-
January 1st, 2004, 12:28 AM
#1
Member
Icmp Outgoing Traffic
hi all
OS : WINxppro
the firewall ( sygate ) logged this traffic
protocol : icmp
from : my ip port :3
to : aaa.bbb.ccc.2 port :3
to : aaa.bbb.ccc.3 port :3
the proxy server of the ISP is aaa.bbb.ccc.1, and the firewall didn't show the program for that traffic.
is that normal traffic ?
how can i determine its icmp not ping ?
how do I know which prog. cause that icmp ?
thanx.
-
January 1st, 2004, 12:33 AM
#2
Member
well,
it's just my guess...
but i believe that someone is trying to get an OS fingerprint. As far as what program they used, i'm not sure how to tell.
-
January 1st, 2004, 12:44 AM
#3
Member
hi all
if so , is the firewall nuff for OS fingerprint?
thnx.
-
January 1st, 2004, 06:29 AM
#4
Member
This is not the traditional ping/pong packet (ICMP types 8 and 0). This is ICMP type 3 destination unreachable. Were you probed with a UDP packet just prior? ICMP type 3 packets have several code types so if you have a packet capture that may provide more detail.
-
January 1st, 2004, 11:11 PM
#5
yes, pak is dead right, it's normal when receiving UDP packets to closed ports.
This does NOT indicate a scan, it can easily happen in normal traffic. Particularly if you're running any horribly promiscuous programs that use a lot of sockets, like P2P (worst), Web browsers (better, but still bad) etc.
Note to sygate firewall developers and anyone else listening: ICMP DOES NOT HAVE PORT NUMBERS.
ICMP just doesn't have port numbers, so anything which claims it does is just plain wrong.
Slarty
-
January 2nd, 2004, 05:53 AM
#6
Note to sygate firewall developers and anyone else listening: ICMP DOES NOT HAVE PORT NUMBERS.
LOL.
As far as ICMP traffic goes, many legitimate programs will send ICMP packets, so make sure you check the source of the packet.
Real security doesn't come with an installer.
-
January 3rd, 2004, 01:05 AM
#7
Member
thnx 4 ur time
hi
so u all say all that traffic is normal, not DDOS, which is icmp protocol
type 3 - the message protocol - (not ping) and got no port.
---
at present the firewall logged this traffic :
protocol : ICMP
Direction : incoming
from:
212.102.6.253
212.102.0.253
213.181.161.117
212.102.6.65
port : 8
to : myip
port :0
is that DDOS?
---------------
i don't use P2P.
D0pp139an93r
check the source of the packet
how? trace them!!!!!?
thnx 4 ur time ppl.
-
January 3rd, 2004, 03:15 AM
#8
Member
I am a mod for Sygate so believe me when I tell you that this is no DoS attack.
The firewall will alert you to a DoS attack and would drop the packets. Your last log shown is a traditional ping (types 8 and 0). The reason for it being associated with ports is because it's a column on the GUI. If you look at your packet log it is correctly identified by its type. ICMP is normal traffic to be seen online so no worries there. Just know that the firewall will alert you when it sees an 'attack signature'.
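Added example, not part of any post in this thread: a small decoder showing that the "port" values in the firewall log are ICMP type and code, and that a type 3 message quotes the packet that triggered it, which is where real port numbers appear. The sample bytes are constructed, the addresses come from documentation ranges, and the function names are hypothetical.

```python
import socket
import struct

# ICMP types named in the thread and the common type 3 codes (RFC 792).
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}

# Constructed sample messages (bytes after the IP header), not from the thread.
SAMPLE_ECHO = bytes.fromhex("0800000002000100")  # type 8, code 0, id 512, seq 256
SAMPLE_UNREACH = bytes.fromhex(
    "0303000000000000"          # type 3, code 3, checksum (unchecked), unused
    "4500001c0000000040110000"  # quoted IPv4 header start, protocol 17 (UDP)
    "c6336407c000020a"          # 198.51.100.7 -> 192.0.2.10
    "00359c4000080000")         # quoted UDP header: port 53 -> port 40000

def decode_quoted(quoted: bytes):
    """Parse the IP header + 8 payload bytes that a type 3 message quotes."""
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        return None
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20 or len(quoted) < ihl:
        return None
    info = {"proto": quoted[9],
            "src": socket.inet_ntoa(quoted[12:16]),
            "dst": socket.inet_ntoa(quoted[16:20])}
    l4 = quoted[ihl:ihl + 4]
    if info["proto"] in (6, 17) and len(l4) == 4:  # TCP and UDP start with ports
        info["sport"], info["dport"] = struct.unpack("!HH", l4)
    return info

def decode_icmp(msg: bytes) -> dict:
    """Decode an ICMP message; the only ports are inside a quoted datagram."""
    if len(msg) < 8:
        raise ValueError("truncated: the ICMP header is 8 bytes")
    icmp_type, code = msg[0], msg[1]
    out = {"type": icmp_type, "code": code,
           "type_name": ICMP_TYPES.get(icmp_type, "other")}
    if icmp_type in (0, 8):
        # Echo request/reply carry an identifier and sequence number, no ports.
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
    elif icmp_type == 3:
        out["code_name"] = UNREACH_CODES.get(code, "other")
        out["trigger"] = decode_quoted(msg[8:])
    return out

if __name__ == "__main__":
    for sample in (SAMPLE_ECHO, SAMPLE_UNREACH):
        print(decode_icmp(sample))
```

For an outgoing type 3, code 3 message, `trigger` shows the remote sender and the closed local port the UDP packet was aimed at, which is the detail a packet capture adds over the firewall's summary line.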