Thread: Icmp Outgoing Traffic

  1. #1

    Icmp Outgoing Traffic

    hi all
    OS : WINxppro
    the firewall ( sygate ) logged this traffic
    protocol : icmp
    from : my ip port :3
    to : aaa.bbb.ccc.2 port :3
    to : aaa.bbb.ccc.3 port :3
    the proxy server of the ISP is aaa.bbb.ccc.1, and the firewall didn't show the program for that traffic.
    is that normal traffic ?
    how can i determine its icmp not ping ?
    how do I know which prog. cause that icmp ?
    thanx.

  2. #2
    well,

    it's just my guess...

    but I believe that someone is trying to get an OS fingerprint. As far as what program they used, I'm not sure how to tell.

  3. #3

    hi all

    if so, is the firewall enough for OS fingerprint?

    thnx.

  4. #4
    Member
    Join Date
    Dec 2002
    Posts
    63
    This is not the traditional ping/pong packet (ICMP types 8 and 0). This is ICMP type 3 destination unreachable. Were you probed with a UDP packet just prior? ICMP type 3 packets have several code types so if you have a packet capture that may provide more detail.
    $pak = me;

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    yes, pak is dead right, it's normal when receiving UDP packets to closed ports.

    This does NOT indicate a scan, it can easily happen in normal traffic. Particularly if you're running any horribly promiscuous programs that use a lot of sockets, like P2P (worst), Web browsers (better, but still bad) etc.

    Note to sygate firewall developers and anyone else listening: ICMP DOES NOT HAVE PORT NUMBERS.

    ICMP just doesn't have port numbers, so anything which claims it does is just plain wrong

    Slarty

  6. #6
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    Note to sygate firewall developers and anyone else listening: ICMP DOES NOT HAVE PORT NUMBERS.

    LOL.


    As far as ICMP traffic goes, many legitimate programs will send ICMP packets, so make sure you check the source of the packet.
    Real security doesn't come with an installer.

  7. #7

    thnx 4 ur time

    hi
    so you all say all that traffic is normal, not DDoS, which is ICMP protocol
    type 3 - the message protocol - (not ping) and got no port.
    ---
    at present the firewall logged this traffic :
    protocol : ICMP
    Direction : incoming
    from:
    212.102.6.253
    212.102.0.253
    213.181.161.117
    212.102.6.65
    port : 8
    to : myip
    port :0
    is that DDOS?
    ---------------
    i dont use P2P .

    D0pp139an93r
    check the source of the packet
    how? trace them!!!!!?

    thnx 4 ur time ppl.

  8. #8
    Member
    Join Date
    Dec 2002
    Posts
    63
    I am a mod for Sygate so believe me when I tell you that this is no DoS attack.

    The firewall will alert you to a DoS attack and would drop the packets. Your last log shown is a traditional ping (types 8 and 0). The reason for it being associated with ports is because it's a column on the GUI. If you look at your packet log it is correctly identified by its type. ICMP is normal traffic to be seen online so no worries there. Just know that the firewall will alert you when it sees an 'attack signature'.
    $pak = me;
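
An added example, not part of the original thread and not Sygate's code: decoding a captured IPv4 packet yields the ICMP type and code that the firewall GUI lists under "port", and for a type 3 message it also yields the quoted header of the datagram that triggered it, which names the local port involved. The packets are constructed samples using documentation addresses, and the function names are illustrative.

```python
import socket
import struct

ICMP_NAMES = {0: "echo reply", 3: "destination unreachable", 8: "echo request"}
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port"}  # what was unreachable

def _ipv4(buf):
    """Return (header_len, protocol, src, dst) for an IPv4 header."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    return ihl, buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])

def decode_icmp(packet):
    """Decode IPv4+ICMP; for type 3 also decode the datagram quoted in the payload."""
    ihl, proto, src, dst = _ipv4(packet)
    icmp = packet[ihl:]
    if proto != 1 or len(icmp) < 8:
        raise ValueError("not a complete ICMP message")
    out = {"src": src, "dst": dst, "type": icmp[0], "code": icmp[1],
           "name": ICMP_NAMES.get(icmp[0], "other")}
    if icmp[0] != 3:
        return out
    out["unreachable"] = UNREACH_CODES.get(icmp[1], "other")
    try:  # the quoted header may be truncated or absent in a malformed message
        q_ihl, q_proto, q_src, q_dst = _ipv4(icmp[8:])
    except ValueError:
        return out
    out["trigger"] = {"proto": q_proto, "src": q_src, "dst": q_dst}
    l4 = icmp[8 + q_ihl:]
    if q_proto in (6, 17) and len(l4) >= 4:  # TCP and UDP both start with the two ports
        out["trigger"]["sport"], out["trigger"]["dport"] = struct.unpack("!HH", l4[:4])
    return out

def _hdr(proto, src, dst, payload_len):
    """Minimal IPv4 header (checksum left zero) used to build the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed samples (documentation addresses, not taken from the thread's logs).
udp = struct.pack("!HHHH", 40000, 5000, 8, 0)           # UDP to a closed local port 5000
quoted = _hdr(17, "198.51.100.2", "192.0.2.10", 8) + udp
icmp3 = struct.pack("!BBHI", 3, 3, 0, 0) + quoted        # type 3, code 3
UNREACHABLE = _hdr(1, "192.0.2.10", "198.51.100.2", len(icmp3)) + icmp3
ECHO = _hdr(1, "198.51.100.7", "192.0.2.10", 8) + struct.pack("!BBHHH", 8, 0, 0, 1, 1)

if __name__ == "__main__":
    print(decode_icmp(UNREACHABLE), decode_icmp(ECHO), sep="\n")
```

In the first sample the `trigger` entry shows the UDP datagram whose closed destination port caused the outgoing type 3 reply; the second sample is an ordinary incoming echo request with no ports at all.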
