Security Incidents mailing list archives

Re: ICMP Destination Unreachable, Administratively Prohibited


From: Anthony Kim <Anthony.Kim () VW COM>
Date: Fri, 14 Feb 2003 10:02:41 -0600

On Thu, Feb 13, 2003, Chris Brenton wrote:

On Thu, 2003-02-13 at 17:35, Neil Dickey wrote:

I have noticed what appears to be a new (to me, anyway)
sort of scan in my Snort logs, which are appended below.

Doubtful this is some kind of a scan. These are ICMP type 3
packets, which never stimulate a response. This means that
whether it reached your internal host, or got blocked by a
firewall, no reply would be returned. No reply means that it's
not very useful as a scan. This also rules out you being the
quiet host end of an idle scan.


At first I thought it might be the after-effects of an nmap idle
scan actually.  That is, instead of RSTs (unfiltered traffic) you
are seeing ICMP (3, 13) indicating the traffic to the destination
is filtered. But the source ports in the original packets do not
meet my expectations.  So I'm doubtful it was that.  If there's a
way for nmap to perform an idle scan using randomized source
ports off a zombie, then just maybe...


 I'm getting a "Dest. Unreach." signal from an educational
 network in Beijing, China, that arrived at a time when
 no-one was using the boxes from which the TCP sessions were
 supposed to have originated.

Just because no one is in your office, does not mean that no
one is using your systems. ;-)

So true <g>

  Eight different machines at our site were involved,
  including unix boxes, printers, and PCs.

Based on this info, I'm leaning towards someone spoofing
your address space (maybe decoy packets?). Reasoning is below.

Your reasoning (snipped) is sound.  And I think I agree.
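The check the thread is circling around, written out as an added example (not code from the thread or from Snort): decode the ICMP type 3 message, pull the original IP/TCP header it quotes, and ask whether one of our own hosts could plausibly have sent that packet, since a quoted source port no host of ours would use points to backscatter from someone spoofing our address space. The site address block (TEST-NET-1 stands in), the ephemeral port range and the sample packet are assumptions for the example.

```python
import struct
from ipaddress import ip_address, ip_network

# Assumed for this example: the site's address block (TEST-NET-1 stands in for
# the real one) and the source-port range its hosts use for outbound TCP.
OUR_SPACE = ip_network("192.0.2.0/24")
EPHEMERAL = range(1024, 65536)
CODE_NAMES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
              13: "communication administratively prohibited"}

def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP type 3 message and the original datagram it quotes.

    RFC 792: the 8-byte ICMP header is followed by the offending packet's IP
    header plus at least 8 bytes of its payload (for TCP: src port, dst port,
    sequence number), which is what lets us attribute the error.
    """
    if len(icmp) < 28 or icmp[0] != 3:
        raise ValueError("not a complete ICMP Destination Unreachable message")
    code, inner = icmp[1], icmp[8:]
    ihl = (inner[0] & 0x0F) * 4               # inner IP header length in bytes
    info = {"code": code, "code_name": CODE_NAMES.get(code, "other"), "proto": inner[9],
            "orig_src": ip_address(inner[12:16]), "orig_dst": ip_address(inner[16:20])}
    if info["proto"] == 6 and len(inner) >= ihl + 8:
        sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
        info.update(orig_sport=sport, orig_dport=dport, orig_seq=seq)
    return info

def classify(info: dict) -> str:
    """Backscatter check: could one of our hosts plausibly have sent the quoted packet?

    The ICMP error provokes no reply, so the only question is whether the quoted
    original is genuine traffic or the echo of someone spoofing our addresses.
    """
    if info["orig_src"] not in OUR_SPACE:
        return "not-ours"                     # the error is not about our traffic
    sport = info.get("orig_sport")
    if sport is None or sport not in EPHEMERAL:
        return "suspect-spoofed"              # a source port no host of ours would pick
    return "plausible"

def build_sample(orig_sport: int, orig_src: str = "192.0.2.10", code: int = 13) -> bytes:
    """Constructed ICMP type 3 message for testing, not a captured packet."""
    icmp_hdr = struct.pack("!BBHI", 3, code, 0, 0)          # type, code, cksum, unused
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                         ip_address(orig_src).packed, ip_address("198.51.100.7").packed)
    tcp8 = struct.pack("!HHI", orig_sport, 80, 0xDEADBEEF)  # first 8 bytes of TCP header
    return icmp_hdr + ip_hdr + tcp8
```

Run over real alerts, the same decode applied to the quoted header is what lets you compare the claimed source port against what the named host actually uses, which is the mismatch Anthony mentions.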


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
