Re: Weird!

From: Jeff Davis (secfocus_at_clandavis.org)
Date: 07/07/04

    To: focus-linux@securityfocus.com
    Date: Tue, 06 Jul 2004 18:47:54 -0400


    On Tue, 2004-07-06 at 17:18, Kostas K wrote:
    > In-Reply-To: <20040706184555.B13533@planetcobalt.net>
    >
    > I am using emule specifically, so the src=xxx.xx.xxx.xxx sent me an ICMP 3-0 indicating that src=aa.aaa.aaa.aaa (which is my ip address) cannot access dst=192.168.1.100.
    >
    > I have a LAN (3 pcs), but why is this happening?
    >

    Just some possibilities:

    If you're certain that the stimulus is not originating from your
    net, then it's also possible, though unlikely, that someone is using
    your public IP as the source address of their SYN request. The ICMP
    reply would get routed to you even though you didn't send the SYN.

    There are a variety of reasons for doing this. One is to obfuscate an
    attacker's real source address in a cloud of fake source addresses. All
    of the packets get replies but only the one with the attacker's source
    address gets back to them. The others go "back" to their sources. This
    makes it harder to track down where a scan is coming from. Nmap has this
    functionality.

    The simpler explanation is that someone has a misconfigured gateway and
    is routing RFC1918 addresses onto the Internet.

    And the simplest explanation is that you are routing RFC1918 addresses
    onto the Internet. Of course, none of us has ever done that before.

    One way to test for this is to run tcpdump on your firewall and filter
    for "net 192.168.0.0/16 or icmp" on your outside interface. Anything
    getting out is a problem. Anything getting out and paired with ICMP
    replies is a probable culprit.

    Sorry if I'm being pedantic.

    Jeff

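The tcpdump check Jeff describes produces a stream of lines that still have to be read by eye: outbound packets to RFC1918 space are the leak, and each ICMP unreachable either pairs with one of those packets (our own stimulus) or with nothing we sent (a reply to a spoofed SYN, or an upstream misconfiguration, as discussed earlier in the message). The script below is an added example, not part of the original post, that performs that correlation over text captured with `tcpdump -n`. The public address `203.0.113.5`, the router `198.51.100.1` and the sample capture lines are constructed placeholders.

```python
"""Correlate RFC1918 leaks with ICMP unreachable replies in tcpdump output.

Input is the text tcpdump -n prints on the outside interface when run with
the filter "net 192.168.0.0/16 or icmp". The report separates:
  leaks       - packets we sent whose destination is an RFC1918 address
  paired      - ICMP unreachables that match a packet we sent (our fault)
  unsolicited - ICMP unreachables matching nothing we sent (spoofed source
                or a misrouting gateway somewhere upstream)
"""
import ipaddress
import re

# Only the three RFC1918 blocks; ipaddress.is_private is wider than that.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One tcpdump -n line: "HH:MM:SS.usec IP src[.port] > dst[.port]: rest"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
# Covers "ICMP net X unreachable", "ICMP host X unreachable" and
# "ICMP X udp port N unreachable"; X is the address the router rejected.
UNREACH_RE = re.compile(r"ICMP (?:net |host )?(?P<target>\d+\.\d+\.\d+\.\d+).*unreachable")


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def ts_seconds(ts):
    """'18:47:01.000100' -> seconds since midnight, for pairing within a window."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a record dict for a tcpdump line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": ts_seconds(m["ts"]), "src": m["src"], "dst": m["dst"],
           "kind": "other", "target": None}
    u = UNREACH_RE.match(m["rest"])
    if u:
        rec["kind"] = "unreach"
        rec["target"] = u["target"]
    return rec


def correlate(lines, our_ip, window=5.0):
    """Pair ICMP unreachables addressed to our_ip with packets our_ip sent."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    outbound = [r for r in records if r["src"] == our_ip and r["kind"] != "unreach"]
    leaks = [r for r in outbound if is_rfc1918(r["dst"])]
    paired, unsolicited = [], []
    for r in records:
        if r["kind"] != "unreach" or r["dst"] != our_ip:
            continue
        # A genuine reply to our own packet arrives shortly after we sent it.
        matched = any(o["dst"] == r["target"] and 0 <= r["ts"] - o["ts"] <= window
                      for o in outbound)
        (paired if matched else unsolicited).append(r)
    return {"leaks": leaks, "paired": paired, "unsolicited": unsolicited}


# Constructed capture: one leaked SYN that draws a net-unreachable, one
# unreachable for a host we never contacted, and one harmless outbound ping.
SAMPLE = """\
18:47:01.000100 IP 203.0.113.5.4662 > 192.168.1.100.4662: Flags [S], seq 1, win 65535, length 0
18:47:01.000900 IP 198.51.100.1 > 203.0.113.5: ICMP net 192.168.1.100 unreachable, length 36
18:47:03.200000 IP 198.51.100.1 > 203.0.113.5: ICMP net 192.168.1.200 unreachable, length 36
18:47:04.000000 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
"""

if __name__ == "__main__":
    report = correlate(SAMPLE.splitlines(), "203.0.113.5")
    for key, recs in report.items():
        print(key, [r["target"] or r["dst"] for r in recs])
```

On a real firewall, feed it `tcpdump -n -i <outside> 'net 192.168.0.0/16 or icmp' | python3 script.py` style input with your own public address; anything under `leaks` is the local misconfiguration Jeff mentions, while entries under `unsolicited` are the case where the stimulus did not come from your net.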