[Dshield] ICMP destination unreachable

security@admin.fulgan.com security at admin.fulgan.com
Fri Nov 2 09:33:14 GMT 2001

WS> sorry if this is slightly OT; i'm looking for confirmation on something: i'm
WS> seeing a tremendous surge of "ICMP Destination Unreachable (Network
WS> Unreachable)" messages coming back from a nearby gateway to be received by
WS> our exchange server.  i would hazard a guess that this is our exchange
WS> server trying to send NDR to a nonexistent domain and receiving a response
WS> that it doesn't exist.

Improbable: if the domain is non-existent, then it should be resolved
to an IP and thus the server shouldn't be sending IP packets.

WS> does this sound plausible?  the messages are only coming from a single
WS> (very) nearby gateway and only intermittently at a rate of about 0-30/hour.
WS> i haven't been able to compare it with the amount of spam email coming in to
WS> the server, but there has been a bit more than usual (although i never saw
WS> this many ICMP DU messages before)?  anyone seen this before or think this
WS> is something to be worried about?

Well, you should check several things: 1/ What's the destination
address of the non-routed packets? 2/ What are the triggering
packets? What protocol, source and destination port? Are they
connection attempts (ICMP SYNs), datagrams (UDP) or in-connection
packets (about everything else)?

One possible cause is that you have a user that tries to connect to
your exchange server using the native exchange protocol (that is,
neither SMTP, POP3 nor IMAP) and that sits beyond a NAT box. Since the
server will look at the IP address that is inside the packet data
instead of using the IP header to respond and since that packet will
contain the internal, non-routable IP of the target machine, it will
fail to be routed.

If that is what's happening, then you might want to have a good look
at your router's configuration: It means that you didn't implement
egress filtering on your border routers and have not blocked private
IP ranges.

Good luck,
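
The checks suggested in the reply above (destination address, protocol and ports of the triggering packet), as an added example that is not part of the original post: a Python parser for the original-packet quote that RFC 792 puts inside an ICMP Destination Unreachable message, flagging RFC 1918 destinations. The function names, addresses and ports are constructed for illustration.

```python
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}

def triggering_packet(icmp: bytes):
    """Describe the packet quoted inside an ICMP Destination Unreachable.

    `icmp` starts at the ICMP header. Returns None if it is not type 3 or
    the quoted IPv4 header is truncated. The ICMP checksum is not verified.
    """
    if len(icmp) < 28 or icmp[0] != 3:
        return None
    inner = icmp[8:]                      # quoted IP header + >= 8 payload bytes (RFC 792)
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        return None
    dst = ipaddress.IPv4Address(inner[16:20])
    info = {
        "code": icmp[1],                  # 0 = network unreachable
        "proto": PROTOS.get(inner[9], str(inner[9])),
        "src": str(ipaddress.IPv4Address(inner[12:16])),
        "dst": str(dst),
        "dst_rfc1918": any(dst in net for net in RFC1918),
        "sport": None, "dport": None, "tcp_syn": None,
    }
    l4 = inner[ihl:]
    if inner[9] in (6, 17) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    # TCP flags sit at byte 13; routers quoting only 8 bytes do not include them.
    if inner[9] == 6 and len(l4) >= 14:
        info["tcp_syn"] = bool(l4[13] & 0x02) and not (l4[13] & 0x10)
    return info

def build_sample(dst: str, quoted_l4_bytes: int) -> bytes:
    """Constructed test message: network-unreachable for a TCP SYN to `dst`."""
    tcp = struct.pack("!HHIIBBH", 1026, 1050, 1, 0, 0x50, 0x02, 8192)[:quoted_l4_bytes]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 127, 6, 0,
                     ipaddress.IPv4Address("198.51.100.10").packed,
                     ipaddress.IPv4Address(dst).packed)
    return struct.pack("!BBHI", 3, 0, 0, 0) + ip + tcp

if __name__ == "__main__":
    for dst, n in (("10.1.2.3", 16), ("10.1.2.3", 8), ("203.0.113.7", 16)):
        print(triggering_packet(build_sample(dst, n)))
```

A quoted destination inside an RFC 1918 range means the server emitted a packet toward a private address, which is the case the egress-filtering remark above is about.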

