, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:37:25.656 -       ICMP packet dropped -   Source:x.x.x.81, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:37:27.192 -       ICMP packet dropped -   Source:x.x.x.85, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
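
The pattern question raised in the thread can be answered from the log itself. The following is an added example, not part of the original messages: it parses entries in the format quoted above, groups them by source, and reports the count and median spacing per source. It assumes the number after each address on an ICMP entry is the ICMP type (type 3 is Destination Unreachable, matching the log's own label); the function names are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# First four entries of the log above, still wrapped the way the mail left them.
SAMPLE = """\
07/31/2000 11:36:45.784 -       ICMP packet dropped -   Source:x.x.x.85, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:36:47.304 -       ICMP packet dropped -   Source:x.x.x.81, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:36:48.864 -       ICMP packet dropped -   Source:x.x.x.69, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
07/31/2000 11:36:50.384 -       ICMP packet dropped -   Source:x.x.x.85, 3,
WAN -   Destination:<my ip>, 3, LAN -   'Dest Unreachable' -    Rule 0
"""

ENTRY = re.compile(
    r"(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) - (?P<proto>\w+) packet dropped - "
    r"Source:(?P<src>[^,]+), (?P<num>\d+), \w+ - "
    r"Destination:(?P<dst>[^,]+), \d+, \w+ - '(?P<label>[^']*)'"
)
# Well-known ICMP type numbers (RFC 792).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request", 11: "Time Exceeded"}

def parse(text):
    """Collapse wrapping and column padding, then return one dict per log entry."""
    entries = []
    for m in ENTRY.finditer(" ".join(text.split())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %H:%M:%S.%f")
        # Assumption: on ICMP entries the number after the address is the ICMP type, not a port.
        num = int(e.pop("num"))
        e["kind"] = ICMP_TYPES.get(num, f"ICMP type {num}") if e["proto"] == "ICMP" else e["proto"]
        entries.append(e)
    return entries

def summarise(entries):
    """Per source: entry count, kinds seen, and median seconds between entries."""
    by_src = defaultdict(list)
    for e in entries:
        by_src[e["src"]].append(e)
    summary = {}
    for src, es in by_src.items():
        times = sorted(e["ts"] for e in es)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[src] = {"count": len(es), "kinds": sorted({e["kind"] for e in es}),
                        "median_gap_s": round(median(gaps), 3) if gaps else None}
    return summary
```

Calling `summarise(parse(log_text))` on the full log gives one row per source, which makes a fixed retry interval or a rotating set of senders visible at a glance.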

