[Dshield] Is this normal?

E.B. Dreger eddy+public+spam at noc.everquick.net
Sat Jun 22 15:20:58 GMT 2002


M> Date: Sat, 22 Jun 2002 01:22:25 -0400
M> From: Mercy


M> The firewall has blocked Internet access to www.microsoft.com
M> (207.46.230.219) (ICMP Time Exceeded) from your computer.
M> 
M> Occurred: 4 times between 6/21/02 5:27:16 PM and 6/21/02 5:28:02 PM
M> 
M> I'm assuming that a microsoft program tried to look for
M> updates?  Why did it happen so many times?

The makers of ZoneAlarm should be tarred and feathered for
convincing people that everything is a huge attack; they seem to
have [singlehandly] created thousands of IWFs.  Firewall users
should learn what's important and what's not... but that's what
Mercy's trying to do, so I guess we can't flame her. ;-)

A TTL exceeded simply means that a packet took more than the n
allowed hops to reach its destination, and the routers along the
way gave up.  Normal traffic, except I'd have expected a TTL
exceeded to come from a router's IP address, not a host.  It's
quite possible that this is forged.

Ask yourself:  What is the threat of this packet?  None.  What is
the value of noting it, on the possibility that a miscreant could
be trying something else?  Anywhere from none to high.

Responsible network operators filter source addresses at their
ingress... but too many do not.  This means it's trivial to spoof
ICMP and UDP... and one often can spoof TCP sessions if the
victim system has a bad IP stack.  Bottom line:  In today's
Internet, it's often difficult to rule out spoofed packets.

You'll go nuts looking at all the actual cracking attempts, let
alone things that are insignificant.

Keep the questions coming...


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist at brics.com>
To: blacklist at brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist at brics.com>, or you are likely to
be blocked.




More information about the list mailing list