
Actually, it could have been an attempt to map the entire network.  Pinging the
broadcast address will elicit a response from all the systems currently up and
active on the network.  This is also the basis for a smurf attack -- ping the
broadcast address repeatedly using a spoofed source IP and the spoofed source
will get flooded with echo-replies, leading to a possible denial of service.

Cheers,

Dan

-------------------------------------------------------------------------------
Daniel R. (Dan) Dunn, EE
Sr. INFOSEC Engineer, GRC Int'l (an AT&T company)
OSD-ITD Firewall Administrator
p: 703-614-8086, ext 300

The opinions expressed by the author are entirely his own, and
do not reflect those of AT&T, GRCI, Inc., or their subsidiaries,
nor do they reflect policy, opinion, or endorsement by the
US Department of Defense or any of its agencies.

-------------- In Response to  --------------


From:     Joerg Major <[EMAIL PROTECTED]> on 06/23/2000 08:41 AM

To:  Majordomo fw-1-mailinglist <[EMAIL PROTECTED]>
cc:
Subject:  [FW1] RE: icmp-type8 icmp code 0




Hi Zinc,

that's typically a ping. The destination address is a bit confusing
because it is a broadcast address not a host IP address. Maybe there is a
misconfigured router or something like this. It should be dropped anyway.
icmp-type8 icmp code 0 means "echo reply"
Have a look at
http://www.networksorcery.com/enp/protocol/icmp.htm

Hope this helps.

---Joerg---


> Hi Checkpoint Gurus!
>
> I have a log in my firewall originally from:
>
> Source: srv1a.pal.va.es
> destination: x.w.y.255
> proto. : icmp
> rule : 17 (any any drop)
> s.port : none
> Description: icmp-type8 icmp code 0
>
> I had already checked this out below, but I still don't really quite
> understand what this guy is trying to do.
>
> ICMP TYPE NUMBERS
>
> The Internet Control Message Protocol (ICMP) has many messages that
> are identified by a "type" field.
>
> 8       Echo                                     [RFC792]
>
>   8     Echo                                     [RFC792]
>
>         Codes
>             0  No Code
>
>
> Please help me.
>
> Thank you.
>
> zinc
>


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
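
An added example, not part of the original thread: one way to flag echo requests aimed at a directed broadcast address in exported firewall log records. The record fields mirror the log entry quoted in the question; the subnet list, host names and sample records are constructed assumptions. It checks the destination against each subnet's real broadcast address, since an address ending in .255 is not always a broadcast and a broadcast does not always end in .255.

```python
import ipaddress
import re
from collections import Counter

# Assumption: subnets behind the firewall (private and documentation ranges).
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.1.0.0/23", "192.0.2.0/26", "198.51.100.0/24")]
DESC_RE = re.compile(r"icmp-type(\d+) icmp code (\d+)")

def broadcast_net(dst):
    """Return the local subnet whose directed broadcast is dst, else None."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:          # hostname or masked address such as x.w.y.255
        return None
    return next((n for n in LOCAL_NETS if addr == n.broadcast_address), None)

def find_broadcast_pings(records):
    """Yield (source, destination, subnet) for echo requests to a broadcast."""
    for entry in records:
        m = DESC_RE.fullmatch(entry["description"].strip())
        if entry["proto"] != "icmp" or m is None:
            continue
        if (int(m.group(1)), int(m.group(2))) != (8, 0):   # echo request only
            continue
        net = broadcast_net(entry["destination"])
        if net is not None:
            yield entry["source"], entry["destination"], net

def count_by_source(records):
    """Repeated hits from one source are the pattern worth alerting on."""
    return Counter(src for src, _, _ in find_broadcast_pings(records))

def rec(source, destination, description, proto="icmp"):
    return {"source": source, "destination": destination,
            "proto": proto, "description": description}

# Constructed sample records, not taken from any real log.
SAMPLE = [
    rec("host-a.example", "198.51.100.255", "icmp-type8 icmp code 0"),
    rec("host-a.example", "192.0.2.63", "icmp-type8 icmp code 0"),   # /26 broadcast
    rec("host-b.example", "10.1.0.255", "icmp-type8 icmp code 0"),   # host in a /23
    rec("host-b.example", "10.1.1.255", "icmp-type8 icmp code 0"),   # /23 broadcast
    rec("host-c.example", "198.51.100.255", "icmp-type0 icmp code 0"),
    rec("host-c.example", "x.w.y.255", "icmp-type8 icmp code 0"),
]

if __name__ == "__main__":
    for src, dst, net in find_broadcast_pings(SAMPLE):
        print(f"{src} -> {dst} (broadcast of {net})")
    print(count_by_source(SAMPLE))
```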
