[Dshield] Any ideas?

Paul Marsh pmarsh at nmefdn.org
Tue Sep 16 19:33:13 GMT 2003


John:

	200.32.99.66 is the source, xxx.xxx.xxx.xxx is the destination, the probes are directed at my MTA.

Thanx, Paul

-----Original Message-----
From: John Sage [mailto:jsage at finchhaven.com]
Sent: Tuesday, September 16, 2003 03:20 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Any ideas?


Paul:

On Tue, Sep 16, 2003 at 09:25:18AM -0400, Paul Marsh wrote:
> Checking my logs this morning I've found the following.  The IP
> belongs to an Argentinean ISP but that really does mean anything.
> Anyone have any ideas?

Two:

1) packets from your host/network can't reach their desired
destination;

2) someone is spoofing your IP as the source of a probe/DoS/DDoS, and
you're getting the backscatter.

If the format is of the usual sort, 3 = ICMP type = destination
unreachable; 1 = ICMP code = host unreachable


> 09/16/2003 09:07:34.096 ICMP packet dropped 200.32.99.66, 3, WAN
> xxx.xxx.xxx.xxx, 1, LAN 'Dest Unreachable' 33 
> 09/16/2003 08:52:13.080 ICMP packet dropped 200.32.99.66, 3, WAN
> xxx.xxx.xxx.xxx, 1, LAN 'Dest Unreachable' 33 
> 09/16/2003 08:36:52.048 ICMP packet dropped 200.32.99.66, 3, WAN
> xxx.xxx.xxx.xxx, 1, LAN 'Dest Unreachable' 33 
> 09/16/2003 08:31:41.800 ICMP packet dropped 200.32.99.66, 3, WAN
> xxx.xxx.xxx.xxx, 1, LAN 'Dest Unreachable' 33  


- John
-- 
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.
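
An added example, not part of the original thread: a small Python parser for the firewall log lines quoted above that decodes the ICMP type/code pair and measures the time between drops. The field order (source, ICMP type, interface, destination, ICMP code, interface) is the assumption stated in the reply; the function names are hypothetical.

```python
import re
from datetime import datetime

# ICMP type 3 (Destination Unreachable) codes defined in RFC 792.
DEST_UNREACH = {0: "network unreachable", 1: "host unreachable",
                2: "protocol unreachable", 3: "port unreachable",
                4: "fragmentation needed and DF set", 5: "source route failed"}

# Assumed layout: src, ICMP type, in-interface, dst, ICMP code, out-interface.
LINE_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ICMP packet dropped "
    r"(?P<src>[^,\s]+), (?P<type>\d+), (?P<in_if>\w+) "
    r"(?P<dst>[^,\s]+), (?P<code>\d+), (?P<out_if>\w+)")

# The four log lines from the post, with the mail client's wrapping undone.
SAMPLE = """\
09/16/2003 09:07:34.096 ICMP packet dropped 200.32.99.66, 3, WAN xxx.xxx.xxx.xxx, 1, LAN 'Dest Unreachable' 33
09/16/2003 08:52:13.080 ICMP packet dropped 200.32.99.66, 3, WAN xxx.xxx.xxx.xxx, 1, LAN 'Dest Unreachable' 33
09/16/2003 08:36:52.048 ICMP packet dropped 200.32.99.66, 3, WAN xxx.xxx.xxx.xxx, 1, LAN 'Dest Unreachable' 33
09/16/2003 08:31:41.800 ICMP packet dropped 200.32.99.66, 3, WAN xxx.xxx.xxx.xxx, 1, LAN 'Dest Unreachable' 33
"""

def parse(text):
    """Return decoded drop events, oldest first; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        t, c = int(m["type"]), int(m["code"])
        if t == 3:
            meaning = DEST_UNREACH.get(c, f"unreachable, code {c}")
        else:
            meaning = f"type {t} code {c}"
        events.append({"ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
                       "src": m["src"], "dst": m["dst"], "meaning": meaning})
    return sorted(events, key=lambda e: e["ts"])

def gaps_seconds(events):
    """Whole seconds between consecutive events."""
    return [round((b["ts"] - a["ts"]).total_seconds())
            for a, b in zip(events, events[1:])]

if __name__ == "__main__":
    evs = parse(SAMPLE)
    for e in evs:
        print(e["ts"], e["src"], "->", e["dst"], e["meaning"])
    print("gaps (s):", gaps_seconds(evs))
```

On the four quoted lines the last two gaps are both 921 seconds. A fixed interval like that is worth comparing against the MTA's queue retry schedule when testing the first explanation in the reply.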
