[Dshield] Any ideas?

Niel van Niekerk niel at vanniekerk.net
Wed Sep 17 08:41:32 GMT 2003


Paul Marsh wrote:
> John:
> 
> 	200.32.99.66 is the source, xxx.xxx.xxx.xxx is the destination, the probes are directed at my MTA.
> 
> Thanx, Paul
> 
> -----Original Message-----
> From: John Sage [mailto:jsage at finchhaven.com]
> Sent: Tuesday, September 16, 2003 03:20 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] Any ideas?
--SNIPPED--
> Two:
> 
> 1) packets from your host/network can't reach their desired
> destination;
> 
> 2) someone is spoofing your IP as the source of a probe/Dos/DDos, and
> you're getting the backscatter.
> 
> If the format is of the usual sort, 3 = ICMP type = destination
> unreachable; 1 = ICMP code = host unreachable
> 
--SNIPPED--

Hi Paul,

That is correct according to John's explanation, a router/gateway on the 
path to the remote host, or the remote host itself (200.32.99.66) is 
telling your MTA that a destination host/port it tried to send packets 
to is not reachable.
The most likely explanation is that someone on your side adressed a mail 
to someone with a bad MX record, or dud mail server (John's #1). Another 
(less likely) explanation would be John's #2.

To confirm this you can perhaps check your mail logs around the time of 
these FW logs and identify undeliverables. (Assuming that your MTA is 
dedicated to its task and doesn't do other things as well.)

If it is the first case this is nothing to worry about and in the second 
you can worry if you want, but there is not much you can do about it, so 
why worry?

Google for RFC792 if you want to know more about ICMP.

HTH
Niël









More information about the list mailing list