|
|
| Applications |
| Mailing Lists |
| Miscellaneous |
| Operating Systems |
| Programming |
Re: ICMP Destination Unreachable, Administratively Prohibited
Date: Thu Feb 13 2003 - 18:26:46 EST
On Thu, 2003-02-13 at 17:35, Neil Dickey wrote:
>
> I have noticed what appears to be a new ( to me, anyway ) sort of scan in my
Doubtful this is a some kind of a scan. These are ICMP type 3 packets, which never stimulate a response. This means that whether it reached your internal host, or got blocked by a firewall, no reply would be returned. No reply means that its not very useful as a scan. This also rules out you being the quiet host end of an idle scan.
> I'm getting a "Dest. Unreach." signal
Just because no one is in your office, does not mean that no one is using your systems. ;-)
> Eight different machines at our site were involved, including
Based on this info, I'm leaning towards someone is spoofing your address space (maybe decoy packets?). Reasoning is below.
> I checked the unix boxes, and nothing was
To be honest, this is not very reliable. If the box is whacked I doubt you would see anything in the logs even if there was a purp on the system generating this traffic. As a .edu you are probably restricted from controlling traffic across your perimeter, but you may still want to consider a firewall to log all passing sessions. That way you would know for sure if it came from your network.
> The "original" traffic was supposed to have been directed at port 22 on what
There are some other interesting tid bits in the payload of each of the traces you posted:
- TTL The TTL in each stimulus packet is 124. UNIX flavors are going to use a starting TTL or 64 or 255. The only thing close to this is Windows at 128 but that would imply the Windows box is 4 hops from the router. Regardless, you say multiple OS types generated these packets and they would not all have the same starting TTL. This tells me the packets probably did not come from your network, but at a minimum they are crafted.
- Sequence #'s and IP IDs The sequence numbers are linear and the IP IDs range from 11103 --> 11326. The chances of this happening in the wild are about on par with someone who does not play the lottery actually winning. This tells me that all of the original stimulus packets originated from the same system.
- Flag settings All of these packets have the ACK flag set. This implies that the original source IP had already established a connection with the router, which of course is not the case. My guess is at one time this router used regular extended access lists to protect itself which would have permitted this packets to sneak through. The owners have up setup Reflexive filters which do have the capability of filtering out bogus ACK packets.
So I can tell you for certain that the packets are crafted. As for whether they originated from your network, hard to say. Two things will tell you for certain:
- If you logged outbound traffic (this option is out)
- Find out from the owner of the router if any other source IP was used during these probes.
HTH,
C
--
**************************************
cbrenton@chrisbrenton.org
'find / -name \*yourbase\* -exec chown us:us {} \; '
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
http://aris.securityfocus.com
Received on Thu Feb 13 22:07:40 2003This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:58 EDT
|
Contact Us Legal Notices Order Services Online Pantek Home Privacy Policy IT news Site Map Pantek Library |