This morning I found some strange activity in my firewall logs (eth1 is our internal, trusted interface; we use all RFC1918 addresses on the internal I/F):

08/05 07:42:25 * 0 deny out eth1 icmp 152.201.116.255 204.167.22.152 3 3 (spoofed source address)
08/05 07:42:29 * 0 deny out eth1 icmp 152.201.116.255 204.167.22.48 3 3 (spoofed source address)
08/05 07:42:44 * 0 deny out eth1 icmp 152.201.116.255 199.72.55.80 3 3 (spoofed source address)

We do have users with the AOL Instant Messenger installed. I have looked up the source address -- it is: 98C974FF.ipt.aol.com

The destination addresses are owned by IDG International Publishing and NC Electric Membership Cooperation.

Now, I understand that ICMP 3 is destination host unreachable. So it would stand to reason that the three destination hosts at some point tried to access the AOL address. Our firewall is configured to allow no incoming traffic, so I don't see how these hosts could be on our internal network. We have a relatively small shop, and I don't think anyone would even know how to change their IP, let alone have a reason to.

So, is this something anyone else has seen? I have a suspicion that it is related to the AIM client, seeing that all three packets came from an AOL address space. (BTW, this particular area of space is where the AIM client connects.) Is this an indication that someone has 'broken' the AIM client?

I'd love any insight into this weirdness.

Thanks a lot,
Dan Lenhard
Systems Admin
[EMAIL PROTECTED]

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
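A small triage script for log lines of the shape quoted above, added here as an example and not part of the original post. It parses the field layout inferred from the three quoted lines (date, time, counter, action, direction, interface, protocol, source, destination, two numbers, optional reason), decodes ICMP type 3 codes using the names from RFC 792, and flags any entry on the trusted interface where neither endpoint is an RFC 1918 address, since such a packet can be neither a request from nor a reply to a host that lives behind that interface. The sample log is constructed from the quoted lines plus one made-up permitted TCP flow; the assumption that non-ICMP lines carry source/destination ports in the two trailing numbers, the interface name eth1 and the function names are mine.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the three quoted lines plus one made-up permitted
# TCP flow from an internal host (assumed: trailing numbers are ports for TCP).
SAMPLE_LOG = """\
08/05 07:42:25 * 0 deny out eth1 icmp 152.201.116.255 204.167.22.152 3 3 (spoofed source address)
08/05 07:42:29 * 0 deny out eth1 icmp 152.201.116.255 204.167.22.48 3 3 (spoofed source address)
08/05 07:42:44 * 0 deny out eth1 icmp 152.201.116.255 199.72.55.80 3 3 (spoofed source address)
08/05 07:43:01 * 0 permit out eth0 tcp 192.168.1.20 204.167.22.152 1034 80
"""

# Field layout inferred from the quoted lines (assumption):
# date time * counter action direction iface proto src dst n1 n2 [(reason)]
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \* \d+ (?P<action>\w+) (?P<direction>in|out) "
    r"(?P<iface>\S+) (?P<proto>\w+) (?P<src>[\d.]+) (?P<dst>[\d.]+) "
    r"(?P<n1>\d+) (?P<n2>\d+)(?: \((?P<reason>[^)]*)\))?$"
)

# RFC 1918 ranges; the post says only these are used on the trusted side.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP type 3 (destination unreachable) codes, names from RFC 792.
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
}

@dataclass
class LogEntry:
    timestamp: str
    action: str
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    n1: int   # ICMP type, or source port for TCP/UDP (assumption)
    n2: int   # ICMP code, or destination port for TCP/UDP (assumption)
    reason: Optional[str]

def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(
        timestamp=f"{m['date']} {m['time']}", action=m["action"],
        direction=m["direction"], iface=m["iface"], proto=m["proto"].lower(),
        src=m["src"], dst=m["dst"], n1=int(m["n1"]), n2=int(m["n2"]),
        reason=m["reason"],
    )

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def describe_icmp(entry: LogEntry) -> str:
    """Readable type/code text for an ICMP entry."""
    if entry.n1 == 3:
        return "destination unreachable / " + UNREACHABLE_CODES.get(entry.n2, f"code {entry.n2}")
    return f"type {entry.n1} code {entry.n2}"

def triage(log_text: str, trusted_iface: str = "eth1") -> List[dict]:
    """Flag entries on the trusted interface where neither endpoint is RFC 1918.

    Such a packet cannot be a request from, or a reply to, any host that is
    supposed to live behind that interface, which is the anomaly in the post.
    """
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e.iface != trusted_iface:
            continue
        if is_rfc1918(e.src) or is_rfc1918(e.dst):
            continue  # at least one internal endpoint: an ordinary flow
        findings.append({
            "timestamp": e.timestamp,
            "src": e.src,
            "dst": e.dst,
            "proto": e.proto,
            "detail": describe_icmp(e) if e.proto == "icmp" else f"ports {e.n1}->{e.n2}",
            "firewall_reason": e.reason,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the three ICMP lines are flagged and the permitted TCP flow is not, because its source is a 192.168.0.0/16 address. The `detail` field decodes type 3 / code 3 from the RFC 792 table, so each finding states exactly which unreachable message the firewall saw rather than just the raw numbers.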
