On Tue, 2002-10-15 at 08:15, Ray Olszewski wrote:
> At 07:24 AM 10/15/02 +0200, Jon Clausen wrote:
> >On Mon, Oct 14, 2002 at 03:16:57PM -0700, Ray Olszewski wrote:
> >
> > > >1)... dunno what to make of that,
> > >
> > > Me either. Please provide the full line for the blocked packet (as you did
> > > with the second example, below), not an uninterpretable fragment. This
> > > *could* just be icmp type 3, message 1 ("host unreachable"). Or it could be
> > > something else, since you don't tell us (for example) what the PROTO= value
> > > is.
> >
> >O.K. full log entry:
> >Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1
> >10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x0000 T=243 (#9)
> 
> OK. It's what I guessed above ... an icmp "host unreachable" message. 
> There's probably a secret decoder ring for this stuff online somewhere, but 
> I use a book. Here's the pieces:
> 
>          PROTO=1 protocol 1 is icmp
>          10.131.224.1:3  10.131.224.1 is the source IP, of course;
>                          the "port" is the icmp message type, 3=Destination unreachable
>          62.243.222.62:1 62.243.222.62 is the destination IP, as usual;
>                          the "port" is the icmp message code, 1=host unreachable
> 
> Without seeing the content of the packet (which does not get logged), we 
> have no way to know what host this is about. If there is some IP address 
> (or block of them) you are having trouble reaching, this may be why. Or, 
> since the source address is a private address, it may be that someone has 
> his internal network misconfigured in a somewhat bizarre fashion, and you 
> are getting icmp packets that are replying to someone else's connection 
> attempts. Or (let's be paranoid for a moment) someone else is spoofing your 
> external IP address as the source of some packets, and you are getting the 
> replies.

Or worse, a system on your LAN is infected with the ms-sql worm and
trying to propagate by scanning other hosts, of which most are
unreachable, and you get a lot of error messages naturally.

Or hopefully I'm way off :)


mvh
Ronny Aasen
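
The field-by-field decoding Ray walks through above, as an added example that is not part of the original thread: a small Python parser for this "Packet log:" line format that treats the two "port" slots as ICMP type and code when PROTO=1 and flags a private source address. The function and table names are made up for this example, and the ICMP names come from RFC 792.

```python
import ipaddress
import re

# RFC 792 names for ICMP values commonly seen in firewall logs.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo request", 11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed and DF set", 5: "source route failed"}

# Only the fields discussed in the thread are captured; the trailing
# L=/S=/I=/F=/T= values and the rule number are ignored.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def decode_packet_log(line):
    """Return a dict describing one 'Packet log:' entry, or None if it does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    try:
        src_private = ipaddress.ip_address(m["src"]).is_private
    except ValueError:          # e.g. "999.1.1.1" passes the regex but is not an address
        return None
    rec = {"chain": m["chain"], "action": m["action"], "iface": m["iface"],
           "proto": int(m["proto"]), "src": m["src"], "dst": m["dst"],
           # A private source address is the oddity noted in the thread.
           "src_private": src_private}
    first, second = int(m["sport"]), int(m["dport"])
    if rec["proto"] == 1:
        # For ICMP the two "port" slots carry the message type and code.
        rec["icmp_type"] = ICMP_TYPES.get(first, f"type {first}")
        codes = UNREACH_CODES if first == 3 else {}
        rec["icmp_code"] = codes.get(second, f"code {second}")
    else:
        rec["sport"], rec["dport"] = first, second
    return rec

# The log entry quoted in the thread, rejoined onto one line.
SAMPLE = ("Oct 14 14:46:06 skilderhus kernel: Packet log: input DENY eth0 PROTO=1 "
          "10.131.224.1:3 62.243.222.62:1 L=56 S=0x00 I=41957 F=0x0000 T=243 (#9)")

if __name__ == "__main__":
    print(decode_packet_log(SAMPLE))
```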




leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
