Security Incidents mailing list archives

Re: Possible ICMP DOS spoofed to Nameservers?


From: Ryan Russell <ryan () securityfocus com>
Date: Sun, 30 Dec 2001 18:37:45 -0700 (MST)

On Sun, 30 Dec 2001, Richard Gilman wrote:

I've been seeing ICMP Type 3 Code 13 messages coming from 2 sites and
destined to our name servers.

Which is Destination Unreachable, Communication Administratively
Prohibited

While doing a tcpdump I see no outbound
packets with a destination directed toward the sites sending the ICMP
unreachable messages.

That may be because an intermediate device is the one sending the ICMP
packets, i.e. a router in front of the address you are sending packets to.
You might be sending DNS lookup requests to 1.2.3.4, but the router
2.3.4.5 in front of it may be the one blocking the traffic, and the
source address of the ICMP packets you will get will be 2.3.4.5.  That's
one of the things I really dislike about ICMP.

Fortunately, the info you want is actually contained in the body of the
ICMP packets.  That will give you the source and destination addresses
in the packet that was blocked.  If you post a hex dump of one of the ICMP
packets, someone can decode it for you.

(Apologies if you already knew this, and simply failed to indicate in your
note.)

                                        Ryan
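Added example, not part of the original thread: a small decoder for the situation Ryan describes. It takes a hex dump of an IPv4 packet carrying an ICMP Destination Unreachable, pulls the original IP header and UDP ports out of the ICMP body, and reports whether the ICMP sender is a different host from the one the blocked packet was addressed to. The addresses (192.0.2.53 as the name server, 198.51.100.10 as the queried host, 203.0.113.1 as the filtering router) are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

ICMP_DEST_UNREACH = 3
ICMP_ADMIN_PROHIBITED = 13  # Type 3 Code 13: Communication Administratively Prohibited

def build_ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left zero since this is constructed sample data
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def build_icmp_unreachable(router, orig_src, orig_dst, sport, dport):
    # Constructed sample: router answers orig_src with ICMP 3/13, quoting the original
    # datagram's IP header plus the first 8 bytes of its UDP header (RFC 792 layout).
    udp8 = struct.pack("!HHHH", sport, dport, 8 + 29, 0)  # 29-byte DNS query assumed
    inner = build_ipv4_header(orig_src, orig_dst, 17, 8 + 29) + udp8
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIBITED, 0, 0) + inner
    return build_ipv4_header(router, orig_src, 1, len(icmp)) + icmp

def decode_icmp_unreachable(pkt):
    """Return who sent the ICMP error and which original packet it refers to."""
    if pkt[9] != 1:
        raise ValueError("outer protocol is not ICMP")
    icmp = pkt[(pkt[0] & 0x0F) * 4:]          # skip outer IP header (IHL in 32-bit words)
    itype, icode = icmp[0], icmp[1]
    if itype != ICMP_DEST_UNREACH:
        raise ValueError(f"ICMP type {itype} is not Destination Unreachable")
    inner = icmp[8:]                           # quoted original datagram starts after 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    icmp_from, orig_dst = IPv4Address(pkt[12:16]), IPv4Address(inner[16:20])
    return {
        "icmp_from": str(icmp_from),           # router or host that emitted the error
        "code": icode,
        "orig_src": str(IPv4Address(inner[12:16])),
        "orig_dst": str(orig_dst),             # where the blocked packet was really going
        "orig_proto": inner[9],
        "orig_sport": sport,
        "orig_dport": dport,
        # True when an intermediate device, not the destination, blocked the packet
        "sender_is_intermediate": icmp_from != orig_dst,
    }

def decode_hex_dump(text):
    """Accept a whitespace-separated hex dump such as tcpdump -x prints."""
    return decode_icmp_unreachable(bytes.fromhex("".join(text.split())))

if __name__ == "__main__":
    sample = build_icmp_unreachable("203.0.113.1", "192.0.2.53", "198.51.100.10", 4096, 53)
    print(decode_hex_dump(sample.hex()))
```

On a real capture, the outer source is what tcpdump shows as the ICMP sender; it is `orig_dst` and `orig_dport` (53 for DNS) that tell you which of your outbound queries was refused.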


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
