[Dshield] Rejected packets

Lauro, John jlauro at umflint.edu
Wed Jun 19 21:16:57 GMT 2002


Thanks.  That helps.

Considering that 141.216.234.* is not a valid subnet at this time, is
there any other likely explanation for these packets besides either
someone spoofing 141.216.234.18, or some random communication noise
that messed up an address somehow that wasn't caught by checksums?

If someone is spoofing IP addresses, is it better to somehow reject
the packets coming back instead of just dropping them?  (So the remote
end will close the connection instead of accepting the spoofed packets
and possible remote exploit).

-----Original Message-----
From: Johannes Ullrich [mailto:jullrich at sans.org] 
Sent: Wednesday, June 19, 2002 2:42 PM
To: list at dshield.org
Cc: Lauro, John
Subject: Re: [Dshield] Rejected packets


>   -> Jun 19 07:24:41 gw126 kernel: IN=eth1 OUT=eth0 SRC=168.95.84.169
> DST=141.216.234.18 LEN=56 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=ICMP
> TYPE=11 CODE=0 [SRC=141.216.234.18 DST=61.230.104.116 LEN=44 TOS=0x00
> PREC=0x00 TTL=0 ID=44316 PROTO=TCP SPT=80 DPT=3142 WINDOW=0 RES=0x00
> URGP=0 ]

Just a quick primer on how to read these logs first. iptables ICMP
logs have a lot of information. First, there are two major parts to
them:
(1) the ICMP header
(2) the ICMP payload, which is usually the header of the packet that
triggered the message.

Part 2 is in [ ] at the end.
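An added example, not part of the thread, that parses the two-part iptables ICMP log line described above and then applies the test John is asking about: an ICMP error whose quoted inner packet claims a source address in a range we do not actually use can only be backscatter from spoofing (or a corrupted header). The sample line is the one quoted above re-joined onto one line; the list of unused prefixes is an assumption.

```python
import re
import ipaddress

# Constructed sample: the log line quoted in the thread, joined back onto one line.
SAMPLE = ("Jun 19 07:24:41 gw126 kernel: IN=eth1 OUT=eth0 SRC=168.95.84.169 "
          "DST=141.216.234.18 LEN=56 TOS=0x00 PREC=0x00 TTL=111 ID=0 PROTO=ICMP "
          "TYPE=11 CODE=0 [SRC=141.216.234.18 DST=61.230.104.116 LEN=44 TOS=0x00 "
          "PREC=0x00 TTL=0 ID=44316 PROTO=TCP SPT=80 DPT=3142 WINDOW=0 RES=0x00 URGP=0 ]")

KV = re.compile(r"(\w+)=(\S*)")   # KEY=value tokens; value may be empty (e.g. OUT=)

# Only the ICMP types relevant to reading error messages; others are left numeric.
ICMP_TYPES = {"3": "destination unreachable", "11": "time exceeded"}


def parse_iptables_log(line):
    """Split an iptables log line into the outer (ICMP) header fields and, when the
    message is an ICMP error, the quoted inner packet header found in [ ... ]."""
    inner = None
    m = re.search(r"\[(.*?)\]", line)
    if m:
        inner = dict(KV.findall(m.group(1)))
        line = line[:m.start()]          # keep only part 1 for the outer header
    outer = dict(KV.findall(line))
    return outer, inner


def flag_unexpected_backscatter(outer, inner, unused_prefixes):
    """Return a reason string when an ICMP error quotes an inner packet whose SRC is
    in address space we do not use (assumed list of prefixes). Such a packet cannot
    have originated here, so it was either spoofed or corrupted in transit."""
    if outer.get("PROTO") != "ICMP" or inner is None:
        return None
    src = ipaddress.ip_address(inner["SRC"])
    for net in unused_prefixes:
        if src in ipaddress.ip_network(net):
            kind = ICMP_TYPES.get(outer.get("TYPE"), "type " + outer.get("TYPE", "?"))
            return (f"{kind} from {outer['SRC']} quotes a {inner.get('PROTO')} packet "
                    f"{src}:{inner.get('SPT')} -> {inner['DST']}:{inner.get('DPT')} "
                    f"claiming unused source space {net}")
    return None


if __name__ == "__main__":
    hdr, quoted = parse_iptables_log(SAMPLE)
    print(flag_unexpected_backscatter(hdr, quoted, ["141.216.234.0/24"]))
```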
