Date:      Sun, 10 Sep 2000 11:38:50 -0700
From:      Emmanuel Gravel <egravel@earthlink.net>
To:        freebsd-net@FreeBSD.ORG
Subject:   Re: Strange TTL Exceeded messages
Message-ID:  <200009101838.LAA01178@falcon.prod.itd.earthlink.net>
In-Reply-To: <Pine.GSO.4.21.0009101217570.19891-100000@jah.bitstream.net>
References:  <200009101707.KAA06851@falcon.prod.itd.earthlink.net>

At 12:21 PM 9/10/00 -0500, Dan Debertin wrote:
>On Sun, 10 Sep 2000, Emmanuel Gravel wrote:
>
>> Knowing I shouldn't have much (any) traffic on my system I ran ethereal
>> overnight to see what my firewall could and couldn't catch. Apart from the
>> usual queries on ports 139 and 137, I saw something strange. I received
>> about 20 TTL Exceeded messages from a host I never sent any info to
>> (according to the ethereal log) just past 3 this morning.
>
>Somebody (possibly you) was using traceroute. It uses ICMP
>TTL-exceeded-in-transit and destination-unreachable messages to do its work
>(I won't explain how traceroute works here, but read any good TCP/IP book
>for more info).

At 3 AM I was fast asleep :) According to the ethereal logs, there were no
transmissions at all originating from me. And since it's in the non-routable
addresses, it must mean someone was sending this to me with forged
origin info. Something strange though. I have these rules in the firewall:

${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 10.0.0.0/8 out via ${oif}

and ipfw -a list gives

00600    0      0 deny ip from 10.0.0.0/8 to any via ep0
00700   18   1160 deny ip from any to 10.0.0.0/8 out xmit ep0

Keep in mind I did try pinging the host, and tried a traceroute on it...
Just a quick question about this, I know the first number is the ipfw
rule sequence #. I believe the second is number of packets. So the
third, would it be number of bytes?

I did a timestamp on it, and it shows that rule 00700 was first logged
at 10 this morning. Also keep in mind that I restarted my rules a few
times... I know I shouldn't have, and checked them in more detail (to
see if the firewall actually dropped the packets). I'm not logging them,
so I'll start to now... Shouldn't get too much data though :)

I know that icmp ttl exceeded messages are common with a traceroute,
however why would I get so many from the same host (in a normal situation,
considering I would have actually done a traceroute, which isn't the case)?

Also, anyone know of anything running on port 27374? This, and any
setup connection from the outside (usually on port 139 :) just got blocked
a few minutes ago... Just trying to understand what kind of weird traffic is
coming in on my system :) Mind you, if it's not something known, it may
just be BO or Netbus trying in on a different port too... Wasn't dumping
packets when I got it...

Thanks!

Emmanuel
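The two things the post is trying to do by hand (read the `ipfw -a list` counters, and decide whether the ICMP time-exceeded messages were solicited) can be scripted. The example below is added here and is not code from the poster or from the FreeBSD project. It relies on one fact about ipfw: `ipfw -a list` prints, per rule, the rule number, the packet count and the byte count before the rule text. Everything else is an assumption: the packet records are constructed to resemble an Ethereal log (timestamp in seconds, source, destination, protocol, info string), `MY_ADDR` is a placeholder for the poster's own address, and the 10.1.2.3 sender is made up. The solicited/unsolicited test is deliberately loose: a traceroute gets time-exceeded replies from intermediate routers, not from the destination, so the only sound check is whether this host sent anything at all shortly before each reply.

```python
"""Added example: parse ipfw accounting output and flag unsolicited ICMP
time-exceeded messages. All sample data below is constructed."""
import ipaddress
import re
from collections import namedtuple

# `ipfw -a list` column order: rule number, packets, bytes, then the rule text.
IPFW_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
IpfwRule = namedtuple("IpfwRule", "number packets bytes text")

# RFC 1918 ranges; traffic from these should never arrive from the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One record per captured packet; this shape is an assumption, not Ethereal's format.
Packet = namedtuple("Packet", "ts src dst proto info")


def parse_ipfw_accounting(output):
    """Turn `ipfw -a list` output into IpfwRule tuples; skips lines that do not match."""
    rules = []
    for line in output.splitlines():
        m = IPFW_LINE.match(line.strip())
        if m:
            rules.append(IpfwRule(int(m.group(1)), int(m.group(2)),
                                  int(m.group(3)), m.group(4)))
    return rules


def rules_with_hits(rules):
    """Rules whose packet counter is non-zero, i.e. rules that actually fired."""
    return [r for r in rules if r.packets > 0]


def is_private(addr):
    """True if addr falls in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def unsolicited_time_exceeded(packets, my_addr, window_s=300):
    """ICMP time-exceeded packets to my_addr with no outbound packet from
    my_addr in the preceding window_s seconds. A genuine traceroute or ping
    from this host would leave such an outbound packet in the capture."""
    sent_times = sorted(p.ts for p in packets if p.src == my_addr)
    flagged = []
    for p in packets:
        if p.dst != my_addr or p.proto != "ICMP" or "exceeded" not in p.info.lower():
            continue
        solicited = any(p.ts - window_s <= t <= p.ts for t in sent_times)
        if not solicited:
            flagged.append(p)
    return flagged


# Constructed sample modelled on the counters quoted in the post.
SAMPLE_IPFW = """\
00100    3    240 allow ip from any to any via lo0
00600    0      0 deny ip from 10.0.0.0/8 to any via ep0
00700   18   1160 deny ip from any to 10.0.0.0/8 out xmit ep0
"""

MY_ADDR = "192.0.2.10"  # placeholder for the poster's own address
SAMPLE_PACKETS = [
    # ~03:03, nothing sent by this host beforehand: these two are unsolicited.
    Packet(10980, "10.1.2.3", MY_ADDR, "ICMP", "Time-to-live exceeded in transit"),
    Packet(10981, "10.1.2.3", MY_ADDR, "ICMP", "Time-to-live exceeded in transit"),
    # ~10:00, the poster pings the host and gets a reply one second later: solicited.
    Packet(36000, MY_ADDR, "10.1.2.3", "ICMP", "Echo (ping) request"),
    Packet(36001, "10.1.2.3", MY_ADDR, "ICMP", "Time-to-live exceeded in transit"),
    # Unrelated inbound connection attempt, for contrast.
    Packet(36100, "198.51.100.7", MY_ADDR, "TCP", "1234 > 27374 [SYN]"),
]


def report(ipfw_output=SAMPLE_IPFW, packets=SAMPLE_PACKETS, my_addr=MY_ADDR):
    """Summarise fired rules and unsolicited time-exceeded senders."""
    rules = parse_ipfw_accounting(ipfw_output)
    flagged = unsolicited_time_exceeded(packets, my_addr)
    return {
        "fired_rules": [(r.number, r.packets, r.bytes) for r in rules_with_hits(rules)],
        "unsolicited": [(p.ts, p.src, is_private(p.src)) for p in flagged],
    }


if __name__ == "__main__":
    for rule in rules_with_hits(parse_ipfw_accounting(SAMPLE_IPFW)):
        print(f"rule {rule.number:05d} fired: {rule.packets} packets, {rule.bytes} bytes")
    for ts, src, private in report()["unsolicited"]:
        print(f"t={ts}: unsolicited time-exceeded from {src} (private: {private})")
```

On the post's own numbers, rule 00700 with 18 packets and 1160 bytes is the outbound deny to 10.0.0.0/8 firing, which is consistent with the poster's later ping and traceroute attempts towards the 10.x host; the inbound rule 00600 showing zero hits is the interesting part, since the early-morning replies from a 10.x source should have been counted there if they arrived on ep0. Logging the rule (ipfw `log`) as the poster intends is the straightforward way to settle which interface they came in on.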

