ICMP 3 & 11 incoming but no outgoing traffic

Guest
Archived from groups: comp.security.firewalls

I'm seeing ICMP 3 and 11 messages from locations to which there was no
traffic from the server. Most are from China (219.158.x.x, 221.13.x.x) but
also from Italy and Austria. Any idea why this would be happening?

Thanks, nf
 
Guest

nutso fasst <no.replies@no.where> wrote:
> I'm seeing ICMP 3 and 11 messages from locations to which there was no
> traffic from the server. Most are from China (219.158.x.x, 221.13.x.x) but
> also from Italy and Austria. Any idea why this would be happening?

Perhaps someone is scanning those networks with the spoofed source
address of your box. This can be done e.g. with a technique named
idlescan, see http://www.insecure.org/nmap/idlescan.html

Perhaps, some other sort of spoofing attack is done with your IP as
the spoofed source address.

Yours,
VB.
--
"It cannot be that the frustrated people in Rome determine what happens in
German bedrooms".
Harald Schmidt on "World Youth Day"
 
Guest

"Volker Birk" <bumens@dingens.org> wrote in message
news:4327b67e@news.uni-ulm.de...
> Perhaps someone is scanning those networks with the spoofed source
> address of your box. This can be done e.g. with a technique named
> idlescan, see http://www.insecure.org/nmap/idlescan.html

Thanks much for that URL. It doesn't seem likely to me that idlescan would
produce an ICMP 11, but reading about defenses prompted me to look through a
couple of log files where I found some interesting entries. I had a bunch of
hits on 139 and 445 from a 192.168.x.x IP, and a lone hit on 80 from a
10.x.x.x IP. The hit on 80 didn't create an entry in my webserver log. And
here I'd thought there were filters to keep private network requests from
traversing the internet.

nf
 
Guest

In article <9y_Ve.1676$5n4.1032@newssvr29.news.prodigy.net>,
nutso fasst <no.replies@no.where> wrote:
:I had a bunch of
:hits on 139 and 445 from a 192.168.x.x IP, and a lone hit on 80 from a
:10.x.x.x IP. The hit on 80 didn't create an entry in my webserver log. And
:here I'd thought there were filters to keep private network requests from
:traversing the internet.

The RFC1918 standards say that networks shall not allow such traffic
out of their local area... but in practice quite a number of sites do,
some saying that it would "slow down traffic" to put access controls
on outgoing traffic.
--
This signature intentionally left... Oh, darn!
 
Guest

"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:dg9t63$e56$1@canopus.cc.umanitoba.ca...
> The RFC1918 standards say that networks shall not allow such traffic
> out of their local area... but in practice quite a number of sites do,
> some saying that it would "slow down traffic" to put access controls
> on outgoing traffic.

I suspect the plethora of forged-return-address mail from zombies slows
traffic more, and it seems that ISPs who fail to filter traffic from
obviously-phony IPs could be accessories to crime.

nf
 
Guest

In the Usenet newsgroup comp.security.firewalls, in article
<ci2We.2634$Ob2.243@newssvr12.news.prodigy.com>, nutso fasst wrote:

>Thanks. Apparently someone's spoofing, because the ICMP 11s are isolated
>events. I've been getting an 11 or 3 every few hours, most recently a 3 from
>Arab Emirates. Most are to IPs with no outbound traffic.

Sounds like it's down in the noise level - I'd just ignore it.

>My firewall doesn't give the code so I'm not sure how to get it. Netbios
>and tools aren't bound to the NIC.

You don't mention what firewall, and/or what O/S. With any *nix, I'd
use 'tcpdump -n -s 100 -v icmp' as a starting point.

>Seems it doesn't really matter anyway.

A couple packets per hour is just noise - especially when there really
isn't that much you can do about it.

Old guy
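
An added example, not code from any poster in this thread: ICMP type 3 and 11 errors quote the IP header and first 8 payload bytes of the datagram that triggered them (RFC 792), so a captured error can be checked against what the server really sent. The addresses are documentation ranges, and the function names and the `outbound_flows` set are assumptions made for illustration.

```python
import ipaddress
import struct

def parse_icmp_error(packet: bytes) -> dict:
    """Decode an IPv4 packet carrying ICMP type 3 or 11 plus the quoted
    header of the datagram that triggered it (RFC 792)."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        raise ValueError("not an IPv4 ICMP packet")
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[0] not in (3, 11):
        raise ValueError("not an ICMP type 3/11 error")
    inner = icmp[8:]          # quoted original IP header + first 8 payload bytes
    if len(inner) < 20:
        raise ValueError("quoted datagram truncated")
    l4 = inner[(inner[0] & 0x0F) * 4:]
    sport = dport = None
    if inner[9] in (6, 17) and len(l4) >= 4:  # TCP/UDP ports lead the payload
        sport, dport = struct.unpack("!HH", l4[:4])
    return {
        "reporter": str(ipaddress.IPv4Address(packet[12:16])),
        "type": icmp[0], "code": icmp[1],
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_proto": inner[9], "orig_sport": sport, "orig_dport": dport,
    }

def classify(info: dict, server_ip: str, outbound_flows: set) -> str:
    """outbound_flows holds (dst_ip, proto, dport) tuples the server really sent."""
    if info["orig_src"] != server_ip:
        return "not-ours"     # quoted packet never claimed our address
    key = (info["orig_dst"], info["orig_proto"], info["orig_dport"])
    return "expected" if key in outbound_flows else "backscatter"

def _ipv4(src, dst, proto, payload, ttl=64):
    # Constructed sample header; checksums are left at zero for brevity.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

# Constructed sample: a router at 198.51.100.1 reports TTL expiry for a TCP
# segment that claims to come from our server (192.0.2.10), port 40000 -> 80.
QUOTED = _ipv4("192.0.2.10", "203.0.113.77", 6, struct.pack("!HHI", 40000, 80, 1), ttl=1)
SAMPLE = _ipv4("198.51.100.1", "192.0.2.10", 1, struct.pack("!BBHI", 11, 0, 0, 0) + QUOTED)

if __name__ == "__main__":
    info = parse_icmp_error(SAMPLE)
    print(info, classify(info, "192.0.2.10", set()))
```

A "backscatter" result means the quoted packet carried the server's address as source but matches no logged outbound flow, which is consistent with the spoofing explanation given in the replies.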