Date:      Mon, 15 Nov 1999 10:04:05 -0800
From:      "John Howie" <JHowie@msn.com>
To:        "Francisco Reyes" <fran@reyes.somos.net>, "Vladimir Dubrovin" <vlad@sandy.ru>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: Is this an attack? ICMP packets coming from my own IP
Message-ID:  <001f01bf2f93$ce326390$fd01a8c0@pacbell.net>
References:  <199911151329.IAA75221@sanson.reyes.somos.net>

Francisco,

----- Original Message -----
From: "Francisco Reyes" <fran@reyes.somos.net>
To: "Vladimir Dubrovin" <vlad@sandy.ru>
Cc: <freebsd-security@FreeBSD.ORG>
Sent: Monday, November 15, 1999 5:26 AM
Subject: Re: Is this an attack? ICMP packets coming from my own IP

[STUFF DELETED]

>
> ipfw: 3100 Accept ICMP:0.0 204.71.200.245 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 216.145.30.3 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.13 155.232.17.2 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 16.1.0.18 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 204.123.2.18 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 209.192.217.104 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.1 144.232.9.142 207.240.212.43 in via tun0
> ipfw: 3100 Accept ICMP:3.3 207.240.212.43 207.240.140.102 out via tun0
>

ICMP Type 3 packets are sent by a remote host to inform the local system
that the destination is unreachable. The Code field elaborates:

    0 = Network Unreachable
    1 = Host Unreachable
    2 = Protocol Unreachable
    3 = Port Unreachable
    ...
    ...
    13 = Communication administratively prohibited by filtering.

If you have a lot of users trying to telnet, ftp, rsh, rexec, rlogin, etc...
remote machines then these messages are quite common. If you have a lot of
3.3's from a single host, it is a good indication that someone is running a
portscanner on your machine against that host.

Your entries look *fairly* benign. Without timestamps and details of the
processes attempting communications that resulted in these messages, you can
never be sure.

> Any place I could read about ICMP packets? A search in google found mostly
> info from a list archive. I
> will go over those messages tonight..

Try the ICMP RFC - 792, available from www.ietf.org

Cheers, john...






To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
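
An added example, not part of the original message: one way to apply the "a lot of 3.3's from a single host" check to ipfw log lines in the format quoted above. It tallies inbound ICMP type 3 messages per source and code, then lists the sources that returned at least `threshold` Port Unreachable (3.3) messages. The function names, the threshold value and the sample lines (RFC 5737 documentation addresses) are assumptions made for the illustration.

```python
import re
from collections import Counter
# Code names as listed in the message above (the codes it elides are omitted).
UNREACH_CODES = {0: "Network Unreachable", 1: "Host Unreachable",
                 2: "Protocol Unreachable", 3: "Port Unreachable",
                 13: "Communication administratively prohibited by filtering"}

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) ICMP:(?P<type>\d+)\.(?P<code>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)")

def parse(line):
    """Return a dict for an ipfw ICMP log line, or None if it does not match."""
    m = LINE_RE.search(line)  # search() tolerates syslog or "> " quote prefixes
    if not m:
        return None
    rec = m.groupdict()
    rec["type"], rec["code"] = int(rec["type"]), int(rec["code"])
    return rec

def unreachable_by_source(lines):
    """Count inbound type 3 messages per (source address, code)."""
    counts = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["type"] == 3 and rec["dir"] == "in":
            counts[(rec["src"], rec["code"])] += 1
    return counts

def many_port_unreachables(lines, threshold):
    """Sources that sent at least `threshold` inbound 3.3 messages."""
    counts = unreachable_by_source(lines)
    return sorted(src for (src, code), n in counts.items()
                  if code == 3 and n >= threshold)

# Constructed sample in the same format as the quoted log (not real traffic).
SAMPLE = """\
ipfw: 3100 Accept ICMP:0.0 198.51.100.7 192.0.2.10 in via tun0
ipfw: 3100 Accept ICMP:3.3 198.51.100.7 192.0.2.10 in via tun0
ipfw: 3100 Accept ICMP:3.13 198.51.100.9 192.0.2.10 in via tun0
ipfw: 3100 Accept ICMP:3.3 203.0.113.5 192.0.2.10 in via tun0
ipfw: 3100 Accept ICMP:3.3 203.0.113.5 192.0.2.10 in via tun0
ipfw: 3100 Accept ICMP:3.3 203.0.113.5 192.0.2.10 in via tun0
ipfw: 3100 Accept ICMP:3.3 192.0.2.10 203.0.113.5 out via tun0
""".splitlines()
if __name__ == "__main__":
    for (src, code), n in sorted(unreachable_by_source(SAMPLE).items()):
        print(f"{src:15} 3.{code:<2} x{n}  {UNREACH_CODES.get(code, 'other')}")
    print("many 3.3 from:", many_port_unreachables(SAMPLE, threshold=3))
```

Because these log lines carry no timestamps, the counts say nothing about rate; pairing them with syslog times and the local processes involved is what the message above asks for before drawing a conclusion.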



