[Snort-users] Suspicious ICMP traces

Demetri Mouratis dmourati at ...3877...
Tue Oct 23 20:56:06 EDT 2001


Ofir,

Thanks for the reply.  I actually found your site during my search and
read your paper, very informative.  I have since found out that the
problem was caused by a misconfigured NT box serving as a Cisco Netphone
call center.  Very interesting.  I bet it was the Cisco router on that
network that was filtering out the outgoing UDP traffic.

Thanks again.

On Tue, 23 Oct 2001, Ofir Arkin wrote:

> Demetri,
> 
> This does not seem to be a tunneled message. This is simply the echoed
> information from the original offending packet, which each and every ICMP
> Error message carries with it (usually the IP header + 8 data bytes of
> the offending packet).
> 
> Now, the type of message you are seeing is ICMP Port Unreachable -
> Communication Administratively Prohibited. 
> 
> According to the trace you provided, IP 12.125.63.42 tried to
> communicate with IP 192.168.75.5 (I bet this is a replaced IP, since
> 192.168.*.* is a reserved class B). From the trace provided we can see
> that 12.125.63.42 tried to access port 137 on the target.
> 
> Some filtering device between the two prohibited the communication. It
> can be a router or any other filtering device (even a firewall
> configured to REJECT rather than DROP). This message notified the
> sending side that this kind of communication is not allowed.
> 
> You can read more on this issue from my research paper "ICMP Usage In
> Scanning" available from http://www.sys-security.com. Page 19: "The
> Error message indicates that the destination system is configured to
> reject datagrams from the sending system. This error is used when
> datagrams based on some sort of criteria are being filtered by a
> filtering device (firewall/router/other filtering devices) restrictions
> or other security measures. We can conclude that our Destination Host
> is up and running, but we cannot reach it, since the filtering device
> is blocking our packets, and is instructing us to stop sending
> datagrams."
> 
> I hope this helps you out.
> 
> Ofir Arkin [ofir at ...949...]
> Founder
> The Sys-Security Group
> http://www.sys-security.com
> PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Demetri
> Mouratis
> Sent: 23 October 2001 8:23
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Suspicious ICMP traces
> 
> Hello.  I'm interested in finding out what this packet trace might
> represent.  I've done some reading on the subject and this looks like
> some kind of ICMP tunnel to me.  Specifically, I'm worried that this
> might be a Loki type tunnel.
> 
> I'm not really sure so I thought I'd pass this along for second
> opinions.  
> One thing that raised my suspicions was that the ICMP packet seems to
> contain a UDP datagram within it.  (Or am I jumping the gun on that?)
> 
> So, here is the relevant portion of alert:
> 
> [**] [1:485:1] ICMP Destination Unreachable (Communication
> Administratively Prohibited) [**]
> 10/21-20:21:24.622037 12.125.63.42 -> 192.168.75.7
> ICMP TTL:246 TOS:0x0 ID:64752 IpLen:20 DgmLen:56
> Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
> ** ORIGINAL DATAGRAM DUMP:
> 192.168.75.7:137 -> 216.73.128.3:137
> UDP TTL:112 TOS:0x0 ID:50100 IpLen:20 DgmLen:96
> Len: 76
> ** END OF DUMP
> 
> I've got maybe 10,000 of these over a few day period.  I'm also seeing
> portscans from 192.168.75.7 so I'm pretty sure something is not right
> here.
> 
> Thanks in advance for any help you can provide.  
> 
> 
> ---------------------------------------------------------------------
> Demetri Mouratis
> dmourati at ...3878...

---------------------------------------------------------------------
Demetri Mouratis
dmourati at ...3878...
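
The quoting behaviour described in the reply above, as an added example that is not part of the original thread: a parser that splits an ICMP error into its outer header and the quoted offending datagram. The packet bytes are constructed from the fields in the alert (checksums left as zero), and the function names are hypothetical.

```python
import socket
import struct

# ICMP types that quote the offending datagram (RFC 792 error messages)
ICMP_ERRORS = {3: "dest unreachable", 4: "source quench", 5: "redirect",
               11: "time exceeded", 12: "parameter problem"}

def ip_header(ident, ttl, proto, total_len, src, dst):
    """Pack a 20-byte IPv4 header (no options, checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_sample():
    """Constructed bytes that mirror the fields shown in the alert."""
    quoted = ip_header(50100, 112, 17, 96, "192.168.75.7", "216.73.128.3")
    quoted += struct.pack("!HHHH", 137, 137, 76, 0)    # UDP header: the 8 quoted bytes
    icmp = struct.pack("!BBHI", 3, 13, 0, 0) + quoted  # type 3, code 13, unused word
    return ip_header(64752, 246, 1, 20 + len(icmp),
                     "12.125.63.42", "192.168.75.7") + icmp

def parse_icmp_error(packet):
    """Return the outer ICMP error fields and the datagram it quotes."""
    if len(packet) < 28 or packet[9] != 1:
        raise ValueError("not an ICMP packet")
    ihl = (packet[0] & 0x0F) * 4
    icmp_type, code = packet[ihl], packet[ihl + 1]
    if icmp_type not in ICMP_ERRORS:
        raise ValueError("ICMP type %d does not quote a datagram" % icmp_type)
    quoted = packet[ihl + 8:]                  # skip the 8-byte ICMP header
    q_ihl = (quoted[0] & 0x0F) * 4 if quoted else 0
    if q_ihl < 20 or len(quoted) < q_ihl + 8:
        raise ValueError("quoted datagram is truncated")
    out = {"outer_src": socket.inet_ntoa(packet[12:16]),
           "outer_dst": socket.inet_ntoa(packet[16:20]),
           "outer_len": struct.unpack("!H", packet[2:4])[0],
           "type": icmp_type, "code": code,
           "quoted_src": socket.inet_ntoa(quoted[12:16]),
           "quoted_dst": socket.inet_ntoa(quoted[16:20]),
           "quoted_proto": quoted[9],
           "bytes_after_quoted_ip_header": len(quoted) - q_ihl}
    if quoted[9] == 17:                        # UDP ports and length sit in the 8 bytes
        out["sport"], out["dport"], out["udp_len"] = struct.unpack(
            "!HHH", quoted[q_ihl:q_ihl + 6])
    # An ICMP error is sent back to the source of the offending datagram
    out["returned_to_sender"] = out["outer_dst"] == out["quoted_src"]
    return out

if __name__ == "__main__":
    for key, value in parse_icmp_error(build_sample()).items():
        print(key, value)
```

The UDP header in the output is the echoed copy of the datagram that 192.168.75.7 sent, which is what Snort prints between "ORIGINAL DATAGRAM DUMP" and "END OF DUMP".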