[Dshield] Any ideas?
Niel van Niekerk
niel at vanniekerk.net
Wed Sep 17 08:41:32 GMT 2003
Paul Marsh wrote:
> 126.96.36.199 is the source, xxx.xxx.xxx.xxx is the destination, the probes are directed at my MTA.
> Thanx, Paul
> -----Original Message-----
> From: John Sage [mailto:jsage at finchhaven.com]
> Sent: Tuesday, September 16, 2003 03:20 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Any ideas?
> 1) packets from your host/network can't reach their desired
> 2) someone is spoofing your IP as the source of a probe/Dos/DDos, and
> you're getting the backscatter.
> If the format is of the usual sort, 3 = ICMP type = destination
> unreachable; 1 = ICMP code = host unreachable
That is correct according to John's explanation, a router/gateway on the
path to the remote host, or the remote host itself (188.8.131.52) is
telling your MTA that a destination host/port it tried to send packets
to is not reachable.
The most likely explanation is that someone on your side addressed a mail
to someone with a bad MX record, or dud mail server (John's #1). Another
(less likely) explanation would be John's #2.
To confirm this you can perhaps check your mail logs around the time of
these FW logs and identify undeliverables. (Assuming that your MTA is
dedicated to its task and doesn't do other things as well.)
If it is the first case this is nothing to worry about and in the second
you can worry if you want, but there is not much you can do about it, so
Google for RFC792 if you want to know more about ICMP.
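As an added example (not part of the thread, and not Niel's or John's code), one way to carry out the check described above in code: parse an ICMP type 3 message, read the original IP header and ports that RFC 792 requires the router to quote, and decide whether your MTA originated the offending packet (an undeliverable mail, John's #1) or the quoted source is not yours at all (spoofing/backscatter, John's #2). The packet and the addresses are constructed samples in documentation ranges, not the ones in the post.

```python
import struct

# Constructed sample addresses (RFC 5737 documentation ranges), not the thread's.
MY_MTA = "192.0.2.25"
CODE_NAMES = {0: "net unreachable", 1: "host unreachable",
              2: "protocol unreachable", 3: "port unreachable"}  # RFC 792, type 3


def _ip2b(s):
    return bytes(int(x) for x in s.split("."))


def build_icmp_unreachable(orig_src, orig_dst, sport, dport, code=1):
    """Construct a router's ICMP type 3 reply: 8-byte ICMP header, then the
    offending packet's IPv4 header and the first 8 bytes of its TCP header."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                           _ip2b(orig_src), _ip2b(orig_dst))
    inner_tcp8 = struct.pack("!HHI", sport, dport, 0x12345678)  # ports + seq number
    return struct.pack("!BBHI", 3, code, 0, 0) + inner_ip + inner_tcp8


def classify_unreachable(icmp, my_mta_ip):
    """Parse an ICMP message and report whose packet the router is quoting."""
    itype, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if itype != 3:
        return {"verdict": "not-destination-unreachable", "type": itype}
    inner = icmp[8:]                      # quoted original IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4           # IPv4 header length in bytes
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport = dport = None
    if proto in (6, 17) and len(inner) >= ihl + 4:  # TCP/UDP ports lead the header
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    if src != my_mta_ip:
        verdict = "spoofed-or-backscatter"           # John's #2: not our packet
    elif proto == 6 and dport == 25:
        verdict = "own-outbound-mail-undeliverable"  # John's #1: our SMTP delivery
    else:
        verdict = "own-traffic-non-smtp"             # ours, but not mail; check host
    return {"verdict": verdict, "code_name": CODE_NAMES.get(code, f"code {code}"),
            "unreachable_host": dst, "quoted_src": src, "quoted_dport": dport}


if __name__ == "__main__":
    pkt = build_icmp_unreachable(MY_MTA, "198.51.100.7", 40000, 25)
    print(classify_unreachable(pkt, MY_MTA))
```

The `unreachable_host` it reports is the address to look for in the mail log around the firewall timestamp.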