For the last few days, my Bering firewall has been hit with ICMP/TCP traffic. There were TCP and UDP packets but the largest were TCP and ICMP INCOMPLETE messages:

Jan 21 03:49:33 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:a0:cc:d0:d8:6d:00:c0:73:06:48:50:08:00 SRC=212.143.43.49 DST=24.219.28.75 LEN=56 TOS=0x00 PREC=0x00 TTL=114 ID=41705 PROTO=ICMP TYPE=11 CODE=1 [SRC=24.219.28.75 DST=212.143.43.49 LEN=828 TOS=0x00 PREC=0x00 TTL=112 ID=0 MF PROTO=TCP INCOMPLETE [8 bytes] ]

They all started after this log message from Bering:

Jan 21 01:27:47 firewall root: The /etc/shorewall/pump script is called with arg renewal eth0 24.219.28.75
Jan 21 01:27:47 firewall root: shorewall restarted by pump.shorewall
Jan 21 01:27:48 firewall root: Shorewall Refreshed

Was my firewall the subject of a DOS attack? I've figured out that ICMP Type 11 is ICMP Time Exceeded. Through some research I found this article (http://www.networkmagazine.com/article/NMG20000829S0003) about ICMP attacks, so it seems plausible it was an attack.

I also have ZoneAlarm installed on my Windoze desktop to block certain programs from accessing the net, and it picked up ICMP Unreachable packets around the same time that aren't in my Bering logs. According to some other articles, ICMP Unreachable (type 3) can be used for DOS. Somebody even published source to write a program to create a DOS using ICMP Unreachable.

I am going to set up a file and print server using Samba soon, so I will need to shut down Zone Alarm. Should I be concerned about the ICMP Unreachable DOS?

Thanks for your input.

Minh
leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
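The log line quoted in the post packs two packets into one record: the outer ICMP message that was dropped, and, inside the square brackets, the header of the packet that the remote host says triggered the error. Reading both is what an analyst needs to decide whether the traffic is unsolicited or a reply to the firewall's own traffic. The parser below is an added example, not code from the post or from the LEAF/Shorewall project; it takes the post's line (plus one constructed TCP SYN line that is not from the post) and pulls out the outer fields, the quoted inner packet, the netfilter `INCOMPLETE [N bytes]` marker, and the RFC 792 meaning of the type/code pair. Type 11 code 1 is "fragment reassembly time exceeded", and the helper `quoted_packet_is_ours` checks whether the quoted packet's source is the firewall's own address, which is the first thing to look at before treating such messages as an attack.

```python
import re
from collections import Counter
from typing import Any, Dict, List, Optional

# Constructed sample input. The first line is the Shorewall log line quoted in
# the post; the second is a constructed TCP SYN drop (not from the post) so the
# non-ICMP path is exercised too. 192.0.2.10 is a documentation address.
SAMPLE_LINES: List[str] = [
    "Jan 21 03:49:33 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:a0:cc:d0:d8:6d:00:c0:73:06:48:50:08:00 SRC=212.143.43.49 DST=24.219.28.75 "
    "LEN=56 TOS=0x00 PREC=0x00 TTL=114 ID=41705 PROTO=ICMP TYPE=11 CODE=1 "
    "[SRC=24.219.28.75 DST=212.143.43.49 LEN=828 TOS=0x00 PREC=0x00 TTL=112 ID=0 MF "
    "PROTO=TCP INCOMPLETE [8 bytes] ]",
    "Jan 21 03:50:01 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:a0:cc:d0:d8:6d:00:c0:73:06:48:50:08:00 SRC=192.0.2.10 DST=24.219.28.75 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1234 DF PROTO=TCP SPT=4321 DPT=445 "
    "WINDOW=16384 RES=0x00 SYN URGP=0",
]

# ICMP type/code names from RFC 792 (only the ones relevant to the post).
ICMP_TYPES = {3: "destination unreachable", 8: "echo request", 11: "time exceeded"}
ICMP_CODES = {
    (3, 0): "net unreachable",
    (3, 1): "host unreachable",
    (3, 3): "port unreachable",
    (3, 4): "fragmentation needed and DF set",
    (11, 0): "TTL exceeded in transit",
    (11, 1): "fragment reassembly time exceeded",
}

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)
# netfilter tags a quoted inner packet it could not fully decode with this marker
INCOMPLETE_RE = re.compile(r"INCOMPLETE \[(\d+) bytes\]")


def parse_kv(text: str) -> Dict[str, Any]:
    """Turn 'K=V K2=V2 FLAG' tokens into a dict; bare tokens (MF, DF, SYN) become True."""
    fields: Dict[str, Any] = {}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            fields[tok] = True
    return fields


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one Shorewall/netfilter log line, including the bracketed packet
    header quoted inside an ICMP error message when one is present."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec: Dict[str, Any] = {k: m.group(k) for k in ("ts", "host", "chain", "action")}
    rest = m.group("rest")
    quoted: Optional[Dict[str, Any]] = None
    lb = rest.find("[")
    if lb != -1:
        inner_text = rest[lb + 1 : rest.rfind("]")]
        rest = rest[:lb]
        inc = INCOMPLETE_RE.search(inner_text)
        if inc:  # strip the nested "[8 bytes]" before tokenising the inner header
            inner_text = inner_text[: inc.start()] + inner_text[inc.end():]
        quoted = parse_kv(inner_text)
        quoted["truncated_to_bytes"] = int(inc.group(1)) if inc else None
    rec["packet"] = parse_kv(rest)
    rec["quoted_packet"] = quoted
    return rec


def describe_icmp(rec: Dict[str, Any]) -> Optional[str]:
    """Human-readable ICMP type/code, or None for non-ICMP records."""
    pkt = rec["packet"]
    if pkt.get("PROTO") != "ICMP":
        return None
    t, c = int(pkt["TYPE"]), int(pkt.get("CODE", "0"))
    type_name = ICMP_TYPES.get(t, "type %d" % t)
    code_name = ICMP_CODES.get((t, c), "code %d" % c)
    return "%s: %s" % (type_name, code_name)


def quoted_packet_is_ours(rec: Dict[str, Any]) -> bool:
    """True when the ICMP error quotes a packet whose source is this firewall's
    own address (outer DST == inner SRC): the remote host is reporting on
    traffic that originated here rather than sending an unrelated error."""
    q = rec.get("quoted_packet")
    return bool(q) and q.get("SRC") == rec["packet"].get("DST")


def count_by_source(records: List[Dict[str, Any]]) -> Counter:
    """Drops per (SRC, PROTO, TYPE, CODE): shows whether one host dominates the
    log, which is the first check before calling a burst of ICMP a DoS."""
    ctr: Counter = Counter()
    for r in records:
        p = r["packet"]
        ctr[(p.get("SRC"), p.get("PROTO"), p.get("TYPE"), p.get("CODE"))] += 1
    return ctr


if __name__ == "__main__":
    recs = [r for r in (parse_line(line) for line in SAMPLE_LINES) if r]
    for r in recs:
        print(r["ts"], r["packet"]["SRC"], describe_icmp(r),
              "quoted packet is ours:", quoted_packet_is_ours(r))
    print(count_by_source(recs))
```

Run over a real `/var/log/messages`, `count_by_source` answers the volume question (how many sources, how many messages per source), and `quoted_packet_is_ours` together with the inner `MF` flag and `ID` tell you whether a type 11 code 1 message refers to a fragmented packet that left your own address, which is a different situation from unsolicited ICMP arriving from many hosts.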