Security Incidents mailing list archives

Re: ICMP Destination Unreachable, Administratively Prohibited


From: Anders Thulin <Anders.Thulin () kiconsulting se>
Date: Fri, 14 Feb 2003 08:12:18 +0100

Neil Dickey wrote:


My questions are these:  Does anyone know what sort of probe is being used?


  The other replies have covered the probable 'spoofed source address' solution.

  If you can get your hands on one of these packets and examine its contents,
you can see the IP header of the packet that produced the response, as part
of the ICMP packet body. If the spoofing explanation is correct and complete,
the src address of that returned header should be one of your addresses.

  Strictly speaking, you should also be able to see all successful responses
to the presumed probes. If you're behind a firewall, they may get filtered
away, though, as there are no sessions that match them, but you might be able
to find corroborating evidence in the firewall logs.

--
Anders Thulin   anders.thulin () kiconsulting se   040-661 50 63        
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden
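
The check described in the message above, as an added example that is not part of the original post: it parses an ICMP Destination Unreachable, pulls out the quoted IP header, and tests whether the quoted source address is one of yours. The function names, the sample packet and its addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress
import struct

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0; it is not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_unreachable(packet):
    """Return the fields of the IP header quoted inside an ICMP Destination Unreachable."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        raise ValueError("not an IPv4 ICMP packet")
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20 or icmp[0] != 3:
        raise ValueError("not a Destination Unreachable with a quoted IP header")
    quoted = icmp[8:]                      # skip type, code, checksum, 4 unused bytes
    if quoted[0] >> 4 != 4:
        raise ValueError("quoted header is not IPv4")
    info = {
        "reporter": str(ipaddress.IPv4Address(packet[12:16])),  # device that sent the error
        "code": icmp[1],                                          # 13 = administratively prohibited
        "orig_src": str(ipaddress.IPv4Address(quoted[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(quoted[16:20])),
        "orig_proto": quoted[9],
        "orig_ports": None,
    }
    l4 = quoted[(quoted[0] & 0x0F) * 4:][:4]   # RFC 792 quotes at least 8 bytes of payload
    if info["orig_proto"] in (6, 17) and len(l4) == 4:
        info["orig_ports"] = struct.unpack("!HH", l4)   # (source port, destination port)
    return info

def quoted_src_is_ours(info, my_networks):
    """True when the quoted source address falls inside one of our own networks."""
    src = ipaddress.ip_address(info["orig_src"])
    return any(src in ipaddress.ip_network(n) for n in my_networks)

# Constructed sample: 198.51.100.1 reports that a TCP packet claiming to come
# from 192.0.2.10 (assumed to be our address) to 203.0.113.5:80 was prohibited.
_quoted = ipv4_header("192.0.2.10", "203.0.113.5", 6, 8) + struct.pack("!HHI", 40000, 80, 0)
_icmp = struct.pack("!BBHI", 3, 13, 0, 0) + _quoted
SAMPLE = ipv4_header("198.51.100.1", "192.0.2.10", 1, len(_icmp)) + _icmp

if __name__ == "__main__":
    info = parse_unreachable(SAMPLE)
    print(info, quoted_src_is_ours(info, ["192.0.2.0/24"]))
```

The quoted destination address and port show what the original packet was aimed at, which is what to look for when searching firewall logs for corroborating entries.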

