[Dshield] ICMP questions

Jon R. Kibler Jon.Kibler at aset.com
Tue Oct 7 22:11:04 GMT 2003


See embedded, below...

Johannes Ullrich wrote:
> 
> >         3/1             39
> very common and usually nothing to worry about.
> for example, a domain may somehow advertise a private IP as its DNS
> server. Also, if you are tracerouting an IP and hit a router that uses a
> private IP en-route, this may show up.
> (3/1 -> host unreachable)
> 
> >         3/13           51
> 3/13 means that some router/firewall blocked the packet. Again, not
> necessarily a bad thing. Sometimes, things are just broken.
> Maybe take a closer look why your system attempted to contact these
> 'forbidden' hosts to begin with.
> 

On both of the above, there was seldom any outgoing activity on that interface at the time any of the above type packets were received. That is why I questioned what else (other than the obvious response to something we may have sent) these incoming packets may indicate.

> >         4/0             14
> source quench: usually sent by overloaded hosts/routers. nothing to
> worry.
> 

And it is safe to just drop these packets?

> >         8/0           6397
> echo request: well, Nachia/Welchia I would assume. But people ping for
> other reasons as well.

These were never an issue... have always dropped incoming PING requests.

> 
> >         11/0             1
> TTL expired. Most likely a routing loop. As long as there is only 1, I
> wouldn't worry.

We normally accept time exceeded -- this was blocked only because of a bogus source address.

> 
> >         79/201           1
> my guess: parser/script error? maybe this is the last digit of a
> source/target IP ;-) ?
> 

Nope, NOT a script error. This is the actual log record:

Oct  6 12:12:50 border8215.XXX 22220: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 24.237.Y.Y -> X.X.X.X (79/201), 1 packet


Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA
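
An added example, not part of the original message: a small Python parser for Cisco `%SEC-6-IPACCESSLOGDP` records like the one quoted above. It tallies denied ICMP packets by type/code and singles out pairs that fall outside the set discussed in this thread, such as 79/201. The `KNOWN` table, the function names, and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Meanings for the type/code pairs discussed in this thread only.
KNOWN = {
    (3, 1): "destination unreachable: host unreachable",
    (3, 13): "destination unreachable: administratively prohibited",
    (4, 0): "source quench",
    (8, 0): "echo request",
    (11, 0): "time exceeded: TTL expired in transit",
}

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"icmp (?P<src>\S+) -> (?P<dst>\S+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

def parse_line(line):
    """Return the fields of one ACL log record, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec.update({f: int(rec[f]) for f in ("type", "code", "count")})
    return rec

def summarize(lines):
    """Tally denied ICMP packets per (type, code); collect pairs not in KNOWN."""
    totals, unknown = Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] != "denied":
            continue
        key = (rec["type"], rec["code"])
        totals[key] += rec["count"]
        if key not in KNOWN:
            unknown.append(rec)
    return totals, unknown

# First record is the one quoted in the message; the rest are constructed.
SAMPLE = [
    "Oct  6 12:12:50 border8215.XXX 22220: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 24.237.Y.Y -> X.X.X.X (79/201), 1 packet",
    "Oct  6 12:13:02 border.example 22221: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 192.0.2.7 -> 198.51.100.1 (8/0), 3 packets",
    "Oct  6 12:13:09 border.example 22222: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 203.0.113.9 -> 198.51.100.1 (3/13), 1 packet",
    "Oct  6 12:13:11 border.example 22223: %SEC-6-IPACCESSLOGDP: list 110 permitted icmp 203.0.113.9 -> 198.51.100.1 (11/0), 1 packet",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```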



