Security Incidents mailing list archives

ICMP Destination Unreachable, Administratively Prohibited


From: Neil Dickey <neil () geol niu edu>
Date: Thu, 13 Feb 2003 16:35:11 -0600 (CST)

I apologize if this has been covered recently or the answer to my question
is obvious.  I'm just learning about things like this.

I have noticed what appears to be a new (to me, anyway) sort of scan in my
Snort logs, which are appended below.  I'm getting a "Dest. Unreach." signal
from an educational network in Beijing, China, that arrived at a time when
no one was using the boxes from which the TCP sessions were supposed to have
originated.  Eight different machines at our site were involved, including
unix boxes, printers, and PCs.  I checked the unix boxes, and nothing was
active on the outbound ports, e.g. port 1432 on 131.156.X.AA in the logs
below.

The "original" traffic was supposed to have been directed at port 22 on what
appears to be a Genuity router, 4.24.204.90.  That was what initially caught
my eye.  Outbound SSH traffic from a printer just isn't that common around
here.  ;-)

My questions are these:  Does anyone know what sort of probe is being used?
Is this in fact a probe of our site, or just backsplash from a scan of another
site using our IPs as spoofed source addresses?  Is it something else I
haven't thought of?

I would appreciate any advice anyone could give.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:16.846803 0:1:64:73:31:4 -> 8:0:20:A4:6E:42 type:0x800 len:0x46
211.68.233.1 -> 131.156.X.AA ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.AA:1432 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11106 IpLen:20 DgmLen:40
Seq: 0x4CB40000  Ack: 0x7A2D0000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:16.849732 0:1:64:73:31:4 -> 8:0:20:13:12:E2 type:0x800 len:0x46
211.68.233.1 -> 131.156.X.BB ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.BB:1073 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11103 IpLen:20 DgmLen:40
Seq: 0x6D9C0000  Ack: 0xE7520000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:16.858836 0:1:64:73:31:4 -> 0:1:3:35:AF:5F type:0x800 len:0x46
211.68.233.1 -> 131.156.X.CC ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.CC:1547 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11114 IpLen:20 DgmLen:40
Seq: 0x72A00000  Ack: 0xA070000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:16.861847 0:1:64:73:31:4 -> 0:A0:24:18:A5:DD type:0x800 len:0x46
211.68.233.1 -> 131.156.X.DD ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.DD:1829 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11115 IpLen:20 DgmLen:40
Seq: 0x57A70000  Ack: 0x10D90000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:16.864986 0:1:64:73:31:4 -> 0:50:4:61:6E:74 type:0x800 len:0x46
211.68.233.1 -> 131.156.X.EE ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.EE:1067 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11116 IpLen:20 DgmLen:40
Seq: 0x36170000  Ack: 0xD1D60000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:17.056531 0:1:64:73:31:4 -> 0:4:76:33:EA:10 type:0x800 len:0x46
211.68.233.1 -> 131.156.X.FF ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.FF:1995 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11301 IpLen:20 DgmLen:40
Seq: 0x274E0000  Ack: 0x6CB50000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:17.080905 0:1:64:73:31:4 -> 0:1:E6:2F:E3:3B type:0x800 len:0x46
211.68.233.1 -> 131.156.X.GG ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.GG:1845 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11323 IpLen:20 DgmLen:40
Seq: 0x25F30000  Ack: 0xB07A0000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:17.083859 0:1:64:73:31:4 -> 0:60:B0:70:0:B9 type:0x800 len:0x46
211.68.233.1 -> 131.156.X.HH ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.HH:1714 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11326 IpLen:20 DgmLen:40
Seq: 0x1D620000  Ack: 0x8B3B0000
** END OF DUMP

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
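Added example, not part of the post or the list archive: a short Python script that parses Snort "ICMP Destination Unreachable" alerts of the form quoted above and pulls out the fields an analyst compares before deciding whether the quoted "original" datagrams were really sent by the local hosts. Two records are copied from the post (hosts X.AA and X.BB, with the `[**]` and `[Classification]` header lines omitted); a third record is constructed here for contrast and is marked as such. The checks (seq and ack both ending in 0000, an option-less 40-byte TCP header, an ICMP sender that is not the embedded destination, and one embedded TTL shared by many hosts within one sub-second burst) are heuristics a practitioner would run, not a verdict on this particular traffic.

```python
"""Added example: parse Snort ICMP unreachable alerts and inspect the quoted 'original' datagram."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Two records copied from the Snort output quoted in the post (hosts X.AA and X.BB).
PAGE_ALERTS = """\
02/13-04:25:16.846803 0:1:64:73:31:4 -> 8:0:20:A4:6E:42 type:0x800 len:0x46
211.68.233.1 -> 131.156.X.AA ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.AA:1432 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11106 IpLen:20 DgmLen:40
Seq: 0x4CB40000  Ack: 0x7A2D0000
** END OF DUMP

02/13-04:25:16.849732 0:1:64:73:31:4 -> 8:0:20:13:12:E2 type:0x800 len:0x46
211.68.233.1 -> 131.156.X.BB ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.BB:1073 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11103 IpLen:20 DgmLen:40
Seq: 0x6D9C0000  Ack: 0xE7520000
** END OF DUMP
"""

# CONSTRUCTED for contrast, not from the post: the embedded destination itself
# rejects a connection whose TCP header looks like a real stack produced it.
CONSTRUCTED_BENIGN = """\
02/13-09:12:01.000000 0:1:64:73:31:4 -> 8:0:20:A4:6E:42 type:0x800 len:0x5A
4.24.204.90 -> 131.156.X.AA ICMP TTL:50 TOS:0x0 ID:3921 IpLen:20 DgmLen:76
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.AA:40321 -> 4.24.204.90:22 TCP TTL:60 TOS:0x0 ID:51230 IpLen:20 DgmLen:60
Seq: 0x9F31C2A5  Ack: 0x0
** END OF DUMP
"""

RE_TS    = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ", re.M)
RE_ICMP  = re.compile(r"^(\S+) -> (\S+) ICMP TTL:(\d+) ", re.M)
RE_TYPE  = re.compile(r"^Type:(\d+)\s+Code:(\d+)", re.M)
RE_INNER = re.compile(r"^\S+ -> (\S+):(\d+) TCP TTL:(\d+) .*DgmLen:(\d+)", re.M)
RE_SEQ   = re.compile(r"Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)")

@dataclass
class Alert:
    ts: str
    icmp_src: str      # who sent the ICMP error
    icmp_dst: str      # the local host that received it
    icmp_ttl: int
    inner_dst: str     # destination of the quoted "original" packet
    inner_dport: int
    inner_ttl: int
    inner_dgmlen: int
    seq: int
    ack: int
    flags: list = field(default_factory=list)

def check_alert(a: Alert) -> list:
    """Per-record oddities in the quoted datagram; heuristics, not a verdict."""
    f = []
    if a.seq & 0xFFFF == 0 and a.ack & 0xFFFF == 0:
        f.append("seq and ack both end in 0000: looks generated, not a stack's ISN")
    if a.inner_dgmlen == 40:
        f.append("bare 20-byte TCP header, no options: unusual for a host-originated connection")
    if a.icmp_src != a.inner_dst:
        f.append("ICMP sender is not the embedded destination: confirm it sits on that path")
    return f

def parse_alerts(text: str) -> list:
    """Split Snort full-alert output on blank lines; keep Type 3 records with a TCP dump."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = [r.search(block) for r in (RE_TS, RE_ICMP, RE_TYPE, RE_INNER, RE_SEQ)]
        if not all(m) or int(m[2].group(1)) != 3:
            continue
        ts, icmp, _, inner, sa = m
        a = Alert(ts.group(1), icmp.group(1), icmp.group(2), int(icmp.group(3)),
                  inner.group(1), int(inner.group(2)), int(inner.group(3)),
                  int(inner.group(4)), int(sa.group(1), 16), int(sa.group(2), 16))
        a.flags = check_alert(a)
        out.append(a)
    return out

def _secs(ts: str) -> float:
    h, m, s = ts.split("-")[1].split(":")          # "02/13-04:25:16.846803"
    return int(h) * 3600 + int(m) * 60 + float(s)

def summarize(alerts: list) -> dict:
    """Site-wide view: many local hosts sharing one embedded TTL in one burst is
    what forged originals look like; unrelated machines would not share all three."""
    times = [_secs(a.ts) for a in alerts]
    ttls = Counter(a.inner_ttl for a in alerts)
    return {
        "local_hosts": sorted({a.icmp_dst for a in alerts}),
        "icmp_senders": sorted({a.icmp_src for a in alerts}),
        "embedded_targets": sorted({f"{a.inner_dst}:{a.inner_dport}" for a in alerts}),
        "inner_ttls": dict(ttls),
        "uniform_inner_ttl": len(ttls) == 1,
        "span_seconds": round(max(times) - min(times), 3) if times else 0.0,
    }

if __name__ == "__main__":
    for a in parse_alerts(PAGE_ALERTS):
        print(a.ts, a.icmp_dst, a.flags)
    print(summarize(parse_alerts(PAGE_ALERTS)))
```

Run against the two records from the post, every check fires and the summary shows one embedded TTL across distinct hosts within a few milliseconds; the constructed record raises no flags. A TTL of 124 on packets supposedly leaving unix boxes, printers and PCs alike is the kind of thing this summary is meant to surface; the next step in practice is a traceroute toward the embedded destination to see whether the ICMP sender is anywhere on that path.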

