Virus.Org Mailing List Archive


Re: spoofed ICMP 3/1's - what is the tool or goal here?

  • To: [EMAIL PROTECTED]
  • Subject: Re: spoofed ICMP 3/1's - what is the tool or goal here?
  • From: slim bones <[EMAIL PROTECTED]>
  • Date: Tue, 16 Jan 2001 01:51:08 +0100
  • In-reply-to: <[EMAIL PROTECTED]>
> From: Erik Fichtner <[EMAIL PROTECTED]>
> It might also be fallout from someone spoofing your addresses to probe or
> DoS the "BAD.GUY.NET.NODE" network..     You might want to capture some of
> those packets with a sniffer and decode the payload of the icmp error.
> That will give you a clue as to what packet caused the remote end to emit
> an icmp 3/1 host unreachable..

Both of these explanations are more likely than having someone intentionally
distract you with this trace :-]  A packet capture is the way to go.  If you
get one, I'd like a peek -

Someone is probably using decoy addresses out of your IP space.  Using
decoys, a probe aimed at a nonexistent IP will cause host unreachables
to be sent to the decoys. [0]  Regarding DoS of the victim net, the host
unreachables would be generated when some of the DoS traffic can't make it
to its destination (because of the DoS attack).  And since they're spoofing
your address space, you get the ICMP errors.

As far as a threat to your site goes, these are just annoyances unless this
traffic increases and eats up your bandwidth :-<

s.b

[0] An aside ... for a decoy probe of an IP that does exist there would
also be some other traffic coming to the decoys.  An nmap syn scan with
decoys will have the decoy systems seeing Syn-Acks and Rst-Acks from the
victim.  The decoy will also dole out a few RSTs of its own upon receiving
this traffic.

>
> > > Jan  5 01:04:46 icmp BAD.GUY.NET.NODE -> my.net.76.19 (3/1), 119 packets
> > > Jan  5 01:05:00 icmp BAD.GUY.NET.NODE -> my.net.92.8 (3/1), 1 packet
> > > Jan  5 01:05:09 icmp BAD.GUY.NET.NODE -> my.net.185.13 (3/1), 1 packet
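Erik's advice above is to capture the ICMP errors and decode their payload. As an added example (not part of this thread), here is a Python decoder that validates an IPv4 ICMP type 3 message and pulls out the quoted original datagram: its source (the decoy or spoofed address from your space), its destination (the host that was probed) and, for TCP/UDP, the ports. The sample packet is constructed inline and uses RFC 5737 documentation addresses in place of my.net and BAD.GUY.NET.NODE.

```python
import struct
import ipaddress

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a message with a valid checksum folds to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(buf: bytes):
    """Return (src, dst, protocol, header length) from an IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return src, dst, buf[9], ihl

def decode_icmp_unreachable(packet: bytes) -> dict:
    """Decode an IPv4 ICMP type 3 message and the quoted original datagram
    (inner IP header + first 8 bytes) that made the remote end emit it."""
    src, dst, proto, ihl = parse_ipv4(packet)
    if proto != 1:
        raise ValueError("not ICMP")
    icmp = packet[ihl:]
    itype, code = icmp[0], icmp[1]
    if itype != 3 or checksum(icmp) != 0:
        raise ValueError("not a valid ICMP destination unreachable")
    isrc, idst, iproto, iihl = parse_ipv4(icmp[8:])
    out = {"reporter": src, "reported_to": dst, "code": code,
           "orig_src": isrc, "orig_dst": idst, "orig_proto": iproto}
    if iproto in (6, 17):  # TCP/UDP: ports sit in the quoted first 8 bytes
        ports = struct.unpack("!HH", icmp[8 + iihl:12 + iihl])
        out["orig_sport"], out["orig_dport"] = ports
    return out

def build_sample() -> bytes:
    """Constructed packet (RFC 5737 addresses): a router reports host unreachable
    (3/1) to a decoy address that never sent the quoted SYN to port 80."""
    ip4 = lambda s: ipaddress.IPv4Address(s).packed
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                        ip4("192.0.2.19"), ip4("198.51.100.250"))
    inner += struct.pack("!HHI", 40123, 80, 0xDEADBEEF)  # sport, dport, seq
    body = struct.pack("!BBHI", 3, 1, 0, 0) + inner
    icmp = struct.pack("!BBHI", 3, 1, checksum(body), 0) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 250, 1, 0,
                        ip4("198.51.100.1"), ip4("192.0.2.19"))
    return outer + icmp
```

Checking the quoted source and destination/port against your own outbound flow records is what separates backscatter from spoofed or decoy traffic (no host of yours ever sent that SYN) from an error about a connection you really did initiate.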

Copyright (c) Virus.Org 1997-2006.