Strange ICMP Packets - Firewall Log

11 Feb 2002

      ...
From what I know an ICMP packet of type 3 is usually sent when the TTL
expires when attempting to deliver another packet. So it looks to me like as
if my computer has contacted 194.105.231.69 on the ports 6,18,22,23, ...
(maybe a port-scan?) and 152.63.18.61 replied to me using a type 3 icmp
Hi all:

When I looked into my firewall (iptables) log today, I saw the following
entries:

Feb 10 23:06:19 tux kernel: IN=eth0 OUT= MAC=XXX SRC=152.63.18.61 DST=XXX
LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=XXX
DST=194.105.231.69 LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=61154 PROTO=TCP
SPT=1046 DPT=5 WINDOW=20438 RES=0x22 ACK SYN URGP=0 ]
Feb 10 23:06:19 tux kernel: IN=eth0 OUT= MAC=XXX SRC=152.63.18.61 DST=XXX
LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=XXX
DST=194.105.231.69 LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=61154 PROTO=TCP
SPT=1046 DPT=6 WINDOW=0 RES=0x00 URGP=0 ]
Feb 10 23:06:19 tux kernel: IN=eth0 OUT= MAC=XXX SRC=152.63.18.61 DST=XXX
LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=XXX
DST=194.105.231.69 LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=61154 PROTO=TCP
SPT=1046 DPT=18 WINDOW=0 RES=0x00 URGP=0 ]
Feb 10 23:06:19 tux kernel: IN=eth0 OUT= MAC=XXX SRC=152.63.18.61 DST=XXX
LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=XXX
DST=194.105.231.69 LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=61154 PROTO=TCP
SPT=1046 DPT=22 WINDOW=0 RES=0x00 URGP=0 ]
Feb 10 23:06:19 tux kernel: IN=eth0 OUT= MAC=XXX SRC=152.63.18.61 DST=XXX
LEN=56 TOS=0x00 PREC=0x00 TTL=238 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=XXX
DST=194.105.231.69 LEN=40 TOS=0x00 PREC=0x00 TTL=14 ID=61154 PROTO=TCP
SPT=1046 DPT=23 WINDOW=0 RES=0x00 URGP=0 ]

packet.
Oddly enough, no one was at the computer at the time and moreover, why
would - if my computer failed to contact 194.105.231.69 (which resolves to
santa.northpole.is) - 152.63.18.61 (who is known as
209.ATM5-0.IG2.NYC4.ALTER.NET) respond??

Some time ago I received this (single) packet:

Feb  2 23:19:44 tux kernel: IN=eth0 OUT= MAC=XXX SRC=194.204.175.147 DST=XXX
LEN=56 TOS=0x00 PREC=0x00 TTL=239 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX
DST=217.97.149.61 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=60314 PROTO=TCP
SPT=1134 DPT=115 WINDOW=16707 RES=0x31 SYN FIN URGP=0 ]

So 194.204.175.147 (z.war-r2.do.ols-r1.tpnet.pl) reported to me that my
computer was supposed to send a packets with SYN and FIN flags set to
217.97.149.61 (pokemon.hasz.eu.org - yay) on port 115 (layer 2 tunnel)?

Could someone shed some light on this??
Thank you for your time!

Strange ICMP Packets - Firewall Log

Michael Stern