[Dshield] ICMP questions

Johannes Ullrich jullrich at euclidian.com
Tue Oct 7 20:51:06 GMT 2003

>         3/1             39
very common and usually nothing to worry about.
for example, a domain may somehow advertise a private IP as its DNS
server. Also, if you are tracerouting an IP and hit a router that uses a
private IP en-route, this may show up.
(3/1 -> host unreachable)

>         3/13           51
3/13 means that some router/firewall blocked the packet. Again, not
necessarily a bad thing. Sometimes, things are just broken.
Maybe take a closer look why your system attempted to contact these
'forbidden' hosts to begin with.

>         4/0             14
source quench: usually sent by overloaded hosts/routers. nothing to

>         8/0           6397
echo request: well, Nachia/Welchia I would assume. But people ping for
other reasons as well.

>         11/0             1
TTL expired. Most likely a routing loop. As long as there is only 1, I
wouldn't worry.

>         79/201           1
my guess: parser/script error? maybe this is the last digit of a
source/target IP ;-) ?

>         TOTAL         6503
> After seeing the above report, I went back and checked the raw data. It turns out that all of the 3/1, 3/13, and 11/0 packets, and about half of the 4/0 packets, are from bogus addresses (10/8, 172.16/12, etc.). Is this just someone's private network leaking garbage, or is this potentially indicative of some sort of probe?
> Another question: Any idea what '79/201' is all about? It originated from a DSL connection.
> Finally, we currently block '4/0' incoming... is this a good or bad idea? Seeing how about half of such packets are from bogus addresses, my tendency is to keep blocking these source quench packets. Any thoughts?
> TIA for all feedback!
> Sincerely,
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
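
Added example, not part of the original message: one way to produce the per-type/code tally discussed in this thread while counting how many packets of each kind came from private source addresses and flagging pairs with no known meaning. The log line format, the `summarize` helper and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Type/code meanings as given in the reply above.
MEANING = {(3, 1): "host unreachable", (3, 13): "blocked by router/firewall",
           (4, 0): "source quench", (8, 0): "echo request",
           (11, 0): "TTL expired"}

# 10/8 and 172.16/12 are named in the question; 192.168/16, the third
# RFC 1918 block, is an assumption about what its "etc." covers.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical log format: "src=<ipv4> icmp=<type>/<code>"
LINE = re.compile(r"src=(\S+)\s+icmp=(\d+)/(\d+)$")


def summarize(lines):
    """Return ({(type, code): {total, private, meaning}}, rejected_lines)."""
    stats = defaultdict(lambda: {"total": 0, "private": 0, "meaning": None})
    rejected = []
    for line in lines:
        m = LINE.search(line.strip())
        try:
            src = ipaddress.IPv4Address(m.group(1))
            key = (int(m.group(2)), int(m.group(3)))
            if max(key) > 255:  # type and code are one byte each
                raise ValueError(key)
        except (AttributeError, ValueError):
            rejected.append(line)  # unparsable or impossible: keep for review
            continue
        row = stats[key]
        row["total"] += 1
        row["private"] += any(src in net for net in PRIVATE)
        row["meaning"] = MEANING.get(key, "unknown, check the log parser")
    return dict(stats), rejected


# Constructed sample lines (private and documentation addresses only).
SAMPLE = ["src=10.4.4.1 icmp=3/1", "src=172.16.9.2 icmp=3/13",
          "src=192.0.2.7 icmp=4/0", "src=10.0.0.9 icmp=4/0",
          "src=198.51.100.3 icmp=8/0", "src=203.0.113.5 icmp=79/201",
          "src=203.0.113.5 icmp=300/0", "garbage line"]

if __name__ == "__main__":
    table, bad = summarize(SAMPLE)
    for (t, c), row in sorted(table.items()):
        print(f"{t}/{c}", row["total"], row["private"], row["meaning"])
    print("rejected:", bad)
```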
