[Snort-users] ICMP destination unreachable

Paul Cardon paul at ...26...
Wed Aug 2 00:05:51 EDT 2000


Bill Pennington wrote:
> 
> ICMP port unreachables will be generated when one of your machines
> attempts to connect to another machine on a port which is not open (or
> maybe its firewalled). You will get ICMP port unreachables for TCP
> traffic. If you are running NT you will see a lot of these as NT
> attempts to contact machines on port 137 (for name lookups mostly). I
> have also seen this happen if you have a machine that is misconfigured.
> For example if I put in the wrong DNS server on a host.

First, suppose there is not a firewall.  If a TCP segment is sent to a
non-listening port on a destination host, a TCP reset will be returned
unless the original segment had its reset flag set, in which case the
destination host will simply ignore it.  ICMP port unreachable is not a
normal response to TCP traffic and most if not all stacks ignore it if
sent in response to a TCP segment.

It IS a normal response when a UDP datagram is sent to a non-listening
port.  UDP, since it is stateless, does not have any type of built-in
response like TCP does so ICMP is used to report this particular error
condition.

If there is a firewall, it is common to completely ignore the packets,
regardless of which protocol is used, and not send back any response if
they are not allowed.  Otherwise, it is typical to respond by spoofing
the IP of the destination system and returning a RST for TCP or an ICMP
port unreachable for UDP.

-paul
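Paul's distinction is a useful one for anyone triaging Snort's ICMP destination unreachable alerts: an ICMP port unreachable that quotes a UDP datagram is the destination stack doing its job, while one that quotes a TCP segment is not something a normal stack emits (a RST is), so it points at a firewall or some other middlebox. The classifier below is an added example written for this thread, not code from the list or from Snort. It parses the quoted original IP header that RFC 792 requires the ICMP body to carry, labels each port unreachable accordingly, and flags cases where the ICMP sender is not the host the original datagram was addressed to. The packets at the bottom are constructed test data (IP checksums left at zero); all addresses and ports are made up.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type
ICMP_PORT_UNREACH = 3   # ICMP code under type 3
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_NAMES = {PROTO_TCP: "TCP", PROTO_UDP: "UDP"}


def parse_ipv4(pkt: bytes):
    """Return ({"proto", "src", "dst"}, payload) for an IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    hdr = {
        "proto": pkt[9],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }
    return hdr, pkt[ihl:]


def classify_icmp(pkt: bytes) -> dict:
    """Classify an IPv4 packet that may carry ICMP type 3 / code 3 (port unreachable).

    verdict is "expected" when the quoted datagram was UDP (the stack's normal reply),
    "anomalous" when it was TCP (a RST, not ICMP, is the normal reply, so a firewall
    or misbehaving device is likely involved), and "ignore" for anything else.
    """
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return {"verdict": "ignore", "reason": "not IPv4"}
    outer, icmp = parsed
    if outer["proto"] != PROTO_ICMP or len(icmp) < 8:
        return {"verdict": "ignore", "reason": "not ICMP"}
    icmp_type, icmp_code = icmp[0], icmp[1]
    if (icmp_type, icmp_code) != (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH):
        return {"verdict": "ignore", "reason": f"ICMP type {icmp_type} code {icmp_code}"}
    # RFC 792: after the 8-byte ICMP header comes the original IP header plus the
    # first 8 bytes of its payload, which is enough to recover both ports.
    quoted = parse_ipv4(icmp[8:])
    if quoted is None or len(quoted[1]) < 4:
        return {"verdict": "ignore", "reason": "truncated quoted datagram"}
    inner, transport = quoted
    sport, dport = struct.unpack("!HH", transport[:4])
    result = {
        "icmp_from": outer["src"],
        "orig_src": inner["src"],
        "orig_dst": inner["dst"],
        "orig_proto": PROTO_NAMES.get(inner["proto"], str(inner["proto"])),
        "orig_sport": sport,
        "orig_dport": dport,
        # The destination host itself normally sends the port unreachable; any other
        # sender is a middlebox speaking on its behalf (or spoofing, as Paul notes).
        "from_middlebox": outer["src"] != inner["dst"],
    }
    if inner["proto"] == PROTO_UDP:
        result.update(verdict="expected", reason="UDP to a closed port; normal stack behaviour")
    elif inner["proto"] == PROTO_TCP:
        result.update(verdict="anomalous", reason="TCP to a closed port should get a RST, not ICMP")
    else:
        result.update(verdict="ignore", reason="quoted protocol is neither TCP nor UDP")
    return result


# --- constructed sample packets (not real captures) -----------------------------

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header with checksum 0; fine for parsing, not for sending."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def build_port_unreach(sender: str, original: bytes) -> bytes:
    """ICMP type 3 code 3 from `sender` quoting the original IP header + 8 bytes."""
    orig_hdr, _ = parse_ipv4(original)
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + original[:28]
    return build_ipv4(sender, orig_hdr["src"], PROTO_ICMP, body)


# Hypothetical host 10.0.0.5 sends a DNS query to a wrongly configured DNS server 10.0.0.9,
# which has nothing listening on UDP/53 and answers with port unreachable itself.
UDP_QUERY = build_ipv4("10.0.0.5", "10.0.0.9", PROTO_UDP, struct.pack("!HHHH", 40000, 53, 8, 0))
SAMPLE_UDP_UNREACH = build_port_unreach("10.0.0.9", UDP_QUERY)

# The same host tries TCP/137 on 10.0.0.7; a hypothetical firewall at 10.0.0.1 answers
# with ICMP port unreachable instead of letting the host send a RST.
TCP_SYN = build_ipv4("10.0.0.5", "10.0.0.7", PROTO_TCP, struct.pack("!HHI", 1025, 137, 12345))
SAMPLE_TCP_UNREACH = build_port_unreach("10.0.0.1", TCP_SYN)

if __name__ == "__main__":
    for pkt in (SAMPLE_UDP_UNREACH, SAMPLE_TCP_UNREACH):
        print(classify_icmp(pkt))
```

Feeding real traffic in is a matter of handing each IPv4 packet's bytes to classify_icmp; the "anomalous" verdicts combined with from_middlebox are the ones worth a closer look, while the "expected" UDP cases mostly come down to the misconfigurations Bill describes.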



