[Dshield] ICMP questions

Johannes Ullrich jullrich at euclidian.com
Tue Oct 7 20:51:06 GMT 2003


>         3/1             39
Very common and usually nothing to worry about.
For example, a domain may somehow advertise a private IP as its DNS
server. Also, if you are tracerouting an IP and hit a router that uses a
private IP en route, this may show up.
(3/1 -> host unreachable)

>         3/13           51
3/13 means that some router/firewall blocked the packet. Again, not
necessarily a bad thing. Sometimes, things are just broken.
Maybe take a closer look why your system attempted to contact these
'forbidden' hosts to begin with.

>         4/0             14
Source quench: usually sent by overloaded hosts/routers. Nothing to
worry about.

>         8/0           6397
Echo request: well, Nachi/Welchia I would assume. But people ping for
other reasons as well.

>         11/0             1
TTL expired. Most likely a routing loop. As long as there is only 1, I
wouldn't worry.

>         79/201           1
My guess: parser/script error? Maybe this is the last digit of a
source/target IP ;-) ?



> 
>         TOTAL         6503
> 
> 
> After seeing the above report, I went back and checked the raw data. It turns out that all of the 3/1, 3/13, and 11/0 packets, and about half of the 4/0 packets, are from bogus addresses (10/8, 172.16/12, etc.). Is this just someone's private network leaking garbage, or is this potentially indicative of some sort of probe?
> 
> Another question: Any idea what '79/201' is all about? It originated from a DSL connection.
> 
> Finally, we currently block '4/0' incoming... is this a good or bad idea? Seeing how about half of such packets are from bogus addresses, my tendency is to keep blocking these source quench packets. Any thoughts?
> 
> TIA for all feedback!
> 
> Sincerely,
> Jon R. Kibler
> Chief Technical Officer
> A.S.E.T., Inc.
> Charleston, SC  USA
> (843) 849-8214
> 
-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------
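The reply above sorts the report by hand: map each type/code pair to its RFC 792 meaning, treat values no assigned ICMP type uses (79/201) as a likely parser bug, and check how many of each class come from private space. The script below does the same mechanically. It is an added example, not code from the original thread or from DShield; the per-packet input format ("src type code", one line per packet), the function names and the sample records are all constructed for this illustration.

```python
"""Classify ICMP type/code counters and flag private (RFC 1918) sources.

Added example, not code from the original post or from DShield.  The
input format ("src type code", one packet per line) and the sample
records below are constructed for the example.
"""
import ipaddress

# Meanings of the type/code pairs seen in the report (RFC 792, RFC 1812).
ICMP_NAMES = {
    (3, 1): "destination unreachable: host unreachable",
    (3, 13): "destination unreachable: communication administratively prohibited",
    (4, 0): "source quench",
    (8, 0): "echo request",
    (11, 0): "time exceeded: TTL expired in transit",
}

# Types defined by RFC 792/950/1122/1256; anything else is unassigned,
# and no assigned type uses a code above 15.
ASSIGNED_TYPES = {0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18}
MAX_ASSIGNED_CODE = 15

# Sources that should never reach you from the public Internet:
# RFC 1918 space plus "this network" and loopback.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8",
)]


def classify(icmp_type, icmp_code):
    """Label a type/code pair; unassigned values usually mean a parser bug."""
    if not (0 <= icmp_type <= 255 and 0 <= icmp_code <= 255):
        return "invalid: type and code are 8-bit fields"
    label = ICMP_NAMES.get((icmp_type, icmp_code))
    if label:
        return label
    if icmp_type not in ASSIGNED_TYPES or icmp_code > MAX_ASSIGNED_CODE:
        return "unassigned type/code, suspect a parser or script error"
    return "type %d code %d" % (icmp_type, icmp_code)


def is_bogon(src):
    """True if src falls in private or otherwise unroutable space."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_NETS)


def parse_records(lines):
    """Yield (src, type, code) from 'src type code' lines, skipping junk."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ipaddress.ip_address(parts[0])      # reject non-IP sources
            yield parts[0], int(parts[1]), int(parts[2])
        except ValueError:
            continue


def summarize(records):
    """Per type/code: total count, count from bogon sources, and a label."""
    out = {}
    for src, t, c in records:
        entry = out.setdefault((t, c), {"count": 0, "bogon": 0,
                                        "label": classify(t, c)})
        entry["count"] += 1
        if is_bogon(src):
            entry["bogon"] += 1
    return out


# Constructed sample mimicking the pattern in the question: the 3/x and
# 11/0 packets and half of the 4/0 packets come from RFC 1918 sources.
SAMPLE = """\
10.1.2.3 3 1
172.20.0.9 3 13
10.1.2.3 11 0
192.0.2.10 4 0
10.9.9.9 4 0
192.0.2.55 8 0
198.51.100.7 8 0
198.51.100.7 79 201
this line is garbage
"""


def report(text=SAMPLE):
    """Return (type, code, count, bogon_count, label) rows sorted by type/code."""
    summary = summarize(parse_records(text.splitlines()))
    return [(t, c, e["count"], e["bogon"], e["label"])
            for (t, c), e in sorted(summary.items())]


if __name__ == "__main__":
    for t, c, n, b, label in report():
        print("%3d/%-3d %5d  (%d from bogon sources)  %s" % (t, c, n, b, label))
```

Run it against your own per-packet export in the same three-column shape; a class whose bogon count approaches its total is the one to trace back to whatever on your side was talking to those addresses, as the reply suggests for 3/13, while an unassigned pair like 79/201 points at the reporting script rather than the network.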