[Snort-users] Re: rules and paranoia?!?

Andreas Maus andreas_maus at ...375...
Thu Aug 24 13:07:53 EDT 2000

Dragos Ruiu wrote:
> Hi there Marty, forwarded your mail.
> I've taken the liberty of removing your address from the list reply
> in case you want to be anonymous about the potential attack.
> You wrote:
> > Heya,
> > I have been running snort for some days on my 2.7 obsd box.
> > Now today I got about 30 new IP dirs in my log area, which means attacks.
> > But the files under them look like ICMP_PORT_UNRCH, ICMP_TTL_EXCEED.
> > I don't know what those mean; I can't see if it is some ports or which attacks
> > they do.
> > Also at precisely 14:10 today I got about 26 IPs all saying ICMP_TTL_EXCEED
> > at the precise TIME!?
> > Could there be something wrong?
> > Do you have a list of what all that means?
> ICMP TTL exceeded means that the TTL of the packet (which is decremented
> at every hop) has reached zero and that node tossed your packet.
> The unreachable messages are sent back by hosts when you
> try to access addresses or ports that are not accessible.
> This could indeed be a test of an attack to do something like DDoS you
> with ICMP messages....  multiple synchronized packets from multiple IPs
> would point to a bunch of DDoS clients acting synchronously.
> But paranoia is always a problem with IDS... it could also be an app
> locally on your side that sprayed a whole bunch of IPs with some bogus
> traffic and got back ICMP messages from all of them when their stacks
> timed out at the same time (this would imply that all those IPs run the
> same OS).
> My recommendation: take two aspirin, be a little more careful in case
> someone is testing your perimeter, and check your logs again tomorrow
> morning. If you have really sensitive stuff to protect, maybe log all packets
> for a couple of days and spend a little time looking for strange stuff.
> A few errant ICMP messages are not something to start calling the admins of
> those sites over yet. Though some err... more tightly wound sysadmins
> seem to jump and send you nastygrams for even little stuff like this, I would
> perceive this as overreaction....
> But I usually take a portscan and stuff like this as permission to portscan
> back. :-)
> cheers,
> --dr
>  --
> dursec.com ltd. / kyx.net - we're from the future
> pgp fingerprint: 18C7 E37C 2F94 E251 F18E  B7DC 2B71 A73E D2E8 A56D
> pgp key: http://www.dursec.com/drkey.asc
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

The ICMP_TTL_EXCEEDED and the ICMP_PORT_UNRCH messages may be caused by a
traceroute program running from your internal network.
Traceroute sends UDP packets to the destination host starting with a TTL
of 1. The next router decrements the TTL and sends back an ICMP_TTL_EXCEEDED
to the sender. Traceroute sends the next packet with a TTL of 2, which is
decreased by the first router (to 1) and by the second router (to 0), and the
second router sends back the error again. And so on... If the UDP packet
reaches the destination, the destination host sends back an ICMP_PORT_UNRCH
error, because traceroute sets the destination port of the UDP datagram to a
very high value (usually larger than 30000). Usually there is no user process
on this port on the destination host, so an ICMP_PORT_UNRCH error is generated
and sent to the sender. Traceroute uses this to determine that the packet has
reached its final destination. So you may check (if you can) the destination
port of the UDP datagram encapsulated in the ICMP error.

More detailed information about the traceroute program can be found at
http://www.crosswinds.net/~hyena2k/ or (sometimes crosswinds.net seems
to be down) at the mirror at

Hope that helps...Andreas.

|           email: andreas_maus at ...375...   |
|       http://www.bigfoot.com/~andreas_maus/ |
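The check Andreas suggests (look at the UDP destination port quoted inside the ICMP error) can be automated. The following is an added example, not code from the original post or from Snort: it decodes a raw IPv4/ICMP error packet, pulls the original datagram's addresses and UDP ports out of the quoted header, and flags the classic traceroute port window. The packets it runs on are constructed test data built by the `build_icmp_error` helper (a hypothetical name), with checksums left at zero; the port range 33434..33533 is the common UNIX traceroute default and is an assumption about the probing tool, not a fact from the post.

```python
import struct
import ipaddress

ICMP_DEST_UNREACH = 3      # RFC 792 type 3
ICMP_TIME_EXCEEDED = 11    # RFC 792 type 11
CODE_PORT_UNREACH = 3      # type 3 / code 3
CODE_TTL_EXCEEDED = 0      # type 11 / code 0
IPPROTO_ICMP, IPPROTO_UDP = 1, 17

# Assumption: classic UNIX traceroute starts UDP probes at destination port
# 33434 and increments the port per probe, so this window is "traceroute-like".
TRACEROUTE_PORTS = range(33434, 33434 + 100)

# Snort-style names as they appear in the log directories discussed above.
NAMES = {
    (ICMP_DEST_UNREACH, CODE_PORT_UNREACH): "ICMP_PORT_UNRCH",
    (ICMP_TIME_EXCEEDED, CODE_TTL_EXCEEDED): "ICMP_TTL_EXCEED",
}


def parse_ipv4(data):
    """Return (header_len, proto, src, dst) for a raw IPv4 header."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (data[0] & 0x0F) * 4
    proto = data[9]
    src = str(ipaddress.IPv4Address(data[12:16]))
    dst = str(ipaddress.IPv4Address(data[16:20]))
    return ihl, proto, src, dst


def classify_icmp_error(packet):
    """Decode an IPv4/ICMP error and report what provoked it.

    Returns a dict with the Snort-style message name, the host that sent the
    error, the original datagram's src/dst and UDP ports (if it was UDP), and
    a verdict string. Checksums are not verified."""
    ihl, proto, reporter, _victim = parse_ipv4(packet)
    if proto != IPPROTO_ICMP:
        raise ValueError("not ICMP")
    icmp = packet[ihl:]
    icmp_type, icmp_code = icmp[0], icmp[1]
    name = NAMES.get((icmp_type, icmp_code))
    if name is None:
        raise ValueError(f"unhandled ICMP type/code {icmp_type}/{icmp_code}")
    # ICMP error body: 4 bytes unused/parameter, then the offending datagram's
    # IP header plus at least its first 8 bytes (RFC 792), i.e. the UDP ports.
    inner = icmp[8:]
    inner_ihl, inner_proto, orig_src, orig_dst = parse_ipv4(inner)
    info = {"message": name, "reported_by": reporter, "orig_src": orig_src,
            "orig_dst": orig_dst, "orig_proto": inner_proto}
    if inner_proto == IPPROTO_UDP and len(inner) >= inner_ihl + 4:
        sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
        info["udp_sport"], info["udp_dport"] = sport, dport
        if dport in TRACEROUTE_PORTS:
            info["verdict"] = "likely traceroute probe from " + orig_src
            return info
    info["verdict"] = "not a traceroute-style probe; inspect further"
    return info


def build_icmp_error(icmp_type, code, reporter, victim, orig_src, orig_dst,
                     sport, dport):
    """Construct a minimal IPv4/ICMP error quoting a UDP datagram (test data
    only; IP/ICMP/UDP checksums left zero)."""
    def ip_hdr(proto, src, dst, total_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                           proto, 0, ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    # Quoted original: its IP header and the first 8 bytes (the UDP header).
    quoted = ip_hdr(IPPROTO_UDP, orig_src, orig_dst, 20 + 8 + 32)
    quoted += struct.pack("!HHHH", sport, dport, 8 + 32, 0)
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return ip_hdr(IPPROTO_ICMP, reporter, victim, 20 + len(icmp)) + icmp


if __name__ == "__main__":
    # Constructed samples: a router's TTL-exceeded reply, the final host's
    # port-unreachable reply, and a port-unreachable for a DNS query.
    samples = [
        build_icmp_error(ICMP_TIME_EXCEEDED, CODE_TTL_EXCEEDED, "10.0.0.1",
                         "192.168.1.5", "192.168.1.5", "198.51.100.7", 40000, 33437),
        build_icmp_error(ICMP_DEST_UNREACH, CODE_PORT_UNREACH, "198.51.100.7",
                         "192.168.1.5", "192.168.1.5", "198.51.100.7", 40000, 33440),
        build_icmp_error(ICMP_DEST_UNREACH, CODE_PORT_UNREACH, "203.0.113.9",
                         "192.168.1.5", "192.168.1.5", "203.0.113.9", 51000, 53),
    ]
    for pkt in samples:
        print(classify_icmp_error(pkt))
```

In a Snort log directory the ICMP payload is what you would feed to `classify_icmp_error`; a burst of TTL_EXCEED entries whose quoted datagrams all share one internal source and consecutive ports in the window is the traceroute signature Andreas describes, whereas quoted ports on well-known services are worth a closer look.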
