[Dshield] ICMP destination unreachable
Johannes B. Ullrich
jullrich at euclidian.com
Fri Nov 2 12:27:57 GMT 2001
> sorry if this is slightly OT; i'm looking for confirmation on something: i'm
> seeing a tremendous surge of "ICMP Destination Unreachable (Network
> Unreachable)" messages coming back from a nearby gateway to be received by
> our exchange server. i would hazard a guess that this is our exchange
> server trying to send NDR to a nonexistent domain and receiving a response
> that it doesn't exist.
> does this sound plausible? the messages are only coming from a single
> (very) nearby gateway and only intermittently at a rate of about 0-30/hour.
> i haven't been able to compare it with the amount of spam email coming in to
> the server, but there has been a bit more than usual (although i never saw
> this many ICMP DU messages before)? anyone seen this before or think this
> is something to be worried about?
Your guess sounds right. One thing you can do: Set up tcpdump or a tool
like that to capture the ICMP packets. The original packet that caused the
problem should be attached as a payload.
Other options are a DoS attack against the target network using your IP as
a spoofed source or just some guy playing around with ICMP packets :-/
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System