[Snort-users] ICMP destination unreachable

Bill Pennington billp at ...60...
Mon Jul 31 12:41:06 EDT 2000


ICMP port unreachables will be generated when one of your machines
attempts to connect to another machine on a port which is not open (or
maybe it's firewalled). You will get ICMP port unreachables for TCP
traffic. If you are running NT you will see a lot of these as NT
attempts to contact machines on port 137 (for name lookups mostly). I
have also seen this happen if you have a machine that is misconfigured.
For example, if I put in the wrong DNS server on a host.

Generally speaking they are harmless. I believe you could mount a DoS
attack using spoofed ICMP unreachables but the attacker would need to
know some info about your network to make it effective.

Jan Muenther wrote:
> 
> Hello there,
> I highly appreciate the fact that snort deals with protocols
> other than tcp and udp now, but I do get _LOADS_ of these. I
> can't quite make out why, since when I run 'netstat -an' I only
> get tcp connections and I can't think of any application sending
> out ICMP requests / pings running on that host. What it DOES run
> is the TIS firewall toolkit - could that cause such a thing...???
> I am slightly clueless at the moment.
> 
> A few logs here:
> 
> [**] ICMP Destination Unreachable [**]
> 07/31-15:17:02.759905 216.7.144.11 -> xx.xxx.x.xxx
> ICMP TTL:47 TOS:0x0 ID:4665
> DESTINATION UNREACHABLE: HOST UNREACHABLE
> 
> [**] ICMP Destination Unreachable [**]
> 07/31-15:21:18.826804 216.7.144.11 -> xx.xxx.x.xxx
> ICMP TTL:47 TOS:0x0 ID:9896
> DESTINATION UNREACHABLE: HOST UNREACHABLE
> 
> So, my host is xx.xxx.x.xxx... am I being pinged from outside and
> snort notices my host doesn't answer...?
> 
> and in between we have this one....
> 
> [**] IDS246 - MISC - Large ICMP Packet [**]
> 07/31-15:29:20.549984 194.76.232.129 -> xx.xxx.x.xxx
> ICMP TTL:241 TOS:0x0 ID:57409  DF
> ID:48282   Seq:61662  ECHO
> 
> [**] ICMP Destination Unreachable [**]
> 07/31-15:41:37.998034 xx.xxx.x.xxx -> 194.221.121.196
> ICMP TTL:64 TOS:0xC0 ID:29625
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> 
> [**] ICMP Destination Unreachable [**]
> 07/31-15:41:40.080362 xx.xxx.x.xxx -> 194.221.121.196
> ICMP TTL:64 TOS:0xC0 ID:29773
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> 
> This is what really bewilders me. Am I getting this right: My
> host is sending out ICMP packets which can't reach their
> destination...???
> 
> Confused,
> Jan
> --
> Radio HUNDERT,6 Medien GmbH Berlin
> - EDV -
> j.muenther at ...206...
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 


Bill Pennington
Senior IT Manager
Rocketcash
billp at ...60...
http://www.rocketcash.com
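
A small triage helper for alerts like the ones quoted above, added here as an example and not part of the original thread: it tallies Destination Unreachable alerts by direction relative to the monitored host, peer address and unreachable code, so unreachables the host received can be separated from ones it sent. The function name, the `monitored_host` parameter and the addresses are assumptions; the sample alerts are constructed in the layout shown in the post.

```python
import re
from collections import Counter

# Constructed sample in the alert layout quoted in the post (documentation addresses).
SAMPLE = """\
[**] ICMP Destination Unreachable [**]
07/31-15:17:02.759905 198.51.100.11 -> 192.0.2.10
ICMP TTL:47 TOS:0x0 ID:4665
DESTINATION UNREACHABLE: HOST UNREACHABLE

[**] ICMP Destination Unreachable [**]
07/31-15:21:18.826804 198.51.100.11 -> 192.0.2.10
ICMP TTL:47 TOS:0x0 ID:9896
DESTINATION UNREACHABLE: HOST UNREACHABLE

[**] IDS246 - MISC - Large ICMP Packet [**]
07/31-15:29:20.549984 203.0.113.129 -> 192.0.2.10
ICMP TTL:241 TOS:0x0 ID:57409  DF
ID:48282   Seq:61662  ECHO

[**] ICMP Destination Unreachable [**]
07/31-15:41:37.998034 192.0.2.10 -> 203.0.113.196
ICMP TTL:64 TOS:0xC0 ID:29625
DESTINATION UNREACHABLE: PORT UNREACHABLE
"""

ADDR_LINE = re.compile(r"^\S+\s+(\S+) -> (\S+)\s*$")   # timestamp src -> dst
UNREACH = re.compile(r"^DESTINATION UNREACHABLE: (.+?)\s*$")

def summarize_unreachables(text, monitored_host):
    """Count unreachable alerts keyed by (direction, peer, code)."""
    counts = Counter()
    src = dst = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()       # tolerate mail-quoted alerts
        if line.startswith("[**]"):            # alert title starts a new record
            src = dst = None
        elif m := ADDR_LINE.match(line):
            src, dst = m.groups()
        elif (m := UNREACH.match(line)) and src:
            if src == monitored_host:          # our host emitted the ICMP error
                key = ("sent", dst, m.group(1))
            elif dst == monitored_host:        # an error came back to our host
                key = ("received", src, m.group(1))
            else:
                key = ("other", f"{src}->{dst}", m.group(1))
            counts[key] += 1
    return counts
```

Calling `summarize_unreachables(SAMPLE, "192.0.2.10").most_common()` lists the noisiest peer and code first, which is a reasonable starting point for deciding which alerts to investigate or tune out.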



