[Dshield] ICMP Time-To-Live Exceeded in Transit

Erwin Van de Velde erwin.vandevelde at ua.ac.be
Tue Dec 23 14:53:27 GMT 2003


I'm using snort 2.1.0 on a Mandrake 9.2 box. I have to network interfaces: one 
to cable modem (DHCP configured), and one ethernet interface (IP Both interfaces are watched by snort. I have one other computer 
on the local network ( running Win98 SE, and the first computer 
uses NAT (configured with shorewall(iptables)) to get the second online.

Recently I'm seeing some weird traffic that is detected by snort (sensor on 
eth1: interface): I get inbound ICMP packets, telling me that the 
TTL has been exceeded.
The original source would be, with source port 2048. There are 
different destinations, and the destination port is >40000 as far as I can 
Other weird things: these alerts come in groups, allways when booting the 
second computer and every two hours after boot. The destination IPs differ, 
as I said above, but are repeated. The number of alerts in one 'group' 
differs also, possibly depending on foreign network conditions (which 
computers are running etc.)
These alerts take 42% of all my snort alerts. Second are the alerts caused by 
Welchia, Blaster... travelling by on the internet with 33%.
Does anyone know what they are? Are they normal traffic caused by 'good' 
programs? There is no frequently repeated tracerouted or something like that 
running there :-)
I have running Norton AV on the second computer, and the virus scanner is up 
to date and allways running (full system scan detected nothing).

thanks in advance, 
Erwin Van de Velde
Student of Antwerp University

More information about the list mailing list