[Dshield] Sanity check

stephane nasdrovisky stephane.nasdrovisky at paradigmo.com
Wed Oct 13 16:48:16 GMT 2004


Esler, Joel - Contractor wrote:

>Correct, however, no traceroute was conducted, there is no other traffic
>present during this time period to or from this IP. 
>
Note that most icmp errors comes from ip addresses different than the 
source and destination addresses of the original packet (i.e. the router 
with ip 1.2.3.4 may send an icmp error(1) for a packet sent from 2.3.4.5 
to 3.4.5.6)
It could be some kind of backscatter traffic (someone is spoofing you 
address), the packet is blocked for some reason, and you get the icmp 
message that explain why a router dropped the spoofed packet.

>Esler, Joel - Contractor wrote:
>  
>
>>What would be the point of an unsolicited ICMP time exceeded in transit?
>>
It may mean the spoofer is too far from its target (255 hops, or even 
lower if the spoofer is some kind of script kiddie) or he tries to use 
some kind of source routing (which increase the required ttl).
"ICMP time exceeded in transit" is usually solicited,  the only (I 
think) way to know for sure is by asking the original packet destination 
(which should be copied in the icmp payload, along with all the ip 
headers of this packet) if he's under dos. If you see a lot of syn/ack 
or rst packet coming from this original packet destination, chances are 
he's under dos(2).

1: ttl, net unreachable, administratively prohibited (=acl), source 
quench (= net congestion), port unavailable (=udp service do not exist 
on the destination host)
2: not the old ms toy, but a "denial of  service" attack.



More information about the list mailing list