[Dshield] Sanity check
stephane.nasdrovisky at paradigmo.com
Wed Oct 13 16:48:16 GMT 2004
Esler, Joel - Contractor wrote:
>Correct, however, no traceroute was conducted, there is no other traffic
>present during this time period to or from this IP.
Note that most icmp errors come from ip addresses different than the
source and destination addresses of the original packet (i.e. the router
with ip 220.127.116.11 may send an icmp error(1) for a packet sent from 18.104.22.168).
It could be some kind of backscatter traffic (someone is spoofing your
address), the packet is blocked for some reason, and you get the icmp
message that explains why a router dropped the spoofed packet.
>Esler, Joel - Contractor wrote:
>>What would be the point of an unsolicited ICMP time exceeded in transit?
It may mean the spoofer is too far from its target (255 hops, or even
lower if the spoofer is some kind of script kiddie) or he tries to use
some kind of source routing (which increases the required ttl).
"ICMP time exceeded in transit" is usually solicited, the only (I
think) way to know for sure is by asking the original packet destination
(which should be copied in the icmp payload, along with all the ip
headers of this packet) if he's under dos. If you see a lot of syn/ack
or rst packet coming from this original packet destination, chances are
he's under dos(2).
1: ttl, net unreachable, administratively prohibited (=acl), source
quench (= net congestion), port unavailable (=udp service does not exist
on the destination host)
2: not the old ms toy, but a "denial of service" attack.
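The check described above (read the original packet's IP header out of the ICMP payload and compare its destination with the traffic you actually sent) as an added example that is not part of the original post; the packet bytes, addresses and the `contacted` set are constructed here, and in practice the set would come from your own flow logs.

```python
import struct
from ipaddress import ip_address

def build_ipv4(src, dst, proto, ttl, payload):
    """Minimal IPv4 header (no options, checksum left at 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload

def analyze_time_exceeded(pkt, our_addresses, contacted):
    """Parse an IPv4 packet carrying ICMP type 11 (time exceeded) and
    classify it using the quoted original header (RFC 792: the ICMP
    payload carries the original IP header plus 8 bytes of its data)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not an ICMP packet")
    reporter = str(ip_address(pkt[12:16]))        # the router that dropped it
    icmp = pkt[ihl:]
    if icmp[0] != 11:
        raise ValueError("not ICMP time exceeded")
    inner = icmp[8:]                               # quoted original packet
    inner_ihl = (inner[0] & 0x0F) * 4
    orig_src = str(ip_address(inner[12:16]))
    orig_dst = str(ip_address(inner[16:20]))
    l4 = inner[inner_ihl:inner_ihl + 8]
    dport = struct.unpack("!H", l4[2:4])[0] if inner[9] in (6, 17) else None
    if orig_src not in our_addresses:
        verdict = "unrelated"            # quotes a packet with someone else's source
    elif orig_dst in contacted:
        verdict = "solicited"            # we really sent something to orig_dst
    else:
        verdict = "possible backscatter" # our address quoted, but no traffic from us
    return {"reporter": reporter, "original_src": orig_src,
            "original_dst": orig_dst, "original_dport": dport,
            "source_routed": inner_ihl > 20, "verdict": verdict}

# Constructed sample: router 192.0.2.1 reports a TTL-expired TCP SYN that
# claims to come from "our" 198.51.100.7 and was headed to 203.0.113.9:80.
QUOTED = build_ipv4("198.51.100.7", "203.0.113.9", 6, 1, struct.pack("!HHI", 12345, 80, 0))
SAMPLE = build_ipv4("192.0.2.1", "198.51.100.7", 1, 60,
                    struct.pack("!BBHI", 11, 0, 0, 0) + QUOTED)

if __name__ == "__main__":
    print(analyze_time_exceeded(SAMPLE, {"198.51.100.7"}, set()))
```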