Strange Etherswitch Traffic

Lois Lehman LOIS.LEHMAN at asu.edu
Wed Sep 10 23:33:47 GMT 2003


While looking at our Snort logs for yesterday's activity, I came across these
entries involving two different etherswitches trying to communicate with a
device at the Internet Software Consortium.  Can anyone explain what is
happening here?
 
 
 
[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
09/09-00:39:17.645323 212.76.224.253 -> 129.219.xx.xxx
ICMP TTL:238 TOS:0x0 ID:56874 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
129.219.xx.xxx:1599 -> 204.152.184.189:6914
TCP TTL:125 TOS:0x0 ID:256 IpLen:20 DgmLen:40
Seq: 0x4B8E0000  Ack: 0x41434143
** END OF DUMP
 
 
 
[**] [1:472:1] ICMP redirect host [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
09/09-03:21:17.948447 65.104.98.146 -> 129.219.xx.xxx
ICMP TTL:47 TOS:0x0 ID:14084 IpLen:20 DgmLen:56
Type:5  Code:1  REDIRECT HOST NEW GW: 65.104.98.145
** ORIGINAL DATAGRAM DUMP:
129.219.xx.xxx:0 -> 204.152.184.189:0
TCP TTL:127 TOS:0x0 ID:256 IpLen:20 DgmLen:40
** END OF DUMP
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0265][Xref => http://www.whitehats.com/info/IDS135]
 
[**] [1:472:1] ICMP redirect host [**]
[Classification: Potentially Bad Traffic] [Priority: 2] 
09/09-03:21:21.002106 65.104.98.146 -> 129.219.xx.xxx
ICMP TTL:47 TOS:0x0 ID:26856 IpLen:20 DgmLen:56
Type:5  Code:1  REDIRECT HOST NEW GW: 65.104.98.145
** ORIGINAL DATAGRAM DUMP:
129.219.xx.xxx:0 -> 204.152.184.189:0
TCP TTL:127 TOS:0x0 ID:256 IpLen:20 DgmLen:40
** END OF DUMP
 
Thanks for any insights you might be able to offer.
 
Regards,
Lois
 
 
Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139
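A small parser for the Snort full-alert format quoted above, added here as an example and not part of the original post: it pulls out the rule SID, the ICMP type and code (plus the gateway an ICMP redirect advertises), and the flow recorded in the quoted original datagram, so you can see which of your own connections each remote ICMP message claims to refer to. The sample alert text is constructed from the entries in the post.

```python
import re

# Constructed sample: two Snort full-format alerts modelled on the ones quoted in the post.
SAMPLE_ALERTS = """\
[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
09/09-00:39:17.645323 212.76.224.253 -> 129.219.xx.xxx
ICMP TTL:238 TOS:0x0 ID:56874 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
129.219.xx.xxx:1599 -> 204.152.184.189:6914
TCP TTL:125 TOS:0x0 ID:256 IpLen:20 DgmLen:40
** END OF DUMP

[**] [1:472:1] ICMP redirect host [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
09/09-03:21:17.948447 65.104.98.146 -> 129.219.xx.xxx
ICMP TTL:47 TOS:0x0 ID:14084 IpLen:20 DgmLen:56
Type:5  Code:1  REDIRECT HOST NEW GW: 65.104.98.145
** ORIGINAL DATAGRAM DUMP:
129.219.xx.xxx:0 -> 204.152.184.189:0
TCP TTL:127 TOS:0x0 ID:256 IpLen:20 DgmLen:40
** END OF DUMP
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")   # [**] [gid:sid:rev] msg [**]
ICMP = re.compile(r"^Type:(\d+)\s+Code:(\d+)(?:.*NEW GW: (\S+))?")         # gateway only on redirects
ORIG_FLOW = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")                      # src:port -> dst:port

def parse_alerts(text):
    """Split Snort full-format alert text (blank-line separated) into one dict per alert:
    rule SID, message, ICMP type/code, advertised gateway, and the quoted original flow."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        if not head:
            continue
        a = {"sid": int(head.group(2)), "msg": head.group(4),
             "type": None, "code": None, "new_gw": None, "orig": None}
        for line in lines[1:]:
            if (m := ICMP.match(line)):
                a["type"], a["code"], a["new_gw"] = int(m.group(1)), int(m.group(2)), m.group(3)
            elif (m := ORIG_FLOW.match(line)):  # only the dumped original datagram line carries ports
                a["orig"] = {"src": m.group(1), "sport": int(m.group(2)),
                             "dst": m.group(3), "dport": int(m.group(4))}
        alerts.append(a)
    return alerts
```

Feeding a day's alert file through `parse_alerts` and grouping on `orig["dst"]` shows at a glance which of your hosts' outbound flows the ICMP errors and redirects are referencing.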
 