From owner-freebsd-security Mon Nov 15 9:57:24 1999
Delivered-To: freebsd-security@freebsd.org
From: "John Howie" <JHowie@msn.com>
To: "Francisco Reyes", "Vladimir Dubrovin"
Subject: Re: Is this an attack? ICMP packets coming from my own IP
Date: Mon, 15 Nov 1999 10:04:05 -0800
Message-ID: <001f01bf2f93$ce326390$fd01a8c0@pacbell.net>
References: <199911151329.IAA75221@sanson.reyes.somos.net>

Francisco,

----- Original Message -----
From: "Francisco Reyes"
To: "Vladimir Dubrovin"
Sent: Monday, November 15, 1999 5:26 AM
Subject: Re: Is this an attack? ICMP packets coming from my own IP

[STUFF DELETED]

> ipfw: 3100 Accept ICMP:0.0 204.71.200.245 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 216.145.30.3 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.13 155.232.17.2 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 16.1.0.18 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 204.123.2.18 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 209.192.217.104 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.1 144.232.9.142 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 207.240.212.43 207.240.140.102 out via tun0

ICMP Type 3 packets are sent by a remote host to inform the local system
that the destination is unreachable. The Code field elaborates:

    0  = Network Unreachable
    1  = Host Unreachable
    2  = Protocol Unreachable
    3  = Port Unreachable
    ...
    13 = Communication administratively prohibited by filtering.

If you have a lot of users trying to telnet, ftp, rsh, rexec, rlogin, etc.
to remote machines then these messages are quite common. If you have a lot
of 3.3's from a single host, it is a good indication that someone is
running a portscanner on your machine against that host.

Your entries look *fairly* benign. Without timestamps and details of the
processes attempting communications that resulted in these messages, you
can never be sure.

> Any place I could read about ICMP packets? A search in google found
> mostly info from a list archive. I will go over those messages tonight..

Try the ICMP RFC - 792, available from www.ietf.org

Cheers,

john...
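A small parser for ipfw ICMP log lines of the shape quoted above, added here as an illustration and not code from the thread or from FreeBSD. It decodes the Type 3 codes the reply lists and counts inbound 3.3 (Port Unreachable) messages per source host, the "lots of 3.3's from a single host" pattern the reply says deserves a closer look. The sample log is constructed, modelled on the quoted lines, with one source repeated.

```python
import re
from collections import Counter

# ICMP Type 3 (Destination Unreachable) code names from the post (RFC 792; code 13 per RFC 1812).
UNREACHABLE_CODES = {0: "Network Unreachable", 1: "Host Unreachable",
                     2: "Protocol Unreachable", 3: "Port Unreachable",
                     13: "Communication administratively prohibited"}

# ipfw log layout quoted in the thread: ipfw: <rule> <action> ICMP:<type>.<code> <src> <dst> <in|out> via <iface>
LOG_RE = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\w+) ICMP:(?P<type>\d+)\.(?P<code>\d+) "
                    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dir>in|out) via (?P<iface>\S+)")

# Constructed sample, modelled on the quoted lines; 216.145.30.3 appears three times.
SAMPLE_LOG = """\
ipfw: 3100 Accept ICMP:0.0 204.71.200.245 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.3 216.145.30.3 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.13 155.232.17.2 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.3 216.145.30.3 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.3 216.145.30.3 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:3.3 207.240.212.43 207.240.140.102 out via tun0
""".splitlines()

def parse_ipfw_icmp(line):
    """Return the fields of one ipfw ICMP log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "type", "code"):
        rec[key] = int(rec[key])
    return rec

def describe(rec):
    """Human-readable meaning of a parsed record's type/code pair."""
    if rec["type"] == 3:
        return "Destination Unreachable: " + UNREACHABLE_CODES.get(rec["code"], "code %d" % rec["code"])
    return "ICMP type %d code %d" % (rec["type"], rec["code"])

def port_unreachable_sources(lines):
    """Count inbound ICMP 3.3 (Port Unreachable) messages per sending host; outbound lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_ipfw_icmp(line)
        if rec and rec["dir"] == "in" and (rec["type"], rec["code"]) == (3, 3):
            counts[rec["src"]] += 1
    return counts

def noisy_sources(lines, threshold=3):
    """Hosts that sent at least `threshold` Port Unreachables, i.e. the pattern the post flags."""
    return sorted(h for h, n in port_unreachable_sources(lines).items() if n >= threshold)
```

As the post notes, a count alone is only a hint; timestamps and the local process that triggered each reply are what settle the question.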