[Dshield] Rejected packets

Johannes Ullrich jullrich at sans.org
Wed Jun 19 18:41:37 GMT 2002


>   -> Jun 19 07:24:41 gw126 kernel: IN=eth1 OUT=eth0 SRC=168.95.84.169
> DST=141.216.234.18 LEN=56 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=ICMP
> TYPE=11 CODE=0 [SRC=141.216.234.18 DST=61.230.104.116 LEN=44 TOS=0x00
> PREC=0x00 TTL=0 ID=44316 PROTO=TCP SPT=80 DPT=3142 WINDOW=0 RES=0x00
> URGP=0 ] 

just a quick primer as to how to read these logs first. iptables ICMP
logs have a lot of information. First, there are two major parts to
it:
(1) the ICMP header
(2) the ICMP payload, which is usually the header of the packet that
triggered the message. 

Part 2 is in [ ] at the end.

The ICMP packets you list here are Type 11, Code 0. This is a
'Time exceeded in transit' error. Essentially, the packet went through 
too many routers. Usually, this is a good indication for a routing loop. 

The packet that triggered this error (the [ ... ] part) was a TCP
packet. It went from 141.216.234.18 (your machine) to 61.230.104.116,
but never made it (as the IP from which the error message was sent
is different). As expected, the TTL is 0, which is the reason why
the packet was rejected.

Other than that, the packet looks like a regular http reply. It is
somewhat odd that it was rejected, as it should only be sent after a
packet from this machine (61.230.104.116) attempted to establish a
connection. But it looks like a reset packet? Something semi-odd
is going on here.

Comment about DShield and ICMP: As you see in this example, there is
a lot of information in ICMP. But only a few firewalls log it all. Our
'native' iptables parser currently rejects icmp from iptables just
because we had some problems with the variations in logging format
(and the packet in a packet notation has some problems too).
Try this:

- do a traceroute from your machine to 61.230.104.116
- capture all traffic from this IP.

BTW: the TTL of the ICMP packet is a bit low too. Commonly used default
TTLs are 60, 64 and 255. Each router the packet will go through will
deduct '1' from your packet. While most operating systems allow you to
change the default TTL, a value of 111 is strange as hardly any route
has more than 30 or so hops. 

>   -> Jun 19 07:24:49 gw126 kernel: IN=eth1 OUT=eth0 SRC=168.95.84.169
> DST=141.216.234.18 LEN=56 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=ICMP
> TYPE=11 CODE=0 [SRC=141.216.234.18 DST=61.230.104.116 LEN=44 TOS=0x00
> PREC=0x00 TTL=0 ID=24412 PROTO=TCP SPT=80 DPT=3142 WINDOW=30768
> RES=0x34 URG ACK URGP=0 ] 
> 
>   -> Jun 19 07:25:01 gw126 kernel: IN=eth1 OUT=eth0 SRC=168.95.84.169
> DST=141.216.234.18 LEN=56 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=ICMP
> TYPE=11 CODE=0 [SRC=141.216.234.18 DST=61.230.104.116 LEN=44 TOS=0x00
> PREC=0x00 TTL=0 ID=62150 PROTO=TCP SPT=80 DPT=3142 WINDOW=1 RES=0x00
> URGP=0 ] 
> 
>   -> Jun 19 07:25:14 gw126 kernel: IN=eth1 OUT=eth0 SRC=168.95.84.169
> DST=141.216.234.18 LEN=56 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=ICMP
> TYPE=11 CODE=0 [SRC=141.216.234.18 DST=61.230.104.116 LEN=40 TOS=0x00
> PREC=0x00 TTL=0 ID=57350 PROTO=TCP SPT=80 DPT=3142 WINDOW=28260
> RES=0x00 ECE URG FIN URGP=0 ] 
> 


-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
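An added example (not from the post, and not DShield's own parser) of splitting an iptables ICMP log line into the two parts described above, the ICMP header and the bracketed packet-in-a-packet. The sample lines are the ones quoted in the thread; the ICMP type table is a small constructed subset, and the bare flag tokens (ECE URG FIN) that break naive KEY=value parsing are handled explicitly.

```python
import re

# Sample lines, copied from the log excerpts quoted in the thread.
SAMPLE_LOGS = [
    "Jun 19 07:24:41 gw126 kernel: IN=eth1 OUT=eth0 SRC=168.95.84.169 DST=141.216.234.18 LEN=56 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=141.216.234.18 DST=61.230.104.116 LEN=44 TOS=0x00 PREC=0x00 TTL=0 ID=44316 PROTO=TCP SPT=80 DPT=3142 WINDOW=0 RES=0x00 URGP=0 ] ",
    "Jun 19 07:25:14 gw126 kernel: IN=eth1 OUT=eth0 SRC=168.95.84.169 DST=141.216.234.18 LEN=56 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=141.216.234.18 DST=61.230.104.116 LEN=40 TOS=0x00 PREC=0x00 TTL=0 ID=57350 PROTO=TCP SPT=80 DPT=3142 WINDOW=28260 RES=0x00 ECE URG FIN URGP=0 ] ",
]

# Constructed subset of (type, code) meanings; extend as needed.
ICMP_TYPES = {(11, 0): "time exceeded in transit", (3, 3): "port unreachable", (8, 0): "echo request"}
# iptables logs TCP flags as bare tokens with no '=' sign.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_fields(text):
    """Turn 'KEY=value' tokens into a dict; bare TCP flag tokens are collected under 'FLAGS'."""
    fields, flags = {}, set()
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    if flags:
        fields["FLAGS"] = flags
    return fields


def parse_iptables_icmp(line):
    """Split a line into (ICMP header fields, embedded packet fields or None)."""
    msg = line.split("kernel: ", 1)[-1]
    m = re.match(r"(?P<outer>[^\[]*)(?:\[(?P<inner>[^\]]*)\])?", msg)
    outer = parse_fields(m.group("outer"))
    inner = parse_fields(m.group("inner")) if m.group("inner") else None
    return outer, inner


def describe(line):
    """Summarise the error and the packet that triggered it, as the post walks through it."""
    outer, inner = parse_iptables_icmp(line)
    typ, code = int(outer.get("TYPE", -1)), int(outer.get("CODE", -1))
    out = {"icmp_from": outer["SRC"], "icmp_ttl": int(outer["TTL"]),
           "meaning": ICMP_TYPES.get((typ, code), f"type {typ} code {code}")}
    if inner:
        out["original_src"] = inner["SRC"]
        out["original_dst"] = inner["DST"]
        out["original_ttl"] = int(inner["TTL"])
        out["original_flags"] = sorted(inner.get("FLAGS", set()))
        # The error came from a router on the path, not from the intended destination.
        out["reply_from_third_party"] = outer["SRC"] != inner["DST"]
    return out
```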