[Snort-sigs] SID 485

Warchild warchild at ...288...
Wed Apr 24 19:19:03 EDT 2002

alert icmp any any -> any any (msg:"ICMP Destination Unreachable
(Communication Administratively Prohibited)"; itype: 3; icode: 13;
sid:485; classtype:misc-activity; rev:2;) 


A router was unable to forward a packet due to filtering and used the
Internet Control Message Protocol to alert involved hosts.

This particular message is meant only to be informative but can be
indicative of malicious activity (spoofed traffic, DOS).

Detailed Information:
A packet sent between two points on a network was administratively
prohibited via filtering of some sort.  The router that did the
filtering returned an ICMP message informing the apparent source host
of the filtering.

Attack Scenarios:
In a DOS attack it is common to to use spoofed source addresses.  If
and when the traffic gets filtered and an ICMP message is returned,
the spoofed source address will be the recipient of the ICMP message.
A similar situation may occur when a large portscan is occuring and an
attempt is made to mask the true source of the scan by tossing in
spoofed source addresses.  

Ease of Attack:
Easy.  Tools are readily available that can craft arbitrary ICMP
packets.  It is also possible to spoof packets using arbitrary
addresses potentially causing intermediary routers to generate ICMP

False Positives:

False Negatives:

Corrective Action:
None needed unless messages become excessive or appear to be invalid. 
Determine what traffic caused this particular ICMP message to be
generated and act accordingly.

Warchild <warchild at ...288...>

Additional References:

More information about the Snort-sigs mailing list