[Dshield] TTL expired... port unreach... (long)

Bruyere, Michel mbruyere at ezemcanada.com
Thu Oct 30 21:04:53 GMT 2003


Hi, 
	Snort is actually reporting a lot of TTL expired and Destination
Port unreachable alerts to me. They're coming from about 10 to 15 different sources. I figured
that this could be some backscatter from spoofed attacks? I would like to
have your thoughts about this from the "gurus" you are ;) 

Here is a sample of the Snort alerts (from a single source): 



ICMP dest unreachable

[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:03.428845 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20373 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20373 IpLen:20 DgmLen:78
Len: 50

[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:04.898750 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20380 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20380 IpLen:20 DgmLen:78
Len: 50

[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:06.400939 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20388 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20388 IpLen:20 DgmLen:78
Len: 50

[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:13.175725 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20421 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20421 IpLen:20 DgmLen:78
Len: 50

[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:14.667340 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20430 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20430 IpLen:20 DgmLen:78
Len: 50

[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:16.184812 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20438 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20438 IpLen:20 DgmLen:78
Len: 50



TTL expired 

[**] [1:450:4] ICMP Time-To-Live Exceeded in Transit (Undefined Code!) [**]
[Classification: Misc activity] [Priority: 3] 
10/29-18:17:44.536575 67.17.64.5 -> 10.0.0.5
ICMP TTL:247 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED IN TRANSIT

[**] [1:450:4] ICMP Time-To-Live Exceeded in Transit (Undefined Code!) [**]
[Classification: Misc activity] [Priority: 3] 
10/29-18:17:45.653559 67.17.64.5 -> 10.0.0.5
ICMP TTL:247 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED IN TRANSIT

[**] [1:450:4] ICMP Time-To-Live Exceeded in Transit (Undefined Code!) [**]
[Classification: Misc activity] [Priority: 3] 
10/29-18:17:50.308485 67.17.64.5 -> 10.0.0.5
ICMP TTL:247 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED IN TRANSIT



Thanks


M. Bruyere
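The message above asks whether these ICMP errors are backscatter. ICMP type 3 and type 11 errors carry the IP header and first bytes of the datagram that triggered them, and Snort prints that as the "ORIGINAL DATAGRAM DUMP" block, so the embedded addresses and ports say which outbound packet the remote host is complaining about. The Python script below is an added example, not part of the original post and not Snort's own code: it parses full-alert text of the kind quoted in the message, extracts the embedded datagram, and checks it against the outbound flows the sensor actually recorded, which is what separates error replies to the host's own traffic from candidate backscatter (an error quoting a datagram the monitored host never sent). Note that the TTL-exceeded alerts as quoted contain no original datagram dump, so the script reports that they cannot be correlated from the alert text alone. The two alert blocks are copied from the message; the `OUTBOUND_FLOWS` set, the monitored-host set and the verdict strings are constructed assumptions.

```python
"""Triage Snort ICMP error alerts using the embedded original datagram.

Added example (not from the post or from Snort). Parses Snort full-alert
text, pulls out the datagram quoted inside each ICMP type 3 / type 11
error, and checks it against outbound flows the sensor saw.
"""
import re
from collections import Counter

# Two alert blocks copied from the message above (one port-unreachable,
# one TTL-exceeded); they serve as the sample input for this example.
SAMPLE_ALERTS = """\
[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:03.428845 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20373 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20373 IpLen:20 DgmLen:78
Len: 50

[**] [1:450:4] ICMP Time-To-Live Exceeded in Transit (Undefined Code!) [**]
[Classification: Misc activity] [Priority: 3]
10/29-18:17:44.536575 67.17.64.5 -> 10.0.0.5
ICMP TTL:247 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED IN TRANSIT
"""

# Constructed assumption: outbound flows the sensor recorded for the
# monitored host, as (src, sport, dst, dport, proto). In practice these
# come from flow logs or a packet capture, not from the alert itself.
OUTBOUND_FLOWS = {
    ("10.0.0.5", 137, "12.162.189.27", 137, "UDP"),
}
MONITORED_HOSTS = {"10.0.0.5"}  # constructed assumption

PKT_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")
TYPE_RE = re.compile(r"^Type:(?P<type>\d+)\s+Code:(?P<code>\d+)")
ORIG_RE = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
PROTO_RE = re.compile(r"^(?P<proto>UDP|TCP|ICMP) TTL:")


def parse_alerts(text):
    """Split Snort full-alert output into one dict per alert block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines or not lines[0].startswith("[**]"):
            continue
        header = lines[0].replace("[**]", "").strip()
        alert = {"msg": re.sub(r"^\[\d+:\d+:\d+\]\s*", "", header), "orig": None}
        in_orig = False  # lines after the ORIGINAL DATAGRAM DUMP marker
        for line in lines[1:]:
            if line.startswith("** ORIGINAL DATAGRAM DUMP:"):
                in_orig, alert["orig"] = True, {}
                continue
            if not in_orig:
                m = PKT_RE.match(line)
                if m:
                    alert.update(ts=m["ts"], src=m["src"], dst=m["dst"])
                    continue
                m = TYPE_RE.match(line)
                if m:
                    alert["type"], alert["code"] = int(m["type"]), int(m["code"])
            else:
                m = ORIG_RE.match(line)
                if m:
                    alert["orig"].update(src=m["src"], sport=int(m["sport"]),
                                         dst=m["dst"], dport=int(m["dport"]))
                    continue
                m = PROTO_RE.match(line)
                if m:
                    alert["orig"]["proto"] = m["proto"]
        alerts.append(alert)
    return alerts


def classify(alert, monitored, outbound):
    """Explain one ICMP error alert from the datagram embedded in it."""
    if alert.get("type") not in (3, 11):
        return "not an ICMP error"
    orig = alert["orig"]
    if not orig or "proto" not in orig:
        return "no embedded datagram: inspect packet payload before concluding"
    if orig["src"] not in monitored:
        return "embedded datagram not from a monitored host: misdirected error"
    key = (orig["src"], orig["sport"], orig["dst"], orig["dport"], orig["proto"])
    if key in outbound:
        return "response to own traffic (matching outbound flow)"
    return "candidate backscatter: no matching outbound flow"


def triage(text, monitored, outbound):
    """Count alerts by (sender, ICMP type, code, verdict)."""
    counts = Counter()
    for a in parse_alerts(text):
        counts[(a["src"], a["type"], a["code"], classify(a, monitored, outbound))] += 1
    return counts


if __name__ == "__main__":
    for (sender, t, c, verdict), n in sorted(triage(SAMPLE_ALERTS, MONITORED_HOSTS, OUTBOUND_FLOWS).items()):
        print(f"{n:3d}  {sender:<16} type {t}/code {c}  {verdict}")
```

The verdicts are only as good as the outbound flow record: a port-unreachable whose embedded datagram matches a flow the host really sent is an ordinary error reply, while the same alert with no matching flow is the signature of spoofed traffic bouncing off a third party. Run it against the sensor's own flow log rather than the constructed set to get a meaningful split.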




