Hi there,
ICMP Type 3 means "destination unreachable", and the system you pasted,
152.63.18.61, is one of Alternet's routers. The other system that
was apparently contacted by your computer (who knows why, though...)
was obviously not reachable at the time of the connect, and thus one
of its uplink routers sent a "destination unreachable" (#3),
subtype "host" (#1) to your computer.
I am not sure and have no indication about why that happens, though.
Hope that helps (at least a bit).
Cheers
Chris Burri
   .-.
   /v\    L I N U X
  // \\  >I know KungFu!!<
 /(   )\
  ^^-^^

"Michael Stern" wrote on 11.02.2002 11:10:
Subject: [suse-security] Strange ICMP Packets - Firewall Log

Hi all:
When I looked into my firewall (iptables) log today, I saw the following
entries:
Feb 10 23:06:19 tux kernel: IN=eth0 OUT= MAC=XXX SRC=152.63.18.61 DST=XXX
LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=XXX
DST=194.105.231.69 LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=61154 PROTO=TCP
SPT=1046 DPT=5 WINDOW=20438 RES=0x22 ACK SYN URGP=0 ]
Feb 10 23:06:19 tux kernel: IN=eth0 OUT= MAC=XXX SRC=152.63.18.61 DST=XXX
LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=XXX
DST=194.105.231.69 LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=61154 PROTO=TCP
SPT=1046 DPT=6 WINDOW=0 RES=0x00 URGP=0 ]
Feb 10 23:06:19 tux kernel: IN=eth0 OUT= MAC=XXX SRC=152.63.18.61 DST=XXX
LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=XXX
DST=194.105.231.69 LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=61154 PROTO=TCP
SPT=1046 DPT=18 WINDOW=0 RES=0x00 URGP=0 ]
Feb 10 23:06:19 tux kernel: IN=eth0 OUT= MAC=XXX SRC=152.63.18.61 DST=XXX
LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=XXX
DST=194.105.231.69 LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=61154 PROTO=TCP
SPT=1046 DPT=22 WINDOW=0 RES=0x00 URGP=0 ]
Feb 10 23:06:19 tux kernel: IN=eth0 OUT= MAC=XXX SRC=152.63.18.61 DST=XXX
LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=XXX
DST=194.105.231.69 LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=61154 PROTO=TCP
SPT=1046 DPT=23 WINDOW=0 RES=0x00 URGP=0 ]
From what I know an ICMP packet of type 3 is usually sent when the TTL
expires when attempting to deliver another packet. So it looks to me as
if my computer has contacted 194.105.231.69 on the ports 6,18,22,23, ...
(maybe a port-scan?) and 152.63.18.61 replied to me using a type 3 ICMP
packet.
Oddly enough, no one was at the computer at the time and moreover, why
would - if my computer failed to contact 194.105.231.69 (which resolves to
santa.northpole.is) - 152.63.18.61 (who is known as
209.ATM5-0.IG2.NYC4.ALTER.NET) respond??
Some time ago I received this (single) packet:
Feb 2 23:19:44 tux kernel: IN=eth0 OUT= MAC=XXX SRC=194.204.175.147
DST=XXX
LEN=56 TOS=0x00 PREC=0x00 TTL=239 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX
DST=217.97.149.61 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=60314 PROTO=TCP
SPT=1134 DPT=115 WINDOW=16707 RES=0x31 SYN FIN URGP=0 ]
So 194.204.175.147 (z.war-r2.do.ols-r1.tpnet.pl) reported to me that my
computer was supposed to have sent a packet with the SYN and FIN flags set to
217.97.149.61 (pokemon.hasz.eu.org - yay) on port 115 (layer 2 tunnel)?
Could someone shed some light on this??
Thank you for your time!
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
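As an added example (not part of the thread, and not Chris's or Michael's code), here is a small Python decoder for netfilter LOG lines of the kind posted above. It separates the outer ICMP header from the quoted original packet in square brackets, names the ICMP type/code, records that the address reporting the error differs from the original destination (which is what answers the "why would 152.63.18.61 respond" question: an ICMP error is sent by whichever hop dropped the packet, usually an intermediate router), and flags quoted TCP headers that no real stack would have produced, such as SYN and FIN set together. The sample lines are the ones from the post, joined onto single lines with the masked XXX fields left as they are; the anomaly heuristics are mine and are not something the thread states.

```python
"""Decode iptables/netfilter LOG lines that carry ICMP error messages and
sanity-check the quoted packet inside them.  Added example, not thread code."""
import re
from collections import Counter

# RFC 792 names for the ICMP error type/code pairs seen in the thread plus
# the common neighbours a firewall log is likely to show.
ICMP_ERRORS = {
    (3, 0): "destination unreachable: net",
    (3, 1): "destination unreachable: host",
    (3, 2): "destination unreachable: protocol",
    (3, 3): "destination unreachable: port",
    (3, 4): "destination unreachable: fragmentation needed",
    (3, 13): "destination unreachable: administratively prohibited",
    (11, 0): "time exceeded: TTL expired in transit",
    (11, 1): "time exceeded: fragment reassembly",
}
TCP_FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Everything after "kernel:" is the outer packet; an optional [ ... ] at the
# end is the quoted original packet that the ICMP error carries.
LINE_RE = re.compile(r"kernel:\s*(?P<outer>[^\[]*?)\s*(?:\[(?P<inner>.*?)\])?\s*$")

# The lines from the post, each joined onto one line (XXX = masked by the poster).
SAMPLE_LINES = [
    "Feb 10 23:06:19 tux kernel: IN=eth0 OUT= MAC=XXX SRC=152.63.18.61 DST=XXX LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=XXX DST=194.105.231.69 LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=61154 PROTO=TCP SPT=1046 DPT=5 WINDOW=20438 RES=0x22 ACK SYN URGP=0 ]",
    "Feb 10 23:06:19 tux kernel: IN=eth0 OUT= MAC=XXX SRC=152.63.18.61 DST=XXX LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=XXX DST=194.105.231.69 LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=61154 PROTO=TCP SPT=1046 DPT=6 WINDOW=0 RES=0x00 URGP=0 ]",
    "Feb 10 23:06:19 tux kernel: IN=eth0 OUT= MAC=XXX SRC=152.63.18.61 DST=XXX LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=XXX DST=194.105.231.69 LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=61154 PROTO=TCP SPT=1046 DPT=22 WINDOW=0 RES=0x00 URGP=0 ]",
    "Feb 2 23:19:44 tux kernel: IN=eth0 OUT= MAC=XXX SRC=194.204.175.147 DST=XXX LEN=56 TOS=0x00 PREC=0x00 TTL=239 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX DST=217.97.149.61 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=60314 PROTO=TCP SPT=1134 DPT=115 WINDOW=16707 RES=0x31 SYN FIN URGP=0 ]",
]


def _kv(text):
    """Split 'K=V K=V FLAG ...' into a dict of values and a set of bare words."""
    values, words = {}, set()
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            values[key] = val
        else:
            words.add(tok)
    return values, words


def parse_line(line):
    """Return {'outer': fields, 'inner': fields-or-None} for one LOG line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a netfilter LOG line: %r" % line)
    outer, _ = _kv(m.group("outer"))
    inner = None
    if m.group("inner"):
        inner, words = _kv(m.group("inner"))
        inner["FLAGS"] = words & TCP_FLAG_WORDS
    return {"outer": outer, "inner": inner}


def analyse(line):
    """Name the ICMP error and list things in the quoted packet that a real
    TCP stack would not have sent (heuristics added here, not from the thread)."""
    pkt = parse_line(line)
    outer, inner = pkt["outer"], pkt["inner"]
    if outer.get("PROTO") != "ICMP":
        return {"kind": "not icmp", "anomalies": []}
    key = (int(outer["TYPE"]), int(outer["CODE"]))
    out = {"icmp": key, "kind": ICMP_ERRORS.get(key, "icmp type %d code %d" % key),
           "reporter": outer.get("SRC"), "anomalies": []}
    if inner is None:
        return out
    out["original_dst"] = inner.get("DST")
    out["original_dport"] = int(inner.get("DPT", 0))
    # The error is generated by the hop that dropped the packet, so the sender
    # of the ICMP message is normally not the host the packet was addressed to.
    out["reporter_is_intermediate"] = outer.get("SRC") != inner.get("DST")
    flags = inner["FLAGS"]
    if {"SYN", "FIN"} <= flags:
        out["anomalies"].append("SYN and FIN both set: no normal TCP stack sends this combination")
    if {"SYN", "ACK"} <= flags:
        out["anomalies"].append("SYN and ACK both set: only a listener answering a SYN sends this, not a client opening a connection")
    if inner.get("PROTO") == "TCP" and not flags:
        out["anomalies"].append("no TCP flags at all: a real segment carries at least SYN, ACK or RST")
    if inner.get("RES", "0x00") != "0x00":
        out["anomalies"].append("reserved TCP bits set (RES=%s)" % inner["RES"])
    return out


def batch_anomalies(lines):
    """Cross-line check: the same IP ID on several quoted packets to one
    destination is not how a stack numbers successive packets, which hints
    that the quoted headers were not really produced by this host."""
    ids = Counter()
    for line in lines:
        inner = parse_line(line)["inner"]
        if inner and "ID" in inner:
            ids[inner["ID"]] += 1
    return [ip_id for ip_id, n in ids.items() if n > 1]


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(analyse(sample))
    print("repeated quoted IP IDs:", batch_anomalies(SAMPLE_LINES))
```

Run on the lines from the post, the first entry comes out as "destination unreachable: host" reported by 152.63.18.61 for a packet addressed to 194.105.231.69, with the quoted SYN+ACK and RES=0x22 flagged; the single February 2 entry is "time exceeded: TTL expired in transit" with SYN+FIN flagged; and the repeated quoted IP ID 61154 across the type 3 entries is reported by the batch check. None of that identifies who sent what, but it is the set of facts to weigh before concluding that the host itself scanned anything.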