Re: UDP to port 1027



On Mon, 19 Jun 2006, in the Usenet newsgroup comp.security.firewalls, in
article <44968e0e.9607371@xxxxxxxxxxxxxx>, "GEO" Me@xxxxxxxxx wrote:

> Messenger ...'a "feature" that microsoft adopted more than fifteen
> years after the UNIX version, and as usual without bothering to look
> at the preceding experience' Interesting, I didn't know it had a
> history.

[compton ~]$ whatis talk talkd
talk (1) - talk to another user
talkd (8) - remote user communication server
[compton ~]$ grep talk /etc/services
talk 517/udp # BSD talkd(8)
ntalk 518/udp # SunOS talkd(8)
[compton ~]$

> I said ping because on the trace log of Trumpet I see a record such as:
>
> 1 IP 203.156.76.77 ->My address len 908 prot 17
> 0 IP My address ->203.156.76.77 len 56 prot 1
>
> and since I had not connected to this address I assumed that it must
> be a computer trying to do something to mine. Is it not a ping?

[compton ~]$ grep -wE '(1|17)' /etc/protocols
icmp 1 ICMP # internet control message protocol
udp 17 UDP # user datagram protocol
[compton ~]$

You probably don't have that file - go to
http://www.iana.org/assignments/protocol-numbers and discover that there
are about 140 different protocols that can be in an IP packet.

So, the log claims that some dial-up host on Jasmine Internet in Bangkok
Thailand sent a packet of 908 octets with a protocol of 17. Your host then
sent a packet to that host of protocol 1, which is ICMP - probably an ICMP
Type 3 Code 3 (Port Unreachable) because nothing is listening on the port
that the original packet was sent to.

Protocol 17 is UDP. Lessee, a len of 908... Probably a Security Bulletin
directing you to go to some spammers website where FOR ONLY US$29.95 plus
shipping and handling, you can get some software that installs spyware
for you.

Or was it the shorter message (with padding) that claims "STOP! WINDOWS
REQUIRES IMMEDIATE ATTENTION" and the next line says "Windows has found
$RANDOM_NUMBER Critical System Errors." (where $RANDOM_NUMBER is some value
between 50 and 125).

> "Ping of Death"? I better do some more reading before I move to Win
> 95 - probably after the next version of Windows comes out :))

I don't know if they ever fixed the problem in 95. Yeah, the l33t d00dZ
found it great fun to send an oversized ping to a windoze box on the net
and watch it curl up and die. That was a major reason that people began
blocking first ping, then all forms of ICMP.

Old guy
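
The reading of the two trace lines given in the reply above, as an added example (not code from the original post or from Trumpet): it decodes the `prot` field and pairs an inbound UDP datagram with the ICMP packet the local host sends back to the same peer. Assumptions: the line format is inferred from the two quoted lines, `len` is taken to be the total IP datagram length, and the function names are hypothetical.

```python
import re

# Subset of the IANA protocol-number registry that the thread mentions.
PROTO = {1: "ICMP", 17: "UDP"}

# Constructed sample in the format of the trace lines quoted in the post;
# "My address" is the poster's own redaction, kept as the local-host marker.
TRACE = """\
1 IP 203.156.76.77 ->My address len 908 prot 17
0 IP My address ->203.156.76.77 len 56 prot 1
"""

LINE = re.compile(r"^\d+ IP (.+?) ->(.+?) len (\d+) prot (\d+)$")
LOCAL = "My address"
# An ICMP error (RFC 792) quotes the offending IP header plus 8 octets:
# IPv4 header 20 (no options) + ICMP header 8 + quoted IPv4 header 20 + 8.
ICMP_ERROR_LEN = 20 + 8 + 20 + 8


def parse(trace):
    """Yield (src, dst, length, protocol number) for each trace line."""
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))


def unsolicited_udp(trace):
    """Pair inbound UDP with an outbound ICMP sent back to the same peer."""
    pending, findings = {}, []
    for src, dst, length, proto in parse(trace):
        if dst == LOCAL and proto == 17:
            pending[src] = length          # remember the unanswered UDP
        elif src == LOCAL and proto == 1 and dst in pending:
            findings.append({
                "peer": dst,
                "udp_len": pending.pop(dst),
                "reply": PROTO[proto],
                # Consistent with an ICMP error message, not proof of one.
                "len_matches_icmp_error": length == ICMP_ERROR_LEN,
            })
    return findings


if __name__ == "__main__":
    print(unsolicited_udp(TRACE))
```

The 56-octet reply in the quoted trace is exactly the size of an ICMP error that quotes an option-less IPv4 header and the first 8 octets of the UDP datagram, which fits the Port Unreachable reading rather than a ping.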