On Mon, 15 Feb 1999, Joseph Favia Jr. wrote:
:Hello,
:
:I've received a report from one site that their firewall (FW-1) is
:receiving an ICMP packet every minute from the same external address. The
:packet is of type 11 code 0, which should correspond to:
:
: type 11 = TIME EXCEEDED (0 : TTL=0 during transmit , 1 : TTL=0 during
:reassembly)
Another thing to look for would be RIP as the 1 minute interval
corresponds to a default RIP update timer. If your internal routes
have leaked out, or the same route (say 10/8) is routed inside
the AS you are in, the route could have timed out (90 sec after
route becomes unreachable) and its metric has been set to infinity,
and thus attempts to reach it would result in an infinite hop count.
I believe this would cause time_exceeded messages also. Contact your
ISP and if the remote site is a customer, have the ISP contact them
and I believe your problem will be solved.
It would be helpful to know how many hops away the source of
the packets is, and whether they are connected to the same ISP
as you are. Also, using a sniffer, finding all traffic to and
from that source would offer some clues as to what is
causing it. There may be legitimate traffic via one of your
proxies and the only thing being denied is the ICMP traffic.
Don't immediately rule out an attack, but my friend Paul once said
that any sufficiently advanced stupidity is indistinguishable from
malice. ;)
-j
--
jamie.reid
Chief Reverse Engineer
Superficial Intelligence Research Division
Defective Technologies
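Added example, not part of the thread: a small Python decoder for an ICMP Time Exceeded message. Per RFC 792 the message quotes the IP header and first 8 bytes of the datagram that expired, so it reveals which of your own flows (source, destination, ports) is eliciting the packets, which is the sniffer question raised above. All addresses and the packet bytes are constructed, checksums are not validated, and the periodicity helper is an assumption of how one might confirm the "every minute" pattern.

```python
import struct
from ipaddress import IPv4Address

def parse_ipv4(buf):
    """Return the IPv4 header fields needed here (checksum is not validated)."""
    vihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"ihl": (vihl & 0x0F) * 4, "ttl": ttl, "proto": proto,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst))}

def parse_time_exceeded(pkt):
    """Decode ICMP Time Exceeded (type 11) plus the original datagram it quotes.
    Returns None when pkt is not an ICMP type 11 message."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != 1:                 # IP protocol 1 = ICMP
        return None
    icmp = pkt[outer["ihl"]:]
    itype, code, _csum = struct.unpack("!BBH", icmp[:4])
    if itype != 11:
        return None
    inner_buf = icmp[8:]                    # RFC 792: quoted IP header + 8 data bytes
    inner = parse_ipv4(inner_buf)
    l4 = inner_buf[inner["ihl"]:inner["ihl"] + 8]
    sport, dport = struct.unpack("!HH", l4[:4])   # first 8 bytes hold ports for TCP/UDP
    return {"reporter": outer["src"], "code": code,
            "orig_src": inner["src"], "orig_dst": inner["dst"],
            "orig_proto": inner["proto"], "sport": sport, "dport": dport}

def is_periodic(timestamps, period=60.0, tol=2.0):
    """True when every gap between successive arrivals is within tol of period."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return bool(gaps) and all(abs(g - period) <= tol for g in gaps)

def build_ipv4(src, dst, proto, ttl, payload):
    """Build a minimal IPv4 datagram (checksum left zero; constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

# Constructed sample: router 203.0.113.7 reports that a UDP datagram sent by our
# firewall 198.51.100.2 toward 10.0.0.5 (a private destination) expired in transit.
INNER = build_ipv4("198.51.100.2", "10.0.0.5", 17, 1,
                   struct.pack("!HHHH", 40000, 53, 8, 0))
SAMPLE = build_ipv4("203.0.113.7", "198.51.100.2", 1, 250,
                    struct.pack("!BBHI", 11, 0, 0, 0) + INNER[:28])

if __name__ == "__main__":
    print(parse_time_exceeded(SAMPLE))
```

If the quoted destination is a private prefix such as 10/8, that supports the leaked-route explanation in the reply; a real destination with real ports points to a proxy flow whose ICMP replies are simply being dropped.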