[Dshield] ICMP questions

Jon R. Kibler Jon.Kibler at aset.com
Tue Oct 7 22:11:04 GMT 2003

Johannes Ullrich wrote:
> >         3/1             39
> very common and usually nothing to worry about.
> for example, a domain may somehow advertise a private IP as its DNS
> server. Also, if you are tracerouting an IP and hit a router that uses a
> private IP en-route, this may show up.
> (3/1 -> host unreachable)
> >         3/13           51
> 3/13 means that some router/firewall blocked the packet. Again, not
> necessarily a bad thing. Sometimes, things are just broken.
> Maybe take a closer look why your system attempted to contact these
> 'forbidden' hosts to begin with.

On both of the above, there was seldom any outgoing activity on that interface at the time any of the above types of packets were received. That is why I questioned what else (other than the obvious response to something we may have sent) these incoming packets may indicate.

> >         4/0             14
> source quench: usually sent by overloaded hosts/routers. nothing to
> worry.

And it is safe to just drop these packets?

> >         8/0           6397
> echo request: well, Nachia/Welchia I would assume. But people ping for
> other reasons as well.

These were never an issue... have always dropped incoming PING requests.

> >         11/0             1
> TTL expired. Most likely a routing loop. As long as there is only 1, I
> wouldn't worry.

We normally accept time exceeded -- this was blocked only because of a bogus source address.

> >         79/201           1
> my guess: parser/script error? maybe this is the last digit of a
> source/target IP ;-) ?

Nope, NOT a script error. This is the actual log record:

Oct  6 12:12:50 border8215.XXX 22220: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 24.237.Y.Y -> X.X.X.X (79/201), 1 packet
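A small parser for the Cisco ACL log record quoted above, added here as an example (it is not code from the list or the original post): it totals denied packets per ICMP type/code, as in the table in the thread, and flags a type such as 79 that IANA does not assign. The sample lines and addresses beyond the quoted record are constructed.

```python
import re
from collections import Counter

# Constructed sample in the format of the IPACCESSLOGDP record quoted above.
# The first line is the record from the post; the others are made up and use
# documentation/placeholder addresses.
SAMPLE_LOG = """\
Oct  6 12:12:50 border8215.XXX 22220: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 24.237.Y.Y -> X.X.X.X (79/201), 1 packet
Oct  6 12:13:02 border8215.XXX 22221: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 192.0.2.7 -> X.X.X.X (3/13), 2 packets
Oct  6 12:13:10 border8215.XXX 22222: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 198.51.100.9 -> X.X.X.X (8/0), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) denied icmp "
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# The type/code pairs discussed in the thread.
KNOWN = {
    (3, 1): "destination unreachable: host unreachable",
    (3, 13): "destination unreachable: administratively prohibited",
    (4, 0): "source quench",
    (8, 0): "echo request",
    (11, 0): "time exceeded: TTL expired in transit",
}
# IANA-assigned ICMP types are 0-43; 253 and 254 are reserved for experiments.
ASSIGNED_TYPES = set(range(44)) | {253, 254}


def parse_line(line):
    """Return the fields of one IPACCESSLOGDP icmp record, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "count"):
        rec[key] = int(rec[key])
    return rec


def classify(icmp_type, icmp_code):
    """Name the type/code, flagging a type that IANA has never assigned."""
    if icmp_type not in ASSIGNED_TYPES:
        return "unassigned ICMP type: not a valid message, worth a closer look"
    return KNOWN.get((icmp_type, icmp_code), "assigned type, code not in table")


def summarize(log_text):
    """Total denied packets per (type, code), like the table in the post."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            totals[(rec["type"], rec["code"])] += rec["count"]
    return totals
```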

