ICMP Destination Unreachable, Administratively Prohibited

From: Neil Dickey <neil(at)geol.niu.edu>
Date: Thu Feb 13 2003 - 17:35:11 EST


I apologize if this has been covered recently or the answer to my question is obvious. I'm just learning about things like this.

I have noticed what appears to be a new (to me, anyway) sort of scan in my Snort logs, which are appended below. I'm getting a "Dest. Unreach." signal from an educational network in Beijing, China, that arrived at a time when no one was using the boxes from which the TCP sessions were supposed to have originated. Eight different machines at our site were involved, including Unix boxes, printers, and PCs. I checked the Unix boxes, and nothing was active on the outbound ports, e.g. port 1432 on 131.156.X.AA in the logs below.

The "original" traffic was supposed to have been directed at port 22 on what appears to be a Genuity router, 4.24.204.90. That was what initially caught my eye. Outbound SSH traffic from a printer just isn't that common around here. ;-)

My questions are these: Does anyone know what sort of probe is being used? Is this in fact a probe of our site, or just backsplash from a scan of another site using our IPs as spoofed source addresses? Is it something else I haven't thought of?

I would appreciate any advice anyone could give.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:16.846803 0:1:64:73:31:4 -> 8:0:20:A4:6E:42 type:0x800 len:0x46
211.68.233.1 -> 131.156.X.AA ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.AA:1432 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11106 IpLen:20 DgmLen:40
Seq: 0x4CB40000 Ack: 0x7A2D0000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:16.849732 0:1:64:73:31:4 -> 8:0:20:13:12:E2 type:0x800 len:0x46
211.68.233.1 -> 131.156.X.BB ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.BB:1073 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11103 IpLen:20 DgmLen:40
Seq: 0x6D9C0000 Ack: 0xE7520000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:16.858836 0:1:64:73:31:4 -> 0:1:3:35:AF:5F type:0x800 len:0x46
211.68.233.1 -> 131.156.X.CC ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.CC:1547 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11114 IpLen:20 DgmLen:40
Seq: 0x72A00000 Ack: 0xA070000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:16.861847 0:1:64:73:31:4 -> 0:A0:24:18:A5:DD type:0x800 len:0x46
211.68.233.1 -> 131.156.X.DD ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.DD:1829 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11115 IpLen:20 DgmLen:40
Seq: 0x57A70000 Ack: 0x10D90000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:16.864986 0:1:64:73:31:4 -> 0:50:4:61:6E:74 type:0x800 len:0x46
211.68.233.1 -> 131.156.X.EE ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.EE:1067 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11116 IpLen:20 DgmLen:40
Seq: 0x36170000 Ack: 0xD1D60000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:17.056531 0:1:64:73:31:4 -> 0:4:76:33:EA:10 type:0x800 len:0x46
211.68.233.1 -> 131.156.X.FF ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.FF:1995 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11301 IpLen:20 DgmLen:40
Seq: 0x274E0000 Ack: 0x6CB50000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:17.080905 0:1:64:73:31:4 -> 0:1:E6:2F:E3:3B type:0x800 len:0x46
211.68.233.1 -> 131.156.X.GG ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.GG:1845 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11323 IpLen:20 DgmLen:40
Seq: 0x25F30000 Ack: 0xB07A0000
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
02/13-04:25:17.083859 0:1:64:73:31:4 -> 0:60:B0:70:0:B9 type:0x800 len:0x46
211.68.233.1 -> 131.156.X.HH ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.HH:1714 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11326 IpLen:20 DgmLen:40
Seq: 0x1D620000 Ack: 0x8B3B0000
** END OF DUMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
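As an added illustration (not code from the post or from Snort), a small Python triage routine that parses the quoted original datagram out of these ICMP type 3 code 13 alerts and lists why each one looks like backscatter from a scan that spoofed our addresses rather than a reply to traffic our hosts sent. The first record is copied from the log above; the second record and the local_sessions argument are constructed assumptions.

```python
import re

# One alert's ICMP and ORIGINAL DATAGRAM lines copied from the post above, plus a
# constructed second record showing a datagram a real TCP stack actually sent.
LOG = """\
211.68.233.1 -> 131.156.X.AA ICMP TTL:241 TOS:0x0 ID:0 IpLen:20 DgmLen:56 Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.AA:1432 -> 4.24.204.90:22 TCP TTL:124 TOS:0x0 ID:11106 IpLen:20 DgmLen:40 Seq: 0x4CB40000 Ack: 0x7A2D0000
** END OF DUMP
10.9.8.7 -> 131.156.X.CC ICMP TTL:55 TOS:0x0 ID:0 IpLen:20 DgmLen:56 Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
131.156.X.CC:40213 -> 10.9.8.7:22 TCP TTL:63 TOS:0x0 ID:5321 IpLen:20 DgmLen:60 Seq: 0x9F2C41B7 Ack: 0x0
** END OF DUMP
"""

ICMP_RE = re.compile(r"^(\S+) -> (\S+) ICMP TTL:\d+.*?Type:(\d+) Code:(\d+)")
INNER_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP TTL:(\d+).*?DgmLen:(\d+) "
                      r"Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+)")

def parse_alerts(text):
    """Pair each ICMP type 3 line with the original datagram quoted inside it."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            cur = dict(reporter=m[1], victim=m[2], type=int(m[3]), code=int(m[4]))
            continue
        m = INNER_RE.match(line)
        if m and cur is not None:
            cur.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]), ttl=int(m[5]),
                       dgmlen=int(m[6]), seq=int(m[7], 16), ack=int(m[8], 16))
            alerts.append(cur)
            cur = None
    return alerts

def backscatter_indicators(alert, local_sessions):
    """Reasons to believe the quoted datagram never originated on our host."""
    reasons = []
    if (alert["src"], alert["sport"]) not in local_sessions:
        reasons.append("no local socket matches the quoted source ip:port")
    if alert["seq"] & 0xFFFF == 0 and alert["ack"] & 0xFFFF == 0:
        reasons.append("Seq and Ack both have zero low 16 bits, unlike a stack's ISN")
    if alert["dgmlen"] == 40:
        reasons.append("bare 20-byte TCP header, no options such as MSS")
    return reasons

def triage(text, local_sessions=frozenset()):
    """Map each quoted (ip, port) source to its indicators; local_sessions is the
    set of (ip, port) pairs actually open on our hosts at the time (e.g. netstat)."""
    return {(a["src"], a["sport"]): backscatter_indicators(a, local_sessions)
            for a in parse_alerts(text)}
```

A further check worth adding across alerts: every quoted datagram above carries TTL:124 even though the eight hosts are Unix boxes, printers and PCs, which would not all start from the same initial TTL.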



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Thu Feb 13 17:46:12 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:58 EDT