Snort mailing list archives

Re: ICMP Destination Unreachable


From: John Sage <jsage () finchhaven com>
Date: Tue, 04 Dec 2001 12:40:46 -0800

Dewey:

This sort of thing can be an example of backscatter: you're receiving ICMP Dest unreachables, implying that a packet came from your network and, in this case, was attempting to connect via udp or tcp to the host that responded with the ICMP unreachable.

Chances are your IP is being spoofed by the actual prober/attacker, so you get the ICMP unreachable even though your net did not originate the transaction in the first place.

For an example, see:

http://www.incidents.org/archives/intrusions/msg01716.html

I was getting quite a few of these back in September from an ISP in India that was being DDoS'ed...

- John



Dewey Paciaffi wrote:

Hi. I'm a new snort user. Today snort flagged 66
packets in which neither the src nor the dst addresses
are from the subnet being monitored.
When I examined the logs, the packets seem to be in pairs:


[**] ICMP Destination Unreachable (Communication Administratively
Prohibited) [**]
12/03-00:27:04.480000 63.145.225.218 -> xxx.xx.xx.254
ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
xxx.xx.xx.254:252 -> 208.198.122.60:137
UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
Len: 58
** END OF DUMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] ICMP Destination Unreachable (Communication Administratively
Prohibited) [**]
12/03-00:27:04.480000 63.145.225.218 -> 64.152.161.12
ICMP TTL:245 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
64.152.161.12:137 -> 208.198.122.60:137
UDP TTL:113 TOS:0x0 ID:8800 IpLen:20 DgmLen:78
Len: 58
** END OF DUMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The first packet seems to be a valid ICMP, except that we have no device with the address xxx.xx.xx.254 on the subnet.

Anyone know what causes this?


Dewey Paciaffi
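The check John describes, as an added example (not code from either poster): an ICMP Destination Unreachable quotes the original IP header plus the first 8 bytes of its payload, so the quoted source address and UDP ports can be pulled out of the raw packet and compared against what the monitored subnet really contains. The subnet 192.0.2.0/24 stands in for the post's masked xxx.xx.xx.x, and the host list, the packet builder and the checksum-free packets are all constructed for the example.

```python
import ipaddress
import struct

# Constructed inventory: the prefix we monitor and the hosts that actually exist on it.
# The quoted address xxx.xx.xx.254 from the post (here 192.0.2.254) is deliberately absent.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
ACTIVE_HOSTS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.20")}

def build_unreachable(outer_src, outer_dst, inner_src, inner_dst, sport, dport):
    """Build an IPv4 packet carrying ICMP type 3 code 13 that quotes a UDP datagram.
    Test input modelled on the snort dump; checksums are left zero since nothing here verifies them."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 78, 8800, 0, 113, 17, 0,
                           ipaddress.ip_address(inner_src).packed, ipaddress.ip_address(inner_dst).packed)
    inner_udp = struct.pack("!HHHH", sport, dport, 58, 0)      # the 8 payload bytes ICMP quotes
    icmp = struct.pack("!BBHI", 3, 13, 0, 0) + inner_ip + inner_udp
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 245, 1, 0,
                           ipaddress.ip_address(outer_src).packed, ipaddress.ip_address(outer_dst).packed)
    return outer_ip + icmp

def classify_unreachable(pkt):
    """Return (verdict, details) for a raw IPv4 packet; details describe the quoted datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                       # protocol 1 = ICMP
        return "not-icmp", None
    icmp = pkt[ihl:]
    if icmp[0] != 3:                      # type 3 = Destination Unreachable
        return "not-unreachable", None
    inner = icmp[8:]                      # quoted original IP header + first 8 payload bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    src = ipaddress.ip_address(inner[12:16])
    dst = ipaddress.ip_address(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    details = {"code": icmp[1], "proto": inner[9], "src": str(src), "dst": str(dst),
               "sport": sport, "dport": dport}
    if src not in LOCAL_NET:
        return "unrelated", details       # the quoted datagram never claimed to be ours
    if src in ACTIVE_HOSTS:
        return "possible-reply", details  # confirm against that host's own outbound traffic
    return "backscatter", details         # claims our prefix, but no such host: spoofed source
```

A "possible-reply" is only a reply if the named host actually sent the quoted datagram; a "backscatter" verdict means someone else is sending traffic with our address as the source, and the sensor is seeing the third party's answers.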
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users