
Thread: ICMP Destination Unreachable (Communication Administratively Prohibited)

  1. #11
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    I think Nebulus is on the $, these could very well be forged packets. Some strange things are happening here. We have ICMP packets from 2 totally separate source IPs. Both packets are code 13. Which SHOULD mean a router won't route them, so the ICMP source IP must be a router, except they both appear to be from (sez ARIN) Canadian ISPs (which you said was not in traceroute). Also, not sure if it matters, but the TTL time on both ICMP packets from different IPs are almost identical (2 hops difference). The Canadian ISP seems to have a big spam problem, don't know if it's related to this but probably worth checking if there's spoofing afoot. More packets would be great if you have them.

    -Maestr0

    Originally posted here by nebulus200
    two, they are nmapping 198.112.234.22 (or something to that effect) and 12.127.88.98 is along THEIR routepath and they are using nmap in decoy mode with your web server as the source. /nebulus
    nebulus,
    Exactly along the lines I was thinking. Notice one of the destination IPs (from the dump of a packet supposedly originating from 172.24.x.x) which generates the ICMP was a mail server. Maybe a spammer is spoofing with 172.24.x.x as the spoofed source IP and confusing a router (who ICMPs) along the real route from the spammer? I know the ports don't add up but it's the only thing I can think of without more information. Any thoughts?

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  2. #12
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Thanks nebulus, Maestr0 & Networker. We have pretty much resigned ourselves to the fact we are being spoofed and have shut down all ICMP traffic in our DMZ. This will kill all the snort alerts but does not stop the spoofing. I have contacted our ISP to inform them what is going on just in case they receive any abuse reports. I wish there was more we could do, but it would appear life on the internet is a bitch.

    Cheers:
    DjM

  3. #13
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    DJM,
    there is a high possibility that some evil is bouncing on your web server to build a DrDoS attack against Bell. (If they were stupid enough to generate ICMP unreachable, I think their CPU resources may be overloaded very quickly.)
    If this scenario is correct there is no real danger for your net, but you have a moral responsibility to stop your unwilling cooperation to an evil attack. (You could set up in your firewall an IP-address-based filter for a few days.)
    SHARING KNOWLEDGE

  4. #14
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Networker
    DJM,
    there is a high possibility that some evil is bouncing on your web server to build a DrDoS attack against Bell. (If they were stupid enough to generate ICMP unreachable, I think their CPU resources may be overloaded very quickly.)
    If this scenario is correct there is no real danger for your net, but you have a moral responsibility to stop your unwilling cooperation to an evil attack. (You could set up in your firewall an IP-address-based filter for a few days.)
    Networker, the example I have attached here is just one example of the alerts I am seeing. In the other alerts the destination IP address changes, so whatever is happening is not just targeting Bell. To set up firewall rules to filter all addresses would be a huge effort. Now we believe a couple of things might be happening. 1) Our address is being spoofed for performing a ping sweep or port scan with something like NMAP. 2) The address is being spoofed for sending out spam (a lot of the servers seem to be mail servers). We are still investigating, but we are not sure there will be anything we can do about it.

    Cheers:
    DjM

  5. #15
    I've been seeing the same type of alerts on my snort box. I usually get one or two every few days and have yet to figure them out either. The ICMP messages seem to be directed back to boxes on my LAN, as well as my DMZ, and originate from random hosts on the internet. However, I'm not sure that these ICMP messages are the result of spoofed traffic since all my boxes use private class C addresses. Also, I have all ICMP traffic blocked at my firewall (incoming and outgoing), so it is weird that ICMP Destination Unreachable is making it back to my LAN. I'm fairly new to Checkpoint, but I'm imagining that Checkpoint must regard ICMP type 13 traffic as being part of an already established stream to allow this traffic back to my LAN hosts. Otherwise, it should be dropped. Shouldn't it? Almost exclusively, port 80 is involved in the TCP/IP socket generating these alerts, either as the original source port or an original destination port. This makes some sense to me since we allow outgoing traffic to port 80 from the LAN and incoming traffic for 80 to webhosts on our DMZ, but that's TCP not ICMP.

    With all this in mind, I am fairly sure the original packets that trigger these alerts do in fact come from my network, since a spoofed packet with a forged source address like 192.168.0.x would never route back to my LAN. Like you all, I am a bit perplexed though I am not yet ready to call this traffic malicious (even though I am keeping an eye on it). Perhaps something else is going on that is marking these packets as 'droppable' by whatever hosts seem to be performing the filtering and sending back the ICMP messages. But if that is the case, what else could that be?

  6. #16
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    The only thing I can recommend both of you do is to set up a sniffer at your DMZ and record traffic for say a 24 hour period (all of it, so make sure you have pretty big disks) into a pcap file and then pull it up in something like ethereal. See if you can't find a correlation between the purported sources of the ICMP unreachable (not who sent you the message but rather the source noted in the packet) and traffic you send out. If you can't find any correlation between the messages you are getting back and the traffic you are sending out, then you are suffering from some kind of spoof.

    Unless you are seeing very large numbers of these kinds of packets (for example maybe the result of a smurf or some similar type of attack), I wouldn't overly worry about it. Another thing you can do is that if you are seeing these packets from supposedly multiple originations, then you could compare the contents of the packets to see how similar they are (for example, maybe the TTL is all the same), which might indicate that it is all coming from one person, versus drastically different TTLs which might indicate more than one source. If other packets are very similar in their content, you could even start considering whether or not the same program caused them...

    Kind of wish I could help more, but like I said earlier, we don't allow ICMP of any kind, so not really anything more I can do but make some suggestions...

    /nebulus

    EDIT: You may also want to consider talking to the folks with the dshield project (distributed IDS). They tend to see a lot of the bigger picture since they get reports from all over the world and might provide you some interesting insight, hell maybe you can even get a research/white paper topic out of it and a little name recognition...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
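    The correlation nebulus describes above (match the original packet quoted inside each ICMP unreachable against flows you actually sent) can be automated. The following is an added example, not code from anyone in this thread; it constructs its own sample ICMP type 3 messages (RFC 792 format: 8-byte ICMP header, then the quoted IP header plus the first 8 bytes of the original transport header), and the addresses, prefixes and "sent flows" table are all made-up values chosen for the demonstration.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed for the example: our DMZ prefix and the 5-tuples our sniffer saw us send.
OUR_PREFIXES = [ip_network("192.0.2.0/24")]
SENT_FLOWS = {(6, "192.0.2.10", 40000, "198.51.100.25", 80)}  # (proto, src, sport, dst, dport)

def build_icmp_unreachable(code, inner_src, inner_dst, sport, dport, ttl=54):
    """Build a sample ICMP type 3 message (code 13 = Communication Administratively
    Prohibited) quoting a TCP packet, as a router would echo it back. Checksums are 0."""
    icmp = struct.pack("!BBHI", 3, code, 0, 0)                 # type, code, cksum, unused
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, ttl, 6, 0,
                           ip_address(inner_src).packed, ip_address(inner_dst).packed)
    inner_tcp = struct.pack("!HHI", sport, dport, 0xDEADBEEF)  # ports + sequence number
    return icmp + inner_ip + inner_tcp

def parse_icmp_unreachable(payload):
    """Return (code, quoted 5-tuple, quoted TTL) for an ICMP type 3 payload, else None."""
    if len(payload) < 8 + 20 + 8:
        return None
    icmp_type, code = struct.unpack("!BB", payload[:2])
    if icmp_type != 3:
        return None
    ihl = (payload[8] & 0x0F) * 4                 # quoted IP header starts at offset 8
    ttl, proto = struct.unpack("!BB", payload[16:18])
    src, dst = str(ip_address(payload[20:24])), str(ip_address(payload[24:28]))
    sport, dport = struct.unpack("!HH", payload[8 + ihl:8 + ihl + 4])
    return code, (proto, src, sport, dst, dport), ttl

def classify(payload, our_prefixes=OUR_PREFIXES, sent_flows=SENT_FLOWS):
    """Label one unreachable: did the packet it quotes really leave our network?"""
    parsed = parse_icmp_unreachable(payload)
    if parsed is None:
        return "not-a-dest-unreachable"
    code, flow, ttl = parsed
    if not any(ip_address(flow[1]) in net for net in our_prefixes):
        return "quoted-source-not-ours"          # not even pretending to be us
    if flow in sent_flows:
        return "correlated"                      # genuine reply to something we sent
    return "unsolicited"                         # our address was spoofed (backscatter)

if __name__ == "__main__":
    samples = [build_icmp_unreachable(13, "192.0.2.10", "198.51.100.25", 40000, 80),
               build_icmp_unreachable(13, "192.0.2.10", "203.0.113.7", 1234, 25)]
    for s in samples:
        print(parse_icmp_unreachable(s), classify(s))
```

On a real capture the sent-flow table comes from the outbound side of the sniffer, and the ICMP payload is the bytes after the outer IP header of each alerting packet.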

  7. #17
    Like I said, the only thing that makes me wonder about this traffic is that we also block all ICMP traffic, inbound and outbound. So I looked at these alerts and said "Humm, how the hell did that get back through my firewall." Like I said, I see about one of these alerts every two or three days. I am currently suspicious of them, but not overly worried.

  8. #18
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by tolstoy
    Like I said, the only thing that makes me wonder about this traffic is that we also block all ICMP traffic, inbound and outbound. So I looked at these alerts and said "Humm, how the hell did that get back through my firewall." Like I said, I see about one of these alerts every two or three days. I am currently suspicious of them, but not overly worried.
    OK Guys, I am not sure if I am on to something here or not, but tolstoy, do you happen to have an antivirus system which, when it detects a virus, will attempt to send an e-mail to whoever "it" thinks sent the e-mail? Because given the way the current batch of viruses spoof e-mail addresses, which sometimes are totally invalid, I think we are getting these ICMP responses because the e-mail can't reach its destination.
    I am going to try and test this theory but I likely can't get to it until tomorrow. Anyways, do you have this type of system set up tolstoy?

    Cheers:
    DjM

  9. #19
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Originally posted here by DjM
    OK Guys, I am not sure if I am on to something here or not, but tolstoy, do you happen to have an antivirus system which, when it detects a virus, will attempt to send an e-mail to whoever "it" thinks sent the e-mail?
    EDIT: I sounded like an ass when I wrote it the first time... Please let me know if that was it, because it sounds like a very plausible possibility...

  10. #20
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Forgive me if I haven't understood you correctly but I don't see how that would matter since the AV software will connect to its SMTP server (which should be valid) and then send an e-mail to the forged address which will return a 'message undeliverable (550)' from the destination SMTP server (if it even exists; otherwise the local SMTP will be unable to establish a connection). Even if the AV has its own SMTP server and tries to identify the source IP in the mail header, it should still try to establish a valid session on port 25. An ICMP code 13 means a router refused to route the packet, not that the destination host was unavailable. Why would a router not in the packet traceroute be sending a code 13 for what was theoretically a handshake to port 25 somewhere? (These ports still don't add up.)
