ICMP

Guest
Archived from groups: microsoft.public.windowsnt.protocol.tcpip (More info?)

My firewall log reports an attack on vulnerability ICMP type 5 code 1 with a
LAN internal server as the source. Does anyone know what this is, what
causes it and how to prevent it?

Eirik
 
Guest

Eirik <bla@bla.bla> wrote:
> My firewall log reports an attack on vulnerability ICMP type 5 code 1
> with a LAN internal server as the source. Does anyone know what this
> is, what causes it and how to prevent it?
>
See http://www.iana.org/assignments/icmp-parameters

Type  Name                       Reference
----  -------------------------  ---------
[...]
5     Redirect                   [RFC792]

Codes
   0  Redirect Datagram for the Network (or subnet)
   1  Redirect Datagram for the Host
   2  Redirect Datagram for the Type of Service and Network
   3  Redirect Datagram for the Type of Service and Host
[...]

On many networks this traffic is to be expected. See e.g.
http://support.microsoft.com/?kbid=195686. So whether this is an attack or not
depends on the circumstances...

Have you got two routers on the LAN to which the firewall is attached? Is
the "LAN internal server" you refer to, one of them?
--
Alan J. McFarlane
http://homepage.ntlworld.com/alanjmcf/
Please follow-up in the newsgroup for the benefit of all.
 

geoff


On Wed, 21 Apr 2004 11:59:37 +0200, "Eirik" <bla@bla.bla> wrote:

>My firewall log reports an attack on vulnerability ICMP type 5 code 1 with a
>LAN internal server as the source. Does anyone know what this is, what
>causes it and how to prevent it?
>
>Eirik
>
>

This is a router trying to tell your host that a better route to your
destination can be found by sending the frames to a different router.
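
The replies above say a type 5 message is normally a router's route hint and that only the circumstances make it suspicious. The following is an added example, not part of the original thread: it decodes a Redirect per RFC 792 and applies the two acceptance checks from RFC 1122 section 3.2.2.2. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_redirect(icmp: bytes) -> dict:
    """Decode ICMP type 5 (RFC 792): code, new gateway, embedded IP header."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short for a Redirect with an embedded IP header")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 5:
        raise ValueError(f"not a Redirect (type {icmp_type})")
    inner = icmp[8:]  # header of the datagram that triggered the redirect
    return {
        "code": code,
        "checksum_ok": inet_checksum(icmp) == 0,  # valid message sums to zero
        "new_gateway": ipaddress.ip_address(icmp[4:8]),
        "orig_src": ipaddress.ip_address(inner[12:16]),
        "orig_dst": ipaddress.ip_address(inner[16:20]),
    }

def review(sender: str, msg: dict, first_hop: str, lan: str) -> list:
    """Reasons to distrust a redirect (RFC 1122 3.2.2.2); empty means routine."""
    reasons = []
    if not msg["checksum_ok"]:
        reasons.append("bad ICMP checksum")
    if ipaddress.ip_address(sender) != ipaddress.ip_address(first_hop):
        reasons.append("sender is not the first-hop gateway in use")
    if msg["new_gateway"] not in ipaddress.ip_network(lan):
        reasons.append("new gateway is not on the connected subnet")
    return reasons

def sample_redirect(gateway: str) -> bytes:
    """Constructed sample: code 1 redirect for 192.0.2.10 -> 198.51.100.7."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        ipaddress.ip_address("192.0.2.10").packed,
                        ipaddress.ip_address("198.51.100.7").packed) + bytes(8)
    body = ipaddress.ip_address(gateway).packed + inner
    csum = inet_checksum(struct.pack("!BBH", 5, 1, 0) + body)
    return struct.pack("!BBH", 5, 1, csum) + body
```

An empty list from `review` corresponds to the expected two-router case; any entry in it is a reason to look at which machine actually sent the message.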
 
Guest

A new worm is announced that attacks Microsoft servers over the DCOM/RPC service, which is enabled on a large proportion of servers and workstations. It rapidly spreads across the Internet. Initially, the enterprise network is safe: the Internet-facing systems are all running Apache on Solaris and are therefore immune. But one side-effect of the worm is that it sends high volumes of ICMP (ping) packets, which causes a very high load on the Internet-facing infrastructure.
Most likely the welchia(a,b,c,d,w).worm

Patch for this is found here
For 2000 http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-8c9f-220354449117&displaylang=en

For XP http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en

Good Luck
 
Guest

code 1 = Authentication Failed also