[Dshield] TTL expired... port unreach... (long)

Timm, Kevin TimmK at netsolve.net
Thu Oct 30 23:00:34 GMT 2003


 
How far is your network from 12.152.189.27? According to the TTL of the
port unreachable, about ~120 hops, which is excessive.
According to the initiator, about 12 hops. There is some sort of
inconsistency that could point to network problems or spoofing.
Kevin 




-----Original Message-----
From: Bruyere, Michel [mailto:mbruyere at ezemcanada.com]
Sent: Thursday, October 30, 2003 3:05 PM
To: General DShield Discussion List
Subject: [Dshield] TTL expired... port unreach... (long)


Hi, 
	Snort is currently reporting a lot of TTL expired and Destination
Port unreachable alerts to me. They are coming from about 10 to 15 different sources. I figured
that this could be backscatter from spoofed attacks? I would like to
have your thoughts about this from the "gurus" you are ;)

Here is a sample of the Snort alerts (from a single source)



ICMP dest unreachable

[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:03.428845 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20373 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20373 IpLen:20 DgmLen:78
Len: 50

[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:04.898750 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20380 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20380 IpLen:20 DgmLen:78
Len: 50

[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:06.400939 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20388 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20388 IpLen:20 DgmLen:78
Len: 50

[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:13.175725 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20421 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20421 IpLen:20 DgmLen:78
Len: 50

[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:14.667340 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20430 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20430 IpLen:20 DgmLen:78
Len: 50

[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:16.184812 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20438 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20438 IpLen:20 DgmLen:78
Len: 50



TTL expired 

[**] [1:450:4] ICMP Time-To-Live Exceeded in Transit (Undefined Code!) [**]
[Classification: Misc activity] [Priority: 3] 
10/29-18:17:44.536575 67.17.64.5 -> 10.0.0.5
ICMP TTL:247 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED IN TRANSIT

[**] [1:450:4] ICMP Time-To-Live Exceeded in Transit (Undefined Code!) [**]
[Classification: Misc activity] [Priority: 3] 
10/29-18:17:45.653559 67.17.64.5 -> 10.0.0.5
ICMP TTL:247 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED IN TRANSIT

[**] [1:450:4] ICMP Time-To-Live Exceeded in Transit (Undefined Code!) [**]
[Classification: Misc activity] [Priority: 3] 
10/29-18:17:50.308485 67.17.64.5 -> 10.0.0.5
ICMP TTL:247 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED IN TRANSIT



Thanks


M. Bruyere


_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
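The hop-count argument in Kevin's reply, applied to the alerts Michel posted, as an added example that is not part of the thread: the script below parses the Snort alert text, infers the likely initial TTL (assumed to be one of 32/64/128/255, the usual OS defaults) for both the outer ICMP packet and the quoted original datagram, converts each to an estimated hop count, and lists the inconsistencies. The tolerance for route asymmetry (`max_hop_diff`) and the two extra checks (quoted addresses must mirror the ICMP packet's; the outer IP ID matching the quoted datagram's IP ID is unusual) are this example's own, not something stated in the thread. The two alert samples are copied from the post.

```python
import re

# Initial TTL values commonly set by operating systems. Assumption used
# throughout: the sender's initial TTL is the smallest of these that is
# not below the observed TTL.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed input: the first "port unreachable" alert and the first
# "TTL exceeded" alert, copied from the thread.
PORT_UNREACH_ALERT = """\
[**] ICMP Destination Unreachable (Undefined Code!) [**]
10/30-11:00:03.428845 12.162.189.27 -> 10.0.0.5
ICMP TTL:138 TOS:0x0 ID:20373 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.0.0.5:137 -> 12.162.189.27:137
UDP TTL:116 TOS:0x0 ID:20373 IpLen:20 DgmLen:78
Len: 50
"""

TTL_EXCEEDED_ALERT = """\
[**] [1:450:4] ICMP Time-To-Live Exceeded in Transit (Undefined Code!) [**]
[Classification: Misc activity] [Priority: 3]
10/29-18:17:44.536575 67.17.64.5 -> 10.0.0.5
ICMP TTL:247 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:11  Code:0  TTL EXCEEDED IN TRANSIT
"""

# "src[:port] -> dst[:port]" lines and "PROTO TTL:n TOS:x ID:n" header lines.
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?")
HDR_RE = re.compile(r"^(ICMP|UDP|TCP) TTL:(\d+) TOS:\S+ ID:(\d+)", re.M)


def hops_from_ttl(ttl):
    """Return (assumed initial TTL, estimated hop count) for an observed TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL out of range: %d" % ttl)


def parse_alert(text):
    """Split one Snort alert into its outer IP header and, when the alert
    quotes the original datagram, the inner header.
    Returns (outer, inner); inner is None if nothing was quoted."""
    addrs = ADDR_RE.findall(text)
    hdrs = HDR_RE.findall(text)
    if not addrs or not hdrs:
        raise ValueError("not a Snort IP alert")

    def mk(a, h):
        return {"src": a[0], "dst": a[1], "proto": h[0],
                "ttl": int(h[1]), "ip_id": int(h[2])}

    outer = mk(addrs[0], hdrs[0])
    inner = mk(addrs[1], hdrs[1]) if len(addrs) > 1 and len(hdrs) > 1 else None
    return outer, inner


def analyse(text, max_hop_diff=6):
    """Estimate hop distances and list inconsistencies between the ICMP
    error and the datagram it quotes. max_hop_diff is an assumed
    tolerance for ordinary route asymmetry."""
    outer, inner = parse_alert(text)
    o_init, o_hops = hops_from_ttl(outer["ttl"])
    result = {"outer_initial_ttl": o_init, "outer_hops": o_hops,
              "inner_initial_ttl": None, "inner_hops": None, "findings": []}
    if inner is None:
        return result
    i_init, i_hops = hops_from_ttl(inner["ttl"])
    result["inner_initial_ttl"] = i_init
    result["inner_hops"] = i_hops
    # The quoted datagram's TTL says how far our packet travelled before
    # the responder saw it; the outer TTL says how far the ICMP reply
    # travelled back. Routes are rarely symmetric, but a gap of ~100 hops
    # is not a route, it is a forged or mangled packet.
    if abs(o_hops - i_hops) > max_hop_diff:
        result["findings"].append(
            "hop mismatch: reply %d hops, request %d hops" % (o_hops, i_hops))
    # A genuine error quotes the datagram we sent, so the inner addresses
    # must mirror the outer ones.
    if (inner["src"], inner["dst"]) != (outer["dst"], outer["src"]):
        result["findings"].append("quoted datagram does not mirror ICMP addresses")
    # The ICMP error is a fresh IP packet built by the responder; carrying
    # the IP ID of the packet it quotes is unusual and worth a look.
    if outer["ip_id"] == inner["ip_id"]:
        result["findings"].append(
            "outer IP ID %d equals quoted datagram's IP ID" % outer["ip_id"])
    return result


if __name__ == "__main__":
    for alert in (PORT_UNREACH_ALERT, TTL_EXCEEDED_ALERT):
        print(analyse(alert))
```

On the posted alert the script estimates 117 hops for the reply (initial TTL 255) against 12 hops for the request (initial TTL 128), which is the mismatch Kevin describes; the Type 11 alert quotes no datagram, so only the outer estimate (8 hops) is reported for it.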
