[Dshield] ICMP destination unreachable

Johannes B. Ullrich jullrich at euclidian.com
Fri Nov 2 12:27:57 GMT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



> sorry if this is slightly OT; i'm looking for confirmation on something: i'm
> seeing a tremendous surge of "ICMP Destination Unreachable (Network
> Unreachable)" messages coming back from a nearby gateway to be received by
> our exchange server.  i would hazard a guess that this is our exchange
> server trying to send NDR to a nonexistent domain and receiving a response
> that it doesn't exist.
> 
> does this sound plausible?  the messages are only coming from a single
> (very) nearby gateway and only intermittently at a rate of about 0-30/hour.
> i haven't been able to compare it with the amount of spam email coming in to
> the server, but there has been a bit more than usual (although i never saw
> this many ICMP DU messages before)?  anyone seen this before or think this
> is something to be worried about?

Your guess sounds right. One thing you can do: Setup tcpdump or a tool 
like that to capture the ICMP packets. The original packet that caused the 
problem should be attached as a payload.

Other options are a DOS attack against the target network using your IP as 
a spoofed source or just some guy playing around with ICMP packets :-/


- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE74pFOVOIizK5pIDMRAmtWAKDiT5KgDgKbsZ+T+iDglVGP/kiCaACgre34
/+9ERUGNHEFeI8Uv7eDoth4=
=EGIl
-----END PGP SIGNATURE-----




More information about the list mailing list