> -----Original Message-----
> From: John Stewart [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 30 November 1999 7:37 AM
> To: dayton
>
> You may want to review these:
>
> CERT (http://www.cert.org/incident_notes/IN-99-07.html) and
> SANS (http://www.sans.org/newlook/resources/flashadv.htm)

Alternatively, you could find something that has a vague relation to the
problem you're experiencing.

For those who don't have the time or inclination to read CERT or SANS
anymore, the first advisory relates to some distributed DoS tools and ways
to detect them. It is actually pretty interesting - thanks John. The second
is a description of ICMP ECHO_REPLY inverse mapping (mapping on
HOST-UNREACHABLEs) scans.

>
> dayton wrote:
> >
> > Okay recently I have had a large number of ICMP Port
> > Unreachables from a single host to our complete subnet,
> > especially to IP Addresses with no hosts.
> >
> > Any Ideas of this?

I can't think of a single useful thing that anyone could gain by sending you
ICMP port unreachables. It's not going to help with scanning, because the
spec says that you don't send anything in response to ICMP error msgs, even
if they're aimed at hosts that don't exist. This was a design decision to
avoid the horror of ICMP Type 3 Ping Pong.

It's hardly going to be a DoS because it doesn't take any time to drop 'em
at the perimeter.

In short, my first reaction would be that someone is a moron. My standard
paranoic response, however, is to check the packet body to see if they
contain any commands or suspicious looking data - there could be a Bad Thing
out there that uses a trojan which listens for ICMP errors as the activation
signal.

Cheers,
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
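
The packet-body check suggested in the message above, as an added example that is not part of the original message or its author's code: it compares the body of an ICMP port unreachable against what RFC 792 says it should quote (the original IP header plus 8 bytes) and reports anything that deviates. The function names are hypothetical, the input is assumed to be the ICMP message with the outer IP header already stripped, and the sample packets are constructed with documentation addresses.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 over a message with a valid checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def inspect_port_unreachable(icmp: bytes, outer_dst: str) -> list[str]:
    """Findings for one ICMP message (the bytes after the outer IP header)."""
    if len(icmp) < 8 or icmp[0] != 3 or icmp[1] != 3:
        return ["not an ICMP port unreachable (type 3, code 3)"]
    findings = []
    if inet_checksum(icmp) != 0:
        findings.append("bad ICMP checksum")
    quoted = icmp[8:]  # RFC 792: original IP header + first 8 bytes of its payload
    if len(quoted) < 20 or quoted[0] >> 4 != 4 or (quoted[0] & 0x0F) < 5:
        return findings + ["body does not start with an IPv4 header"]
    ihl = (quoted[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(quoted[12:16]))
    if src != outer_dst:  # the error should quote a datagram this host sent
        findings.append(f"quoted source {src} is not the recipient {outer_dst}")
    if quoted[9] not in (6, 17):
        findings.append(f"quoted protocol {quoted[9]} has no ports")
    extra = quoted[ihl + 8:]  # longer quotes are legal (RFC 1812): review, don't assume
    if extra:
        findings.append(f"{len(extra)} bytes past header+8: {extra[:32]!r}")
    return findings

def build_sample(src: str, dst: str, proto: int = 17, extra: bytes = b"") -> bytes:
    """Constructed test message: port unreachable quoting a datagram src -> dst."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    body = ip + struct.pack("!HHHH", 40000, 53, 8, 0) + extra
    head = struct.pack("!BBHI", 3, 3, 0, 0)
    return struct.pack("!BBHI", 3, 3, inet_checksum(head + body), 0) + body

if __name__ == "__main__":
    # Constructed samples using documentation addresses (RFC 5737).
    clean = build_sample("192.0.2.10", "198.51.100.7")
    odd = build_sample("192.0.2.99", "198.51.100.7", extra=b"marker-bytes")
    for name, pkt in (("clean", clean), ("odd", odd)):
        print(name, inspect_port_unreachable(pkt, "192.0.2.10") or "nothing unusual")
```

An empty list means the body looks like an ordinary quoted datagram; any finding marks a packet worth opening in a capture tool.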