Security Incidents mailing list archives

Re: invalid icmp in linux?


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Sun, 28 May 2000 17:47:27 -0400


On Sat, 27 May 2000, Eric LeBlanc wrote:

May 26 17:35:17 toutatis kernel: 64.228.200.219 sent an invalid ICMP error to a broadcast.
May 26 17:35:17 toutatis last message repeated 9 times

Linux toutatis 2.2.13 #1 SMP Mon Nov 29 22:53:42 EST 1999 i686 unknown

My server is down after the attack.. :-/ What is it? How do I patch?

what attack? i'm really confused as to why you think this is an attack.

it appears that the host at 64.228.200.219 is in possession of a poor IP
stack, at least as far as ICMP is concerned. ICMP errors should *never* be
sent regarding broadcast frames. imagine the traffic flood you would see!
Postel 1981 (rfc 792, ftp://ftp.isi.edu/in-notes/rfc792.txt) is the ICMP
spec, see also RFC 950 (ftp://ftp.isi.edu/in-notes/rfc950.txt).

stevens (tcp/ip illustrated vol 1, 1994) notes on pages 70 and 71 (chapter
6, ICMP) that ICMP error messages should never be generated in response to
a broadcast (can't find the RFC policy on this, but stevens is usually the
next best thing). as such, it's probably your kernel correctly reporting
that you have a misconfigured system on the network. it's not an attack,
in almost all certainty.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc


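As an added example (not from the thread or its authors), here is a small Python script that tallies the quoted kernel messages per source address, folding in syslog's "last message repeated N times" lines, and encodes the rule the reply describes: the suppression conditions for ICMP errors in RFC 1122 section 3.2.2 (the policy the reply could not locate). The names Datagram, icmp_error_allowed and count_offenders and the 192.0.2.0/24 subnet are assumptions; it covers the address and fragment rules, not the link-layer-broadcast rule.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of the syslog lines quoted in the thread.
SAMPLE_LOG = """\
May 26 17:35:17 toutatis kernel: 64.228.200.219 sent an invalid ICMP error to a broadcast.
May 26 17:35:17 toutatis last message repeated 9 times
"""
LOG_RE = re.compile(r"kernel: (\S+) sent an invalid ICMP error to a broadcast")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

def count_offenders(log: str) -> dict:
    """Tally reports per source host, folding in syslog 'repeated N times' lines."""
    counts, last = {}, None
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            last = m.group(1)
            counts[last] = counts.get(last, 0) + 1
            continue
        r = REPEAT_RE.search(line)
        if r and last:
            counts[last] += int(r.group(1))
    return counts

@dataclass
class Datagram:
    src: str
    dst: str
    local_net: str              # receiver's subnet, for the directed-broadcast check
    fragment_offset: int = 0
    carries_icmp_error: bool = False

def icmp_error_allowed(d: Datagram) -> tuple:
    """RFC 1122 s3.2.2 suppression rules (assumed names; IPv4 address rules only)."""
    src, dst = ipaddress.ip_address(d.src), ipaddress.ip_address(d.dst)
    net = ipaddress.ip_network(d.local_net, strict=False)
    limited = ipaddress.ip_address("255.255.255.255")
    if dst in (net.broadcast_address, limited) or dst.is_multicast:
        return False, "destination is broadcast/multicast"
    if d.fragment_offset != 0:
        return False, "non-initial fragment"
    if d.carries_icmp_error:
        return False, "datagram is itself an ICMP error"
    if src in (net.broadcast_address, limited) or src.is_multicast \
            or src.is_unspecified or src.is_loopback or src.is_reserved:
        return False, "source does not identify a single host"
    return True, "ok"
```

Run against the quoted log, count_offenders reports ten messages from the one remote host, which is what the reply attributes to that host's IP stack rather than to an attack.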