Would it be possible for these packets to actually be responses to someone
INTERNALLY doing one of these scans from inside, to someone outside, the
organization?
Just curious.
>From: Ben Nagy <[EMAIL PROTECTED]>
>To: "'John Stewart'" <[EMAIL PROTECTED]>, dayton
><[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: RE: Strange Occurance of ICMP's
>Date: Tue, 30 Nov 1999 10:48:17 +1030
>
>
> > -----Original Message-----
> > From: John Stewart [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, 30 November 1999 7:37 AM
> > To: dayton
> >
> > You may want to review these:
> >
> > CERT (http://www.cert.org/incident_notes/IN-99-07.html) and
> > SANS (http://www.sans.org/newlook/resources/flashadv.htm)
>
>Alternatively, you could find something that has a vague relation to the
>problem you're experiencing.
>
>For those who don't have the time or inclination to read CERT or SANS
>anymore, the first advisory relates to some distributed DoS tools and ways
>to detect them. It is actually pretty interesting - thanks John. The second
>is a description of ICMP ECHO_REPLY inverse mapping (mapping on
>HOST-UNREACHABLEs) scans.
>
> >
> > dayton wrote:
> > >
> > > Okay recently I have had a large number of ICMP Port
> > > Unreachables from a single host to our complete subnet,
> > > especially to IP Addresses with no hosts.
> > >
> > > Any Ideas of this?
>
>I can't think of a single useful thing that anyone could gain by sending you
>ICMP port unreachables. It's not going to help with scanning, because the
>spec says that you don't send anything in response to ICMP error msgs, even
>if they're aimed at hosts that don't exist. This was a design decision to
>avoid the horror of ICMP Type 3 Ping Pong.
>
>It's hardly going to be a DoS because it doesn't take any time to drop 'em
>at the perimeter.
>
>In short, my first reaction would be that someone is a moron. My standard
>paranoic response, however, is to check the packet body to see if they
>contain any commands or suspicious looking data - there could be a Bad Thing
>out there that uses a trojan which listens for ICMP errors as the activation
>signal.
>
>Cheers,
>
>--
>Ben Nagy
>Network Consultant, CPM&S Group of Companies
>PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
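The check both messages point at, as an added example that is not part of the original thread: it parses the datagram quoted inside an ICMP destination-unreachable to see whether the quoted source is one of your own addresses (a reply to traffic that left, or claimed to leave, your network) and whether the quote carries bytes beyond the IP header plus 8 bytes. The function names, the 192.0.2.0/24 network and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

def parse_ipv4(buf):
    """Return (header_len, protocol, src, dst) for an IPv4 header, or None."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    src = ipaddress.IPv4Address(buf[12:16])
    dst = ipaddress.IPv4Address(buf[16:20])
    return ihl, buf[9], src, dst

def analyze_unreachable(pkt, internal_net):
    """Inspect one raw IPv4 packet (bytes); findings for ICMP type 3, else None."""
    outer = parse_ipv4(pkt)
    if outer is None or outer[1] != 1 or len(pkt) < outer[0] + 8:
        return None
    ihl, _, sender, _ = outer
    icmp_type, icmp_code = pkt[ihl], pkt[ihl + 1]
    if icmp_type != 3:
        return None
    quoted = pkt[ihl + 8:]  # the offending datagram, as quoted by the sender
    inner = parse_ipv4(quoted)
    if inner is None:
        return {"code": icmp_code, "malformed_quote": True}
    q_ihl, q_proto, q_src, q_dst = inner
    l4 = quoted[q_ihl:q_ihl + 8]
    ports = struct.unpack("!HH", l4[:4]) if q_proto in (6, 17) and len(l4) >= 4 else None
    return {
        "code": icmp_code,
        "malformed_quote": False,
        # True: the sender believes one of our addresses sent it the packet.
        "quoted_src_internal": q_src in ipaddress.ip_network(internal_net),
        # A port unreachable comes from the target host itself.
        "quoted_dst_is_sender": q_dst == sender,
        "ports": ports,
        # RFC 792 quotes the IP header plus 8 bytes; many stacks quote more,
        # so extra bytes are a reason to look at the payload, not a verdict.
        "extra_bytes": max(0, len(quoted) - (q_ihl + 8)),
    }

def build_sample(sender, target, q_src, q_dst, sport, dport, extra=b""):
    """Constructed test packet: checksums are left at zero and not verified."""
    def ip(src, dst, proto, payload):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed) + payload
    quoted = ip(q_src, q_dst, 17, struct.pack("!HHHH", sport, dport, 8, 0)) + extra
    return ip(sender, target, 1, struct.pack("!BBHI", 3, 3, 0, 0) + quoted)
```
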