Re: New type of ICMP packets

From: Kerodo (loopback_at_localhost.com)
Date: 10/26/05

• Next message: Duane Arnold: "Re: Configuring firewall to allow remote administrator"
• Previous message: Duane Arnold: "Re: How do I connect two machines that are both behind seperate firewalls"
• In reply to: JC: "New type of ICMP packets"
• Next in thread: JC: "Re: New type of ICMP packets"
• Reply: JC: "Re: New type of ICMP packets"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 26 Oct 2005 00:43:24 -0700

On Tue, 25 Oct 2005 18:06:42 -0700, JC <jhoppyc@westnet.com.invalid> wrote:

> Hi,
>
> I am seeing a new type, to me, of ICMP packets arriving here. At first it was
> one site sending but now a few sites are sending these packets.
>
> The packets, as reported by my firewall, have the form:-
>
> Source:63.188.36.251, 1026, WAN -
> Destination: a.b.c.d, 6284, WAN -
> Type: 1026 -
>
> This sample comes from Sprint IP range but I am seeing them from other ranges as
> well.
>
> From the earlier discussion on Destination unreachable packets these are Type
> 1026 Code 6284. The type numbers seen are 1026 and 1027 but there is a wide
> variation in the code numbers and the forewall may be reporting the port number
> attacked.
>
> I couldn't see anything in either RFC 792 or 950 to explain them.
>
> The firewall is dropping them so I am safe from whatever is being tried on.
> However, I am interested in what they are and what is being attempted.
>
> Can anyone let me know what they are?

Are you sure you don't mean UDP packets to ports 1026 and 1027. This is very common, and is most likely just Windows Messenger spam.

-- 
Kerodo

---

• Next message: Duane Arnold: "Re: Configuring firewall to allow remote administrator"
• Previous message: Duane Arnold: "Re: How do I connect two machines that are both behind seperate firewalls"
• In reply to: JC: "New type of ICMP packets"
• Next in thread: JC: "Re: New type of ICMP packets"
• Reply: JC: "Re: New type of ICMP packets"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages New type of ICMP packets ... I am seeing a new type, to me, of ICMP packets arriving here. ... one site sending but now a few sites are sending these packets. ... Source:63.188.36.251, 1026, WAN - ... The firewall is dropping them so I am safe from whatever is being tried on. ... (comp.security.firewalls) Re: [opensuse] SuseFirewall IPv4 vs IPv6 ... # network security threats. ... # Opening ports for LAN services in the external zone defeats the ... # this setting only works for packets destined for the local machine. ... # If the protocol is icmp then port is interpreted as icmp type ... (SuSE) Re: What is going on with my Dialup? ... also forward it to an unused port, and have that port provide the ... verses the RST or ICMP 3,3. ... The lack of response causes the remote computer to make ... Others think that by not responding to unwanted packets, ... (comp.os.linux.networking) Re: OT .. Road Warrior communications question ... The data on the Internet is sent in little packets. ... The packets addressed to port 80 ... Likewise, at the mail server receiving the packets, it knows the return ... Why would e-mail work on the web but not from your e-mail software? ... (alt.guitar.bass) Re: Logs: Many hits with source port of 80 ... The hits from source port 80 to dest port 37852 are IMHO almost ... you should probably see a couple other packets - perhaps ... packets if either you send the load balancer a packet, ... >>I have seen similar hits for the past three months. ... (Incidents)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.security.firewalls  > 2005-10