[Snort-users] Too many ICMP Destination Unreachable (Port Unreachable)

jjaime at ...2272... jjaime at ...2272...
Fri Jun 22 15:58:18 EDT 2001


Hello list,

My mail relay has problems with deferred messages for "Host not found".

The configuration of my network:

      internet
         |
         '==snort
         |
      Firewall---DNS/WEBSERVER---RELAY/MAIL
         |
         |
    ----LAN-----

Today Snort detected +/- 1600 ICMP Destination Unreachable (Port Unreachable)
from my DNS, distributed this way:

+98% from one IP block:

xxx.xxx.169.252 1070 signatures
xxx.xxx.169.225  450 signatures
xxx.xxx.169.235   11 signatures
xxx.xxx.169.230    1 signatures
xxx.xxx.169.243    1 signatures
xxx.xxx.169.236    1 signatures
xxx.xxx.169.244    1 signatures

[**] ICMP Destination Unreachable (Port Unreachable) [**]
 06/21-14:59:36.689436 xxx.xxx.169.252 -> xxx.xxx.211.30
 ICMP TTL:246 TOS:0x20 ID:38330 IpLen:20 DgmLen:100
 Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
 ** ORIGINAL DATAGRAM DUMP:
 xxx.xxx.211.30:53 -> xxx.xxx.169.252:61536
 UDP TTL:120 TOS:0x0 ID:21774 IpLen:20 DgmLen:72
 Len: 52
 
Does that mean my DNS is badly formed? Is it under attack?

Thanks a lot.
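
An added example, not part of the original post: a parser for alerts in the layout quoted above that tallies them by ICMP sender and checks that the datagram quoted in each error is one the named server sent from UDP port 53. The function names, the `_alert` helper and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import Counter

OUTER = re.compile(r"^\s*\d\d/\d\d-[\d:.]+\s+(\S+) -> (\S+)\s*$", re.M)
ICMP = re.compile(r"^\s*Type:(\d+)\s+Code:(\d+)", re.M)
# The quoted ("original") datagram that the ICMP error refers to (IPv4 only).
INNER = re.compile(r"ORIGINAL DATAGRAM DUMP:\s+(\S+):(\d+) -> (\S+):(\d+)\s+(\w+)")

def parse_alerts(text):
    """Split an alert log into one dict per ICMP alert."""
    alerts = []
    for block in re.split(r"(?m)^[ \t]*\[\*\*\].*\[\*\*\][ \t]*$", text):
        outer, icmp, inner = OUTER.search(block), ICMP.search(block), INNER.search(block)
        if not (outer and icmp):
            continue  # preamble or a non-ICMP alert
        orig = None  # stays None when the alert carries no datagram dump
        if inner:
            orig = {"src": inner[1], "sport": int(inner[2]),
                    "dst": inner[3], "dport": int(inner[4]), "proto": inner[5]}
        alerts.append({"icmp_src": outer[1], "icmp_dst": outer[2],
                       "type": int(icmp[1]), "code": int(icmp[2]), "orig": orig})
    return alerts

def summarize(alerts, server_ip, service_port=53):
    """Count port-unreachable senders answering a packet server_ip sent from service_port."""
    by_sender, unmatched = Counter(), []
    for a in alerts:
        o = a["orig"]
        if ((a["type"], a["code"]) == (3, 3) and o and a["icmp_dst"] == server_ip
                and (o["src"], o["sport"], o["dst"]) == (server_ip, service_port, a["icmp_src"])):
            by_sender[a["icmp_src"]] += 1
        else:
            unmatched.append(a)  # no dump, or the quoted packet is not from the server
    return by_sender, unmatched

def _alert(sender, dport, dump=True, server="192.0.2.30"):  # constructed alert, RFC 5737 addresses
    body = ("[**] ICMP Destination Unreachable (Port Unreachable) [**]\n"
            f" 06/21-14:59:36.689436 {sender} -> {server}\n"
            " Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE\n")
    if dump:
        body += (f" ** ORIGINAL DATAGRAM DUMP:\n {server}:53 -> {sender}:{dport}\n"
                 " UDP TTL:120 TOS:0x0 ID:21774 IpLen:20 DgmLen:72\n Len: 52\n")
    return body + "\n"

SAMPLE = (_alert("198.51.100.252", 61536) * 2 + _alert("198.51.100.225", 40211)
          + _alert("203.0.113.9", 1025, dump=False))

senders, unmatched = summarize(parse_alerts(SAMPLE), "192.0.2.30")
print(senders.most_common(), f"unmatched={len(unmatched)}")
```

Alerts left in `unmatched` are the ones to read by hand, since their quoted datagram is missing or does not correspond to traffic the server sent from that port.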








