Re: Interesting fw log: "ICMP type 3 not embeddable"

From: Michael Heiming (michael+USENET@heiming.de)
Date: 06/16/02


From: Michael Heiming <michael+USENET@heiming.de>
Date: Sun, 16 Jun 2002 13:00:14 +0200

RainbowHat (<7TYXMKSI0YVW1112VWK0WHBYnHiATlE@blackhole.mit.edu>):

> < Michael Heiming
>
>>Jun 15 00:38:16 host kernel: invalid IN=ppp0 OUT= MAC=
>>SRC=217.89.16.115 DST=My.external.IP
>>LEN=56 TOS=0x00 PREC=0x00 TTL=56 ID=30304 PROTO=ICMP TYPE=3 CODE=3
>
> RFC760: Type 3 = destination unreachable, Code 3 = port
> unreachable
> 217.89.16.115 pD9591073.dip.t-dialin.net
> (DTAG-DIAL14) Deutsche Telekom AG

Yes, observed this, probably a dialup/DSL connection, however
logging stopped about 10h after it started. Long before I changed
my firewall, concerning invalid packets (added the --reject-with),
due to Ian's advice.

# LOG first: REJECT is a terminating target, and a rule takes only one -j
$IPTABLES -A invalid -j LOG --log-prefix "INVALID "
$IPTABLES -A invalid -j REJECT --reject-with icmp-port-unreachable

So I'm not sure if this really was the reason, I'll keep an eye on
it.
[..]

> Someone send source IP spoofed 172.20.10.1 TCP or UDP packet to
> your box. Your box did not log this incoming packet and REJECT the
> packet. The REJECT-ed ICMP 3 3 embedded TCP or UDP packet went to
> upper stream router of 217.89.16.115. The router was
> mis-implemented|configured and responded ICMP 3 embedded ICMP 3
> packet to your box. Your box logged this malformed packet and you
> observed it.

That's what I initially thought about the event too. Thx for
answering, looks like there're some more things to learn about
iptables...;-)

Michael Heiming

--
Remove the +SIGNS case mail bounces.
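
The nesting described in the quoted reply, as an added example that is not part of the original post: a Python check that parses a raw IPv4 packet and flags an ICMP error whose quoted datagram is itself an ICMP error. The packets are constructed (192.0.2.1 stands in for the redacted "My.external.IP"), the function names are hypothetical, and this is not the netfilter code that produced the log line.

```python
import socket
import struct

# ICMP error types (RFC 792); each quotes the IP header + 8 bytes of the offending datagram.
ICMP_ERRORS = {3, 4, 5, 11, 12}

def ip_hdr(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header for constructed samples (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icmp_hdr(icmp_type, code):
    """8-byte ICMP header (checksum and unused field left at 0)."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)

def classify(packet):
    """Say what an ICMP packet quotes; flag an ICMP error quoting an ICMP error."""
    if len(packet) < 20 or packet[9] != 1:      # byte 9 = IP protocol, 1 = ICMP
        return "not-icmp"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8:
        return "malformed"
    if packet[ihl] not in ICMP_ERRORS:
        return "icmp-query"
    inner = packet[ihl + 8:]                    # quoted datagram follows the ICMP header
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return "malformed-quote"
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner_ihl < 20 or len(inner) <= inner_ihl:
        return "malformed-quote"
    if inner[9] != 1:
        return "error-quoting-proto-%d" % inner[9]
    if inner[inner_ihl] in ICMP_ERRORS:
        return "error-quoting-icmp-error"       # the anomaly discussed in the thread
    return "error-quoting-icmp-query"

# Constructed samples; addresses other than BOX are the ones quoted in the thread.
BOX, PEER, SPOOFED = "192.0.2.1", "217.89.16.115", "172.20.10.1"
quoted_udp = ip_hdr(17, BOX, PEER, 8) + bytes(8)            # ordinary quoted UDP datagram
quoted_err = ip_hdr(1, BOX, SPOOFED, 8) + icmp_hdr(3, 3)    # the box's own REJECT reply
normal = ip_hdr(1, PEER, BOX, 36) + icmp_hdr(3, 3) + quoted_udp
nested = ip_hdr(1, PEER, BOX, 36) + icmp_hdr(3, 3) + quoted_err

if __name__ == "__main__":
    for name, pkt in (("normal", normal), ("nested", nested)):
        print(name, len(pkt), classify(pkt))
```

Both constructed packets are 56 bytes (20 + 8 + 20 + 8), the same size as the LEN=56 in the logged line.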


