
 

Welcome to the Virus.Org Mailing List Archive




Re: spoofed ICMP 3/1's - what is the tool or goal here?

  • To: [EMAIL PROTECTED]
  • Subject: Re: spoofed ICMP 3/1's - what is the tool or goal here?
  • From: Erik Fichtner <[EMAIL PROTECTED]>
  • Date: Sun, 14 Jan 2001 23:14:30 +0100
  • In-reply-to: <[EMAIL PROTECTED]>
 
On Sun, Jan 14, 2001 at 02:50:51PM -0600, slim bones wrote:
> Although that's annoying, it's not going to hurt anything.  Whoever's
> doing it can't gain any information from this activity.  By itself it's
> not a threat.  However, it could be intended as a distraction from other
> activity against your net.

It might also be fallout from someone spoofing your addresses to probe or
DoS the "BAD.GUY.NET.NODE" network..     You might want to capture some of
those packets with a sniffer and decode the payload of the icmp error.
That will give you a clue as to what packet caused the remote end to emit
an icmp 3/1 host unreachable..

> > Jan  5 01:04:46 icmp BAD.GUY.NET.NODE -> my.net.76.19 (3/1), 119 packets
> > Jan  5 01:05:00 icmp BAD.GUY.NET.NODE -> my.net.92.8 (3/1), 1 packet
> > Jan  5 01:05:09 icmp BAD.GUY.NET.NODE -> my.net.185.13 (3/1), 1 packet

--
                        Erik Fichtner; Unix Ronin
                    http://www.obfuscation.org/techs/
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself.  Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw
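
The decoding step suggested in the message above, as an added example that is not part of the original post: it reads a captured ICMP type 3 error and returns the header of the quoted packet that triggered it. All function names and the sample packet (documentation addresses, constructed in the code) are assumptions made for illustration.

```python
import ipaddress
import struct

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_ipv4(buf):
    """Split an IPv4 packet into (header fields, payload); ValueError if malformed."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto = buf[0], buf[9]
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, options included
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a valid IPv4 header")
    src, dst = (str(ipaddress.IPv4Address(buf[o:o + 4])) for o in (12, 16))
    return {"src": src, "dst": dst, "proto": proto}, buf[ihl:]

def decode_icmp_unreachable(packet):
    """Return the packet quoted inside an ICMP type 3 error (RFC 792)."""
    outer, icmp = parse_ipv4(packet)
    if outer["proto"] != 1 or len(icmp) < 8 or icmp[0] != 3:
        raise ValueError("not an ICMP destination-unreachable message")
    inner, l4 = parse_ipv4(icmp[8:])    # quoted header follows the 8-byte ICMP header
    info = {"reporter": outer["src"], "code": icmp[1],
            "orig_src": inner["src"], "orig_dst": inner["dst"],
            "orig_proto": PROTO_NAMES.get(inner["proto"], str(inner["proto"])),
            # True when the quoted packet claims the address that received the error
            "src_is_recipient": inner["src"] == outer["dst"]}
    if inner["proto"] in (6, 17) and len(l4) >= 4:   # TCP/UDP ports are the first 4 bytes
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", l4[:4])
    return info

def build_ipv4(src, dst, proto, payload):
    """Constructed sample data only: minimal header, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def sample_packet():
    """Constructed 3/1 error quoting a TCP packet sourced from 192.0.2.19."""
    quoted = build_ipv4("192.0.2.19", "198.51.100.77", 6, struct.pack("!HHI", 40000, 80, 0))
    return build_ipv4("198.51.100.1", "192.0.2.19", 1, struct.pack("!BBHI", 3, 1, 0, 0) + quoted)

if __name__ == "__main__":
    print(decode_icmp_unreachable(sample_packet()))
```

Comparing orig_dst, orig_proto and the ports against your own outbound logs shows whether your hosts really sent the quoted packet or whether your addresses appear as a source in traffic you never generated.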







 