[Dshield] ICMP questions

Jon R. Kibler Jon.Kibler at aset.com
Tue Oct 7 20:21:57 GMT 2003


A few ICMP questions...

I wrote a little quick and dirty script to summarize our router ACL logs (that I have been basically ignoring for months), and I got a few surprises, especially concerning ICMP traffic that was blocked. Here is an example extract:

ICMP packets by type/subtype:
        3/1             39
        3/13            51
        4/0             14
        8/0           6397
        11/0             1
        79/201           1

        TOTAL         6503

After seeing the above report, I went back and checked the raw data. It turns out that all of the 3/1, 3/13, and 11/0 packets, and about half of the 4/0 packets, are from bogus addresses (10/8, 172.16/12, etc.). Is this just someone's private network leaking garbage, or is this potentially indicative of some sort of probe?

Another question: Any idea what '79/201' is all about? It originated from a DSL connection.

Finally, we currently block '4/0' incoming... is this a good or bad idea? Seeing how about half of such packets are from bogus addresses, my tendency is to keep blocking these source quench packets. Any thoughts?

TIA for all feedback!

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
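The summarization the post describes, as an added example that is not part of the original message: a Python script that parses Cisco IOS access-list log lines (the sample lines below are constructed), counts packets by ICMP type/code, and reports how many of each come from private or otherwise unroutable source ranges. The type/code name table and the list of bogus ranges are assumptions for this example.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample in the Cisco IOS %SEC-6-IPACCESSLOGDP format; the fields used
# are source, destination and the "(type/code)" pair. Not real log data.
SAMPLE_LOG = """\
Oct  7 10:01:02 rtr1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.4.5.6 -> 203.0.113.10 (3/1), 1 packet
Oct  7 10:01:05 rtr1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.7 -> 203.0.113.10 (8/0), 3 packets
Oct  7 10:01:09 rtr1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.20.1.1 -> 203.0.113.10 (4/0), 1 packet
Oct  7 10:02:11 rtr1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.9 -> 203.0.113.10 (4/0), 1 packet
Oct  7 10:02:30 rtr1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.9.9 -> 203.0.113.10 (11/0), 1 packet
"""

LINE_RE = re.compile(r"denied icmp (\S+) -> (\S+) \((\d+)/(\d+)\), (\d+) packets?")

# Source ranges that should never appear on an Internet-facing interface (assumed list).
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Names for the type/code pairs the post lists; anything else is reported as "unknown".
ICMP_NAMES = {(3, 1): "host unreachable", (3, 13): "admin prohibited",
              (4, 0): "source quench", (8, 0): "echo request", (11, 0): "TTL exceeded"}

def is_bogus(src):
    """True if src is an address inside one of BOGUS_NETS."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # hostname or garbage: cannot be range-checked
        return False
    return any(addr in net for net in BOGUS_NETS)

def summarize(log_text):
    """Return {(type, code): {"total": pkts, "bogus": pkts, "name": str}}."""
    summary = defaultdict(lambda: {"total": 0, "bogus": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _dst, itype, code, count = m.groups()
        key, n = (int(itype), int(code)), int(count)
        summary[key]["total"] += n
        if is_bogus(src):
            summary[key]["bogus"] += n
    for key, row in summary.items():
        row["name"] = ICMP_NAMES.get(key, "unknown")
    return dict(summary)
```

Running `summarize(SAMPLE_LOG)` gives one row per type/code; the "bogus" column is the figure the post uses to decide which blocked types are noise from leaking private networks rather than reachable hosts.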
