[Dshield] ICMP Destination Unreachable Fragmentation Needed and DFbit was set

Rob Webb PacketHunter at comcast.net
Mon Jan 31 20:04:06 GMT 2005


Joel,

I see this a lot when packets enter VPN tunnels.  If the tunnel adds a
header onto an already 1500 byte (IP Header + data) packet, it may exceed
the MTU for the segment it is entering.  The 209.149.96.22 would most likely
be a router or VPN device on the inbound (unencrypted) side.  However, what
I'm not sure about is the reference to the 68.158 address.  Is this the
source address in the original IP header (inside the ICMP data)?  Also, just
out of curiosity, what was the MTU that the packet said to change to...and
what was the size of the original packet? 


--Rob 


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Joel Esler
Sent: Monday, January 31, 2005 2:27 PM
To: General DShield Discussion List
Subject: [Dshield] ICMP Destination Unreachable Fragmentation Needed and
DFbit was set

Just received 6 alerts on Snort all from "209.149.96.22".


ICMP Destination Unreachable Fragmentation Needed and DF bit was set,
apparently the original IP was: 68.158.0.203.  Anyone have any thoughts?

Joel
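
The three things asked about in the reply above (the source address in the original IP header inside the ICMP data, the MTU the message asks for, and the size of the original packet) can all be read from the ICMP payload itself. The following is an added example, not part of the original thread: the function names are hypothetical, and the addresses, MTU and packet size in the sample are constructed.

```python
import socket
import struct

FRAG_NEEDED = (3, 4)  # ICMP type 3 (Destination Unreachable), code 4

def parse_frag_needed(icmp, outer_dst=None):
    """Parse an ICMP 'Fragmentation Needed and DF set' message (RFC 792 / RFC 1191).

    icmp      -- raw ICMP message, starting at the ICMP type byte
    outer_dst -- destination IP of the packet that carried the ICMP error (optional)
    Checksums are not verified here.
    """
    if len(icmp) < 8 + 20:
        raise ValueError("too short for ICMP header plus embedded IPv4 header")
    icmp_type, code, _cksum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != FRAG_NEEDED:
        raise ValueError("not a Fragmentation Needed message")
    # The error quotes the IP header of the datagram that could not be forwarded.
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _hck, src, dst) = struct.unpack("!BBHHHBBH4s4s", icmp[8:28])
    if ver_ihl >> 4 != 4:
        raise ValueError("embedded header is not IPv4")
    orig_src = socket.inet_ntoa(src)
    return {
        "next_hop_mtu": next_hop_mtu,      # 0 means the router predates RFC 1191
        "orig_src": orig_src,
        "orig_dst": socket.inet_ntoa(dst),
        "orig_total_len": total_len,       # size of the packet that was too big
        "orig_df": bool(flags_frag & 0x4000),
        "orig_proto": proto,
        "oversize_by": total_len - next_hop_mtu if next_hop_mtu else None,
        # An ICMP error is sent to the source of the quoted datagram, so the
        # embedded source should equal the address the error was delivered to.
        "src_is_receiver": None if outer_dst is None else orig_src == outer_dst,
    }

def build_sample():
    """Constructed sample: 1500-byte TCP packet with DF set, next-hop MTU 1400."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 63, 6, 0,
                           socket.inet_aton("192.0.2.10"),
                           socket.inet_aton("198.51.100.20"))
    inner_l4 = struct.pack("!HHI", 49152, 443, 1)  # first 8 bytes of the TCP header
    return struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + inner_ip + inner_l4

if __name__ == "__main__":
    for key, value in parse_frag_needed(build_sample(), "192.0.2.10").items():
        print(f"{key}: {value}")
```
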