[Dshield] ICMP questions

Johannes Ullrich jullrich at euclidian.com
Tue Oct 7 22:35:30 GMT 2003


> > >         3/1             39
> > very common and usually nothing to worry about.

> > >         3/13           51
> > 3/13 means that some router/firewall blocked the packet. 
> 
> On both of the above, there was seldom any outgoing activity 
> on that interface at the time any of the above type packets 
> were received. That is why I questioned what else (other 
> than the obvious response to something we may have sent) 
> that these incoming packets may indicate.

well, in that case my next guess is that these are responses to spoofed
traffic. Usually, the ICMP packet includes the first few bytes of the
packet that caused the ICMP message. Looking at that with tcpdump or so
can help. (but the router will usually not log the icmp payload).

> > >         4/0             14
> > source quench: usually send by overloaded hosts/routers. nothing to
> > worry.
> > 
> 
> And it is safe to just drop these packets?

Don't block these packets. You should allow them through so your hosts
that access the busy hosts can throttle down.

> 
> > >         8/0           6397
> > echo request: well, Nachia/Welchia I would assume. But people ping for
> > other reasons as well.
> 
> These were never an issue... have always dropped incoming PING requests.

good practice IMHO. Unless you are providing services to others (e.g.
ISP, larger company). In that case, it can be helpful to customers to
ping/traceroute to diagnose problems (and it will keep your customer
support staff less busy).

BTW: A good intro on what ICMP to block / not to block:

http://www.cymru.com/Documents/icmp-messages.html


> Nope, NOT a script error. This is the actual log record:
> 
> Oct  6 12:12:50 border8215.XXX 22220: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 24.237.Y.Y -> X.X.X.X (79/201), 1 packet

very odd...


-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------





More information about the list mailing list