[Snort-users] Re: rules and paranoia?!?
andreas_maus at ...375...
Thu Aug 24 13:07:53 EDT 2000
Dragos Ruiu wrote:
> Hi there Marty, forwarded your mail.
> I've taken the liberty of removing your address from the list reply
> in case you want to be anonymous about the potential attack.
> You wrote:
> > Heya,
> > I have been running snort for some days on my 2.7 obsd box.
> > Now today I got about 30 new IP dirs in my log area, which means attacks.
> > But the files under them look like ICMP_PORT_UNRCH, ICMP_TTL_EXCEED,
> > ICMP_HST_UNRCH, ICMP_TTL_EXCEED.
> > I don't know what those mean; I can't see if it is some ports or which attacks
> > they do.
> > Also at precisely 14:10 today I got about 26 IPs all saying ICMP_TTL_EXCEED
> > at the precise time!?
> > Could there be something wrong?
> > Do you have a list of what all that means?
> ICMP TTL exceeded means that the TTL of the packet (which is decremented
> at every hop) has reached zero and that node tossed your packet.
> The unreachable messages are sent back by hosts when you
> try to access addresses or ports that are not accessible.
> This could indeed be a test of an attack to do something like DDoS you
> with ICMP messages.... multiple synchronized packets from multiple IPs
> would point to a bunch of DDoS clients acting synchronously.
> But paranoia is always a problem with IDS... it could also be an app
> locally on your side that sprayed a whole bunch of IPs with some bogus
> traffic and got back ICMP message from all of them when their stacks
> timed out at the same time (this would imply that all those IPs run the
> same OS).
> My recommendation: take two aspirin, be a little more careful in case
> someone is testing your perimeter, and check your logs again tomorrow
> morning. If you have really sensitive stuff to protect, maybe log all packets
> for a couple of days and spend a little time looking for strange stuff.
> A few errant ICMP messages are not something to start calling the admins of
> those sites over yet. Though some err... more tightly wound sysadmins
> seem to jump and send you nastygrams for even little stuff like this, I would
> perceive this as overreaction....
> But I usually take a portscan and stuff like this as permission to portscan
> back. :-)
> dursec.com ltd. / kyx.net - we're from the future
> pgp fingerprint: 18C7 E37C 2F94 E251 F18E B7DC 2B71 A73E D2E8 A56D
> pgp key: http://www.dursec.com/drkey.asc
The ICMP_TTL_EXCEEDED and the ICMP_PORT_UNRCH messages may be caused by a
traceroute program running from your internal network.

Traceroute sends UDP packets to the destination host starting with a TTL of 1.
The next router decrements the TTL and sends back an ICMP_TTL_EXCEEDED to the
sender. Traceroute sends the next packet with a TTL of 2, which is decreased
by the first router (to 1) and by the second router (to 0), and the second
router sends back again. And so on... If the UDP reaches the destination, the
destination host sends back an ICMP_PORT_UNRCH error, because traceroute sets
the destination port of the UDP datagram to a very high value (usually larger
than 30000). Usually there is no user process on this port on the destination
host, so an ICMP_PORT_UNRCH error is generated and sent to the sender.
Traceroute uses this ICMP_PORT_UNRCH to determine that the packet has reached
its final destination. So you may check (if you can) the destination port of
the UDP datagram encapsulated in the ICMP error.

More detailed information about the traceroute program can be found at
http://www.crosswinds.net/~hyena2k/ or (sometimes crosswinds.net seems to be
down) the mirror at

Hope that helps... Andreas.
| email: andreas_maus at ...375... |
| http://www.bigfoot.com/~andreas_maus/ |
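As an added example (not code from either poster), a small Python parser that performs the check Andreas describes: pull the quoted UDP header out of an ICMP TTL-exceeded or port-unreachable message and look at its destination port. The sample messages are constructed inline with RFC 5737 documentation addresses; the 30000 threshold is the one the post gives, and the 33434 base port used in the samples is the classic UNIX traceroute default, a well-known value not taken from the thread.

```python
import struct

# ICMP types/codes from the thread: TTL exceeded (type 11) and port unreachable (type 3, code 3)
ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3
ICMP_TIME_EXCEEDED = 11
IPPROTO_UDP = 17
TRACEROUTE_PORT_FLOOR = 30000  # "usually larger than 30000", per the post above

def build_icmp_error(icmp_type, code, src, dst, sport=0, dport=0, proto=IPPROTO_UDP):
    """Construct a sample ICMP error: 8-byte ICMP header, then the quoted original
    IPv4 header (20 bytes) and the first 8 bytes of its payload (RFC 792 layout).
    Checksums are left at zero; this is constructed test data, not a real capture."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    payload = struct.pack("!HHHH", sport, dport, 8, 0)  # UDP header: sport, dport, len, csum
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + payload

def parse_icmp_error(icmp: bytes) -> dict:
    """Extract type/code and, if the quoted datagram was UDP, its destination port."""
    icmp_type, code = icmp[0], icmp[1]
    inner = icmp[8:]                           # quoted original IPv4 header starts here
    ihl = (inner[0] & 0x0F) * 4                # header length; the inner header may carry options
    info = {"type": icmp_type, "code": code, "proto": inner[9],
            "orig_src": ".".join(map(str, inner[12:16])),
            "orig_dst": ".".join(map(str, inner[16:20]))}
    if info["proto"] == IPPROTO_UDP and len(inner) >= ihl + 4:
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info

def classify(info: dict) -> str:
    """The check from the post: traceroute-style error type plus a high UDP destination port."""
    traceroute_type = (info["type"] == ICMP_TIME_EXCEEDED or
                       (info["type"], info["code"]) == (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH))
    if traceroute_type and info.get("orig_dport", 0) > TRACEROUTE_PORT_FLOOR:
        return "likely traceroute response"
    return "needs a closer look"

# Constructed samples; 33434 is the classic UNIX traceroute default base port (assumption, not from the thread).
SAMPLES = {
    "ttl_exceeded_from_hop":    build_icmp_error(11, 0, "192.0.2.10", "198.51.100.7", 40001, 33435),
    "port_unreach_from_target": build_icmp_error(3, 3, "192.0.2.10", "198.51.100.7", 40001, 33460),
    "port_unreach_dns_probe":   build_icmp_error(3, 3, "192.0.2.10", "198.51.100.7", 40002, 53),
    "ttl_exceeded_icmp_echo":   build_icmp_error(11, 0, "192.0.2.10", "198.51.100.7", proto=1),
}

def triage(samples: dict) -> dict:
    """Run the check over every sample; returns label -> verdict."""
    return {name: classify(parse_icmp_error(msg)) for name, msg in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:26s} {verdict}")
```

Only the first two samples carry a high UDP port behind a traceroute-style ICMP type; the closed DNS port and the quoted ICMP echo fall through to "needs a closer look".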