[Dshield] Is this normal?

Mercy Mercymail at mindspring.com
Sun Jun 23 00:12:50 GMT 2002

Thanks Eddy, for not flaming me LOL.

You're right, i am just trying to learn about all of this.  So, that's why i
keep asking questions that are probably stupid to all of you.

but keep in mind, that the only stupid questions are the ones that go

I'm glad you're all bearing with me, and helping me figure this stuff out.


----- Original Message -----
From: "E.B. Dreger" <eddy+public+spam at noc.everquick.net>
To: "DS mailing list" <list at dshield.org>
Sent: Saturday, June 22, 2002 11:20 AM
Subject: Re: [Dshield] Is this normal?

> M> Date: Sat, 22 Jun 2002 01:22:25 -0400
> M> From: Mercy
> M> The firewall has blocked Internet access to www.microsoft.com
> M> ( (ICMP Time Exceeded) from your computer.
> M>
> M> Occurred: 4 times between 6/21/02 5:27:16 PM and 6/21/02 5:28:02 PM
> M>
> M> I'm assuming that a microsoft program tried to look for
> M> updates?  Why did it happen so many times?
> The makers of ZoneAlarm should be tarred and feathered for
> convincing people that everything is a huge attack; they seem to
> have [singlehandly] created thousands of IWFs.  Firewall users
> should learn what's important and what's not... but that's what
> Mercy's trying to do, so I guess we can't flame her. ;-)
> A TTL exceeded simply means that a packet took more than the n
> allowed hops to reach its destination, and the routers along the
> way gave up.  Normal traffic, except I'd have expected a TTL
> exceeded to come from a router's IP address, not a host.  It's
> quite possible that this is forged.
> Ask yourself:  What is the threat of this packet?  None.  What is
> the value of noting it, on the possibility that a miscreant could
> be trying something else?  Anywhere from none to high.
> Responsible network operators filter source addresses at their
> ingress... but too many do not.  This means it's trivial to spoof
> ICMP and UDP... and one often can spoof TCP sessions if the
> victim system has a bad IP stack.  Bottom line:  In today's
> Internet, it's often difficult to rule out spoofed packets.
> You'll go nuts looking at all the actual cracking attempts, let
> alone things that are insignificant.
> Keep the questions coming...
> Eddy
> --
> Brotsman & Dreger, Inc. - EverQuick Internet Division
> Bandwidth, consulting, e-commerce, hosting, and network building
> Phone: +1 (785) 865-5885 Lawrence and [inter]national
> Phone: +1 (316) 794-8922 Wichita
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
> From: A Trap <blacklist at brics.com>
> To: blacklist at brics.com
> Subject: Please ignore this portion of my mail signature.
> These last few lines are a trap for address-harvesting spambots.
> Do NOT send mail to <blacklist at brics.com>, or you are likely to
> be blocked.
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:

More information about the list mailing list