Security Incidents mailing list archives

Re: Tons of ping activity?


From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Fri, 29 Dec 2000 18:39:50 +0100

On Thu, 28 Dec 2000, Steve Cody wrote:

> Dec 27 16:19:26 brimstone kernel: Packet log: input DENY eth0 PROTO=1 207.239.230.33:11 255.255.255.255:0 L=56 S=0xC0 I=43238 F=0x0000 T=244

These datagrams are not pings (ICMP Echo) but ICMP Time Exceeded / TTL
Count Exceeded (type 11, code 0). Surprisingly, I have observed something
similar here, only the destination address was a little bit saner:

Dec 27 02:46:51 kerberos2 kernel: IP dest[3] DENY eth1 ICMP 207.239.230.33:11 195.113.28.0:0 L=56 S=0xC0 I=44541 F=0x0000 T=242
Dec 27 02:49:34 kerberos2 kernel: IP dest[4] DENY eth1 ICMP 210.57.16.44:11 195.113.29.0:0 L=56 S=0xC0 I=64839 F=0x0000 T=238
Dec 27 03:00:06 kerberos2 kernel: IP dest[3] DENY eth1 ICMP 207.239.230.33:11 195.113.28.0:0 L=56 S=0xC0 I=51856 F=0x0000 T=242
Dec 27 03:02:20 kerberos2 kernel: IP dest[3] DENY eth1 ICMP 202.84.206.1:11 195.113.28.0:0 L=56 S=0xC0 I=35147 F=0x0000 T=239

It appears someone is polluting the Net with forged datagrams having short
TTL and bogus source addresses, and those datagrams are bounced back to
those forged addresses...this would explain the garbage intercepted by my
own packet filter but how could datagrams addressed to 255.255.255.255 get
to you is a mystery to me. (The routers sending them do not have a
direct connection to your machine, do they?) Something really screwy must
be taking place here.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
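
As an added example (not part of Pavel's message, and not code from ipchains or any other project), here is a small Python parser for kernel packet-filter log lines of the kind quoted above. It decodes the two "port" fields of an ICMP entry as type:code, so that `207.239.230.33:11 ... :0` reads as Time Exceeded / TTL count exceeded in transit rather than as a ping, flags such ICMP errors as bounced replies to datagrams that carried the receiver's address as a forged source, and notes destination addresses (the limited broadcast 255.255.255.255, the network addresses ending in .0) that should not have reached a host at all. The first three sample lines are the ones quoted in the thread; the fourth, an Echo Request from 192.0.2.10, is constructed for contrast. The regular expression accepts both the `PROTO=<n>` and the bare protocol-name spellings seen in the two log variants; the classification tags and helper names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input. The first three lines are the ipchains-style kernel packet-filter
# log lines quoted in the thread; the fourth is a constructed ICMP Echo Request
# (a real "ping") added for contrast.
SAMPLE_LOG = """\
Dec 27 16:19:26 brimstone kernel: Packet log: input DENY eth0 PROTO=1 207.239.230.33:11 255.255.255.255:0 L=56 S=0xC0 I=43238 F=0x0000 T=244
Dec 27 02:46:51 kerberos2 kernel: IP dest[3] DENY eth1 ICMP 207.239.230.33:11 195.113.28.0:0 L=56 S=0xC0 I=44541 F=0x0000 T=242
Dec 27 02:49:34 kerberos2 kernel: IP dest[4] DENY eth1 ICMP 210.57.16.44:11 195.113.29.0:0 L=56 S=0xC0 I=64839 F=0x0000 T=238
Dec 27 03:10:00 kerberos2 kernel: IP dest[3] DENY eth1 ICMP 192.0.2.10:8 195.113.28.5:0 L=84 S=0x00 I=12345 F=0x0000 T=64
"""

PROTO_NUMS = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}
TIME_EXCEEDED_CODES = {0: "TTL count exceeded in transit",
                       1: "fragment reassembly time exceeded"}

# Tail of an ipchains-style log line. The protocol appears either as PROTO=<number>
# or as a bare name (ICMP/TCP/UDP), as in the two log variants quoted in the thread.
# For ICMP the src:port / dst:port fields actually carry ICMP type and code.
LOG_RE = re.compile(
    r"(?P<host>\S+) kernel: .*?(?P<verdict>DENY|REJECT|ACCEPT) (?P<iface>\S+) "
    r"(?:PROTO=(?P<pnum>\d+)|(?P<pname>[A-Z]+)) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sfield>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dfield>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)


@dataclass
class Entry:
    host: str
    iface: str
    verdict: str
    proto: str
    src: str
    dst: str
    sfield: int    # source port, or ICMP type
    dfield: int    # destination port, or ICMP code
    length: int
    tos: int
    ip_id: int
    ttl: int


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that are not packet-filter entries."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    if m.group("pname"):
        proto = m.group("pname")
    else:
        num = int(m.group("pnum"))
        proto = PROTO_NUMS.get(num, f"PROTO={num}")
    return Entry(
        host=m.group("host"), iface=m.group("iface"), verdict=m.group("verdict"),
        proto=proto, src=m.group("src"), dst=m.group("dst"),
        sfield=int(m.group("sfield")), dfield=int(m.group("dfield")),
        length=int(m.group("length")), tos=int(m.group("tos"), 16),
        ip_id=int(m.group("ipid")), ttl=int(m.group("ttl")),
    )


def classify(e: Entry) -> str:
    """Short tag for tallying; ICMP entries are keyed by type, not by 'port'."""
    if e.proto != "ICMP":
        return e.proto.lower()
    return {8: "icmp-echo-request", 0: "icmp-echo-reply", 11: "icmp-time-exceeded",
            3: "icmp-dest-unreachable"}.get(e.sfield, f"icmp-type-{e.sfield}")


def describe(e: Entry) -> str:
    """Human-readable rendering; spells out ICMP type/code so 11:0 is not read as a ping."""
    if e.proto != "ICMP":
        return f"{e.proto} {e.src}:{e.sfield} -> {e.dst}:{e.dfield} ttl={e.ttl}"
    tname = ICMP_TYPES.get(e.sfield, f"type {e.sfield}")
    text = f"ICMP {tname} (type {e.sfield}, code {e.dfield}) from {e.src} to {e.dst} ttl={e.ttl}"
    if e.sfield == 11 and e.dfield in TIME_EXCEEDED_CODES:
        text += ": " + TIME_EXCEEDED_CODES[e.dfield]
    return text


def is_bounced_error(e: Entry) -> bool:
    """ICMP errors (Time Exceeded, Destination Unreachable) are sent back to the
    *source* address of the datagram that triggered them. Receiving one for traffic
    you never sent means that datagram carried your address as a forged source."""
    return e.proto == "ICMP" and e.sfield in (3, 11)


def anomalies(e: Entry) -> List[str]:
    """Destination addresses that a unicast ICMP error should never be sent to."""
    notes = []
    if e.dst == "255.255.255.255":
        notes.append("destination is the limited-broadcast address, which routers must not forward")
    elif e.dst.endswith(".0"):
        # Crude heuristic matching the /24 network addresses seen in the thread.
        notes.append("destination looks like a network address rather than a host")
    return notes


def tally(log_text: str) -> Dict[str, int]:
    """Count parsed entries per classification tag."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            counts[classify(e)] += 1
    return dict(counts)


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        flag = " [bounced error: our address forged as source?]" if is_bounced_error(entry) else ""
        print(f"{entry.host} {entry.iface} {entry.verdict}: {describe(entry)}{flag}")
        for note in anomalies(entry):
            print("    !", note)
    print(tally(SAMPLE_LOG))
```

Run against a real `/var/log/messages`, the tally separates genuine Echo Requests from the Time Exceeded messages discussed here, and the `is_bounced_error` flag on an entry is the hint to look for who is sending short-TTL datagrams with your addresses as source rather than for who is "pinging" you.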
