ICMP 3 & 11 incoming but no outgoing traffic

I'm seeing ICMP 3 and 11 messages from locations to which there was no traffic from the server. Most are from China (219.158.x.x, 221.13.x.x) but also from Italy and Austria. Any idea why this would be happening?

Thanks, nf

nutso fasst

Perhaps someone is scanning those networks with the spoofed source address of your box. This can be done e.g. with a technique named idlescan.

Perhaps some other sort of spoofing attack is done with your IP as the spoofed source address.

Yours, VB.

Volker Birk

You'd have to look at the contents of the ICMP packets, but ICMP type 11 (Time Exceeded) is normally associated with traceroute. As such, they might occur about a second apart, three from each address. ICMP type 3 is a 'Destination Unreachable', but you'd have to look at the code number to see how. If associated with type 11s, I'd expect to see type 3 code 3 from a UNIX based traceroute, and type 3 code 1 (and possibly code 0) from a firewalled setup, or the results of a windoze TRACERT.

If you are positive that no one is using traceroute/TRACERT from your network, someone outside is spoofing your address as the source, and about all you can do is ignore the crap. RFC0792 states that

To avoid the infinite regress of messages about messages etc., no ICMP messages are sent about ICMP messages.

so you can't even inform the remote host that it is being DOSed.

Old guy

Moe Trin
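Moe Trin's advice above (look at the contents of the ICMP packets and at the code number) can be done programmatically. The following is an added example, not code from anyone in this thread: it decodes a raw ICMPv4 type 3 or type 11 message, verifies the ICMP checksum, names the code, and extracts the quoted original datagram that RFC 792 places after the ICMP header, so a reader can see which packet the remote router claims our host sent. If that quoted source is our address but our outbound logs show no such probe, the address was spoofed by a third party. The addresses 203.0.113.5, 219.158.0.1 and 219.158.0.9, the UDP ports, and the `our_ip` parameter are all constructed for the example.

```python
import struct
import ipaddress

ICMP_TYPES = {3: "Destination Unreachable", 11: "Time Exceeded"}
CODE_NAMES = {
    3: {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed", 9: "net admin prohibited",
        10: "host admin prohibited", 13: "communication admin prohibited"},
    11: {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"},
}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def decode_icmp_error(packet: bytes, our_ip: str) -> dict:
    """Decode an IPv4 packet carrying an ICMP type 3 or 11 error message."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("outer protocol is not ICMP")
    icmp = packet[ihl:]
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in ICMP_TYPES:
        raise ValueError("only types 3 and 11 are decoded here")
    # RFC 792: after the 8-byte ICMP header comes the IP header of the datagram
    # that triggered the error plus the first 8 bytes of its payload (the L4 ports).
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_proto = inner[9]
    sport = dport = None
    if inner_proto in (6, 17) and len(inner) >= inner_ihl + 4:
        sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    inner_src = str(ipaddress.IPv4Address(inner[12:16]))
    return {
        "from": str(ipaddress.IPv4Address(packet[12:16])),
        "type": icmp_type, "type_name": ICMP_TYPES[icmp_type],
        "code": icmp_code, "code_name": CODE_NAMES[icmp_type].get(icmp_code, "unknown"),
        "checksum_ok": inet_checksum(icmp) == 0,
        "quoted_src": inner_src,
        "quoted_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "quoted_ttl": inner[8],
        "quoted_proto": PROTO_NAMES.get(inner_proto, str(inner_proto)),
        "quoted_sport": sport, "quoted_dport": dport,
        # True means the router claims *we* sent the quoted datagram; if our own
        # outbound records show no such packet, our address was spoofed elsewhere.
        "quoted_src_is_ours": inner_src == our_ip,
    }


def build_sample(icmp_type: int, icmp_code: int,
                 our_ip: str = "203.0.113.5", router: str = "219.158.0.1") -> bytes:
    """Constructed sample: a router reports an error about a traceroute-style UDP
    probe that appears to come from our_ip.  All addresses and ports are made up."""
    quoted = ipv4_header(our_ip, "219.158.0.9", 17, 20 + 8 + 32, ttl=1)
    quoted += struct.pack("!HHHH", 40000, 33435, 40, 0)          # UDP header, checksum 0
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, our_ip, 1, 20 + len(icmp)) + icmp


if __name__ == "__main__":
    for t, c in ((11, 0), (3, 3)):
        print(decode_icmp_error(build_sample(t, c), our_ip="203.0.113.5"))
```

Feed `decode_icmp_error` the raw bytes of a captured packet (for example from a pcap taken with tcpdump) and compare `quoted_src`, `quoted_dst` and `quoted_dport` against what the host actually sent; a traceroute run from the box shows a UDP probe to a high port with `quoted_ttl` of 1, while a spoofed probe shows up as "ours" with no matching outbound record.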

Thanks much for that URL. It doesn't seem likely to me that idlescan would produce an ICMP 11, but reading about defenses prompted me to look through a couple of log files where I found some interesting entries. I had a bunch of hits on 139 and 445 from a 192.168.x.x IP, and a lone hit on 80 from a 10.x.x.x IP. The hit on 80 didn't create an entry in my webserver log. And here I'd thought there were filters to keep private network requests from traversing the internet.

nf

nutso fasst

In article , nutso fasst wrote:
:I had a bunch of hits on 139 and 445 from a 192.168.x.x IP, and a lone hit on 80 from a 10.x.x.x IP. The hit on 80 didn't create an entry in my webserver log. And here I'd thought there were filters to keep private network requests from traversing the internet.

The RFC1918 standards say that networks shall not allow such traffic out of their local area... but in practice quite a number of sites do, some saying that it would "slow down traffic" to put access controls on outgoing traffic.

Walter Roberson
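The filtering Walter Roberson describes (RFC 1918 says private source addresses must not leave a site, and BCP 38 ingress filtering says packets arriving from outside must not claim an address inside your own prefix) is easy to audit after the fact. The following is an added example, not code from this thread: it scans netfilter-style firewall log lines seen on the external interface and lists the packets an ingress filter should have rejected. The log lines, the interface names eth0/eth1, the prefix 203.0.113.0/24 and every address in them are constructed; they mirror the 192.168.x.x hits on 139/445 and the 10.x.x.x hit on 80 mentioned above.

```python
import ipaddress
import re

# Source ranges that must never appear on packets arriving from the Internet:
# RFC 1918 private space, loopback, link-local and the "this network" block.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

# Fields of a netfilter LOG line; SPT/DPT are absent for ICMP.
LOG_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample lines in netfilter LOG style: two private-source hits on
# 139/445, a private-source hit on 80, one packet claiming our own prefix, one
# ordinary SMTP connection, one routed ICMP time-exceeded, and one internal packet.
SAMPLE_LOG = [
    "IN=eth0 OUT= SRC=192.168.1.5 DST=203.0.113.5 LEN=48 TTL=112 PROTO=TCP SPT=3011 DPT=139 SYN",
    "IN=eth0 OUT= SRC=192.168.1.5 DST=203.0.113.5 LEN=48 TTL=112 PROTO=TCP SPT=3012 DPT=445 SYN",
    "IN=eth0 OUT= SRC=10.4.4.4 DST=203.0.113.5 LEN=48 TTL=101 PROTO=TCP SPT=1522 DPT=80 SYN",
    "IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=48 TTL=64 PROTO=TCP SPT=4000 DPT=22 SYN",
    "IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.5 LEN=60 TTL=50 PROTO=TCP SPT=45002 DPT=25 SYN",
    "IN=eth0 OUT= SRC=219.158.0.1 DST=203.0.113.5 LEN=56 TTL=240 PROTO=ICMP TYPE=11 CODE=0",
    "IN=eth1 OUT= SRC=192.168.1.9 DST=192.168.1.1 LEN=48 TTL=64 PROTO=TCP SPT=5000 DPT=22 SYN",
]


def classify_source(src, our_prefixes):
    """Return why a source address is unacceptable on the outside interface, or 'routable'."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in NEVER_FROM_OUTSIDE):
        return "private-or-bogon"   # the sender's network should have dropped it on egress
    if any(addr in net for net in our_prefixes):
        return "claims-our-prefix"  # BCP 38: an outside packet cannot legitimately be "from us"
    return "routable"


def audit(lines, external_iface="eth0", our_prefixes=("203.0.113.0/24",)):
    """List packets on the external interface that an ingress filter should have
    rejected, as (src, proto, dst_port, reason) tuples."""
    ours = [ipaddress.ip_network(p) for p in our_prefixes]
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("iface") != external_iface:
            continue  # malformed line, or internal traffic where private sources are normal
        reason = classify_source(m.group("src"), ours)
        if reason != "routable":
            findings.append((m.group("src"), m.group("proto"), m.group("dpt"), reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("%-15s %-4s dport=%-5s %s" % f)
```

The ICMP time-exceeded from a routable address passes this check, as it should: the problem with those messages is not the outer source but the spoofed inner one, which is why the two checks are separate. The same classification, applied at a provider's edge to outbound packets instead of inbound ones, is the egress filter the post says many sites skip.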

Thanks. Apparently someone's spoofing, because the ICMP 11s are isolated events. I've been getting an 11 or 3 every few hours, most recently a 3 from Arab Emirates. Most are to IPs with no outbound traffic. My firewall doesn't give the code so I'm not sure how to get it. NetBIOS and tools aren't bound to the NIC. Seems it doesn't really matter anyway.

nf

nutso fasst

I suspect the plethora of forged-return-address mail from zombies slows traffic more, and it seems that ISPs who fail to filter traffic from obviously-phony IPs could be accessories to crime.

nf

nutso fasst

Sounds like it's down in the noise level - I'd just ignore it.

You don't mention what firewall, and/or what O/S. With any *nix, I'd use 'tcpdump -n -s 100 -v icmp' as a starting point.

A couple packets per hour is just noise - especially when there really isn't that much you can do about it.

Old guy

Moe Trin
