
Re: ICMP Destination Unreachable, Administratively Prohibited

From: Anders Thulin <Anders.Thulin(at)kiconsulting.se>
Date: Fri Feb 14 2003 - 02:12:18 EST

Neil Dickey wrote:

> My questions are these: Does anyone know what sort of probe is being used?

   The other replies have covered the probable 'spoofed source address' solution.

   If you can get your hands on one of these packets and examine its contents, you can see the IP header of the packet that produced the response, as part of the ICMP packet body. If the spoofing explanation is correct and complete, the src address of that returned header should be one of your addresses.

   Strictly speaking, you should also be able to see all successful responses to the presumed probes. If you're behind a firewall, they may get filtered away, though, as there are no sessions that match them, but you might be able to find corroborating evidence in the firewall logs.

-- 
Anders Thulin   anders.thulin@kiconsulting.se   040-661 50 63	
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden
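
The check described in this message, as an added example that is not part of the original post: it decodes a captured ICMP Destination Unreachable, pulls out the IP header quoted in the ICMP body, and reports whether that header's source address belongs to your own ranges. `LOCAL_NETS`, the function names and the sample packet (documentation-range addresses, zeroed checksums) are assumptions made for illustration.

```python
import ipaddress
import socket
import struct

# Assumption: replace with your own address ranges (documentation prefix used here).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def parse_ipv4(buf):
    """Return (header_len, protocol, src, dst) for an IPv4 header at the start of buf."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header length")
    return ihl, buf[9], ipaddress.ip_address(buf[12:16]), ipaddress.ip_address(buf[16:20])

def inspect_unreachable(packet):
    """Decode an ICMP Destination Unreachable and the IP header quoted in its body."""
    ihl, proto, reporter, _ = parse_ipv4(packet)
    if proto != 1:
        raise ValueError("not ICMP")
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != 3:
        raise ValueError("not Destination Unreachable")
    # The body after the 8-byte ICMP header quotes the offending packet's IP header
    # plus at least the first 8 bytes of its payload (enough for TCP/UDP ports).
    q_ihl, q_proto, q_src, q_dst = parse_ipv4(icmp[8:])
    ports = icmp[8 + q_ihl:8 + q_ihl + 4]
    sport = dport = None
    if q_proto in (6, 17) and len(ports) == 4:
        sport, dport = struct.unpack("!HH", ports)
    return {
        "reporter": str(reporter), "code": icmp[1],  # code 13 = administratively prohibited
        "quoted_src": str(q_src), "quoted_dst": str(q_dst),
        "quoted_proto": q_proto, "sport": sport, "dport": dport,
        "src_is_ours": any(q_src in net for net in LOCAL_NETS),
    }

def build_sample():
    """Constructed packet: 198.51.100.1 rejects a TCP packet whose source is 192.0.2.10."""
    def ip(proto, src, dst, payload):
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                          socket.inet_aton(src), socket.inet_aton(dst))
        return hdr + payload
    quoted = ip(6, "192.0.2.10", "203.0.113.5", struct.pack("!HHI", 40000, 80, 0))
    icmp = struct.pack("!BBHI", 3, 13, 0, 0) + quoted[:28]  # checksums left at zero
    return ip(1, "198.51.100.1", "192.0.2.10", icmp)
```

If `src_is_ours` is true for a packet you never sent, the quoted destination and port tell you what to look for in the firewall logs.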


Received on Fri Feb 14 23:45:09 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:58 EDT

