Security Incidents mailing list archives
Re: ICMP Destination Unreachable, Administratively Prohibited
From: Anders Thulin <Anders.Thulin () kiconsulting se>
Date: Fri, 14 Feb 2003 08:12:18 +0100
Neil Dickey wrote:
My questions are these: Does anyone know what sort of probe is being used?
The other replies have covered the probably 'spoofed source address' solution. If you can get your hands on one of these packets and examine its contents, you can see the IP header of the packet that produced the response, as part of the ICMP packet body. If the spoofing explanation is correct and complete, that src address of that returned header should be one of your addresses. Strictly speaking, you should also be able to see all successful responses to the presumed probes. If you're behind a firewall, they may get filtered away, though, as there are no sessions that matches them, but you might be able to find corroborating evidence in the firewall logs. -- Anders Thulin anders.thulin () kiconsulting se 040-661 50 63 Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service.For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- ICMP Destination Unreachable, Administratively Prohibited Neil Dickey (Feb 13)
- Re: ICMP Destination Unreachable, Administratively Prohibited Chris Brenton (Feb 13)
- Re: ICMP Destination Unreachable, Administratively Prohibited Anthony Kim (Feb 14)
- Re: ICMP Destination Unreachable, Administratively Prohibited Valdis . Kletnieks (Feb 14)
- Re: ICMP Destination Unreachable, Administratively Prohibited Russell Fulton (Feb 13)
- Re: ICMP Destination Unreachable, Administratively Prohibited Anders Thulin (Feb 14)
- Re: ICMP Destination Unreachable, Administratively Prohibited Chris Brenton (Feb 13)