Date: Mon, 15 Nov 1999 10:04:05 -0800
From: "John Howie" <JHowie@msn.com>
To: "Francisco Reyes" <fran@reyes.somos.net>, "Vladimir Dubrovin" <vlad@sandy.ru>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: Is this an attack? ICMP packets coming from my own IP
Message-ID: <001f01bf2f93$ce326390$fd01a8c0@pacbell.net>
References: <199911151329.IAA75221@sanson.reyes.somos.net>

Francisco,

----- Original Message -----
From: "Francisco Reyes" <fran@reyes.somos.net>
To: "Vladimir Dubrovin" <vlad@sandy.ru>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Monday, November 15, 1999 5:26 AM
Subject: Re: Is this an attack? ICMP packets coming from my own IP

[STUFF DELETED]

>
> ipfw: 3100 Accept ICMP:0.0 204.71.200.245 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 216.145.30.3 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.13 155.232.17.2 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 16.1.0.18 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 204.123.2.18 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 209.192.217.104 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.1 144.232.9.142 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 207.240.212.43 207.240.140.102 out via tun0
>

ICMP Type 3 packets are sent by a remote host to inform the local system
that the destination is unreachable. The Code field elaborates:

0 = Network Unreachable
1 = Host Unreachable
2 = Protocol Unreachable
3 = Port Unreachable
...
...
13 = Communication administratively prohibited by filtering.

If you have a lot of users trying to telnet, ftp, rsh, rexec, rlogin, etc...
remote machines then these messages are quite common. If you have a lot of
3.3's from a single host, it is a good indication that someone is running a
portscanner on your machine against that host.

Your entries look *fairly* benign. Without timestamps and details of the
processes attempting communications that resulted in these messages, you can
never be sure.

> Any place I could read about ICMP packets? A search in google found mostly info from a list archive. I
> will go over those messages tonight..

Try the ICMP RFC - 792, available from www.ietf.org

Cheers,

john...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
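
Added example, not part of the original message: a log triage script that applies the heuristic described above by counting inbound ICMP 3.3 (port unreachable) messages per source address in ipfw log lines of the quoted format. The function names, the threshold of 5 and the burst of sample lines from 198.51.100.7 are assumptions made for illustration.

```python
import re
from collections import Counter

# Log format as quoted in the message:
#   ipfw: <rule> <action> ICMP:<type>.<code> <src> <dst> <in|out> via <iface>
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) ICMP:(?P<type>\d+)\.(?P<code>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

# Destination Unreachable (type 3) codes named in the message.
UNREACH_CODES = {0: "network", 1: "host", 2: "protocol", 3: "port",
                 13: "administratively prohibited"}

def parse(lines):
    """Yield a dict per matching ICMP log line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["type"], rec["code"] = int(rec["type"]), int(rec["code"])
            yield rec

def unreach_summary(lines):
    """Count inbound type 3 messages by code name."""
    return Counter(UNREACH_CODES.get(r["code"], f"code {r['code']}")
                   for r in parse(lines)
                   if r["dir"] == "in" and r["type"] == 3)

def port_unreach_sources(lines, threshold=5):
    """Return {source: count} for hosts that sent at least `threshold`
    inbound 3.3 (port unreachable) messages. The threshold is an assumed
    starting value, not one given in the message."""
    counts = Counter(r["src"] for r in parse(lines)
                     if r["dir"] == "in" and (r["type"], r["code"]) == (3, 3))
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample: three lines from the quoted log, then a made-up burst
# using documentation addresses (198.51.100.7, 192.0.2.10).
SAMPLE = [
    "ipfw: 3100 Accept ICMP:0.0 204.71.200.245 207.240.212.43 in via tun0",
    "ipfw: 3100 Accept ICMP:3.3 216.145.30.3 207.240.212.43 in via tun0",
    "ipfw: 3100 Accept ICMP:3.13 155.232.17.2 207.240.212.43 in via tun0",
] + ["ipfw: 3100 Accept ICMP:3.3 198.51.100.7 192.0.2.10 in via tun0"] * 6

if __name__ == "__main__":
    print(unreach_summary(SAMPLE))
    print(port_unreach_sources(SAMPLE))
```

A source that crosses the threshold is only a lead: correlating it with timestamps and with the local processes that opened connections to that host is still needed, as the message notes.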