Date:      Sat, 21 Oct 2000 02:06:34 -0700 (PDT)
From:      "tjk@tksoft.com" <tjk@tksoft.com>
To:        mlnn4@oaks.com.au
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: Unexpected ICMP messages - is someone spoofing my subnet?
Message-ID:  <200010210906.CAA08156@uno.tksoft.com>
In-Reply-To: <007701c03b26$10c42560$023a1dac@dsat.net.au> from "Chris" at Oct 21, 2000 05:13:40 PM

Chris,

Contact the admins of the hosts where the packets are coming
from. Then determine what kind of queries the host unreached's
are generated for.

That's your best bet for finding out the facts.


Troy

> 
> Recently I have noticed a lot of attention being paid (attempted TCP
> connections at port 137) to a particular IP address inside my class C
> subnet. This was over and above the normal subnet scans I get to the
> entire range.
> 
> I have had this subnet for about four years and have never at any time
> had anything at that IP address.
> 
> So, I modified my ipfw setup to log any IP data that come in for any
> unused address (in the past I tended to ignore ICMP at those addresses
> without logging). What I have seen surprises and to an extent perplexes
> me, so I'm writing to see if there is a rational explanation for it.
> 
> Basically, I am getting perhaps 50 or 100 ICMP messages per day for a
> number (more than 30) of IP addresses that have never at any time been
> used by me. I am not referring to echo requests - those I could understand.
> These messages are typically either 'destination unreachable' or
> occasionally 'time exceeded' (almost always the former).
> 
> The senders vary widely but tend to come in groups; that is, I'll get
> a batch of ICMP messages from a single host (or two closely related
> hosts) that are sent to a number of different IP addresses within my
> net, usually within a short time span.
> 
> I have verified that nothing is going out of my network using those IP
> addresses.
> 
> Given that 'host unreachable' messages imply that the remote system in
> question has received a packet from one of my IP addresses, which it
> rejected and then attempted to tell me about, it would seem that either
> someone is spoofing my subnet, or someone is using my subnet internally
> even though it's not assigned to them.
> 
> In that case, I'd expect to see OTHER data coming in to it - but to a
> great extent I don't (apart from the normal probes that we all seem to
> get from script kiddiez). Additionally, I don't see what benefit that
> someone would gain from spoofing my subnet unless they had the ability
> to grab the data being routed back or they're performing DOS attacks.
> In the former case I would not expect to receive any ICMP at all, and
> in the latter, I'd expect to see a lot more data than what I have seen.
> 
> Has anyone got any particular suggestions as to either the cause of this,
> and/or as to how I may get to the bottom of it ?
> 
> regards,
> 
> -- Chris
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 
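The pattern Chris describes (batches of ICMP 'destination unreachable' or 'time exceeded' messages from one sender, addressed to several never-used addresses in the subnet within a short span) is easy to pull out of ipfw logs mechanically, and the resulting per-sender summary is exactly the list of hosts whose admins Troy suggests contacting. The following is an added example, not code from either poster: it parses ipfw syslog lines, keeps only ICMP error types 3 and 11 whose destination is an unused address in the monitored subnet, and groups them by sending host. The log line format (`ipfw: <rule> <action> ICMP:<type>.<code> <src> <dst> in via <if>`) is an assumption about the ipfw syslog format of the period, and the sample lines, addresses, and the 60-second "burst" window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample ipfw syslog lines (illustration only, not from the thread).
# Assumed format: "<syslog ts> <host> /kernel: ipfw: <rule> <action> ICMP:<type>.<code> <src> <dst> in via <if>"
SAMPLE_LOG = """\
Oct 21 01:02:03 gw /kernel: ipfw: 1000 Deny ICMP:3.1 198.51.100.7 192.0.2.40 in via fxp0
Oct 21 01:02:04 gw /kernel: ipfw: 1000 Deny ICMP:3.1 198.51.100.7 192.0.2.41 in via fxp0
Oct 21 01:02:05 gw /kernel: ipfw: 1000 Deny ICMP:3.3 198.51.100.8 192.0.2.42 in via fxp0
Oct 21 01:02:09 gw /kernel: ipfw: 1000 Deny ICMP:11.0 198.51.100.7 192.0.2.45 in via fxp0
Oct 21 01:30:00 gw /kernel: ipfw: 1000 Deny ICMP:8.0 203.0.113.9 192.0.2.10 in via fxp0
Oct 21 02:00:00 gw /kernel: ipfw: 1000 Deny ICMP:3.1 203.0.113.9 192.0.2.10 in via fxp0
Oct 21 02:00:01 gw /kernel: ipfw: 1000 Deny TCP 203.0.113.20:4321 192.0.2.50:137 in via fxp0
"""

# Matches only ICMP entries; TCP/UDP lines (with ports) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ ipfw: \d+ \w+ "
    r"ICMP:(?P<type>\d+)\.(?P<code>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+) in via"
)

# ICMP error types that imply a remote host saw traffic claiming one of our addresses.
# Echo requests (type 8) are deliberately excluded: they are ordinary probes.
ERROR_TYPES = {3: "dest-unreachable", 11: "time-exceeded"}


def parse_icmp_errors(text, year=2000):
    """Return (timestamp, type, code, src, dst) tuples for ICMP error lines in an ipfw log."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        icmp_type = int(m["type"])
        if icmp_type not in ERROR_TYPES:
            continue
        # syslog omits the year; supply one so timestamps can be compared.
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append((ts, icmp_type, int(m["code"]), ip_address(m["src"]), ip_address(m["dst"])))
    return events


def summarize(events, monitored, used, burst_window_s=60):
    """Group ICMP errors sent to unused addresses in `monitored` by sending host.

    A sender is flagged as a 'burst' when it hit two or more distinct unused
    addresses within `burst_window_s` seconds, the pattern described in the thread.
    """
    net = ip_network(monitored)
    used_set = {ip_address(a) for a in used}
    by_src = defaultdict(lambda: {"count": 0, "targets": set(), "kinds": set(), "first": None, "last": None})
    for ts, icmp_type, code, src, dst in events:
        if dst not in net or dst in used_set:
            continue  # real address in use, or not our subnet at all
        rec = by_src[src]
        rec["count"] += 1
        rec["targets"].add(dst)
        rec["kinds"].add(f"{ERROR_TYPES[icmp_type]}/{code}")
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)

    rows = []
    for src, rec in by_src.items():
        span = (rec["last"] - rec["first"]).total_seconds()
        rows.append({
            "src": str(src),
            "count": rec["count"],
            "targets": len(rec["targets"]),
            "kinds": sorted(rec["kinds"]),
            "span_s": span,
            "burst": len(rec["targets"]) >= 2 and span <= burst_window_s,
        })
    # Busiest senders first: these are the hosts whose admins are worth contacting.
    return sorted(rows, key=lambda r: (-r["count"], r["src"]))


if __name__ == "__main__":
    evs = parse_icmp_errors(SAMPLE_LOG)
    for row in summarize(evs, "192.0.2.0/24", used=["192.0.2.10", "192.0.2.50"]):
        print(row)
```

Run against a real log, `used` should be the list of addresses actually assigned in the subnet; everything else in the block is treated as an address that should never be the source of outbound traffic, so any ICMP error addressed to it is evidence that someone else emitted packets carrying that source.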


