From owner-freebsd-net Sun Sep 10 11:38:45 2000
Delivered-To: freebsd-net@freebsd.org
Received: from falcon.prod.itd.earthlink.net (falcon.prod.itd.earthlink.net [207.217.120.74]) by hub.freebsd.org (Postfix) with ESMTP id 3796037B423 for ; Sun, 10 Sep 2000 11:38:43 -0700 (PDT)
Received: from nukemhigh (hybrid-024-221-117-152.phoenix.speedchoice.com [24.221.117.152]) by falcon.prod.itd.earthlink.net (8.9.3-EL_1_3/8.9.3) with SMTP id LAA01178 for ; Sun, 10 Sep 2000 11:38:40 -0700 (PDT)
Message-Id: <200009101838.LAA01178@falcon.prod.itd.earthlink.net>
X-Sender: egravel@mail.earthlink.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0
Date: Sun, 10 Sep 2000 11:38:50 -0700
To: freebsd-net@FreeBSD.ORG
From: Emmanuel Gravel
Subject: Re: Strange TTL Exceeded messages
In-Reply-To:
References: <200009101707.KAA06851@falcon.prod.itd.earthlink.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:21 PM 9/10/00 -0500, Dan Debertin wrote:
>On Sun, 10 Sep 2000, Emmanuel Gravel wrote:
>
>> Knowing I shouldn't have much (any) traffic on my system I ran ethereal
>> overnight to see what my firewall could and couldn't catch. Apart from the
>> usual queries on ports 139 and 137, I saw something strange. I received
>> about 20 TTL Exceeded messages from a host I never sent any info to
>> (according to the ethereal log) just past 3 this morning.
>
>Somebody (possibly you) was using traceroute. It uses ICMP
>TTL-exceeded-in-transit and destination-unreachable messages to do its work
>(I won't explain how traceroute works here, but read any good TCP/IP book
>for more info).

At 3 AM I was fast asleep :) According to the ethereal logs, there were no
transmissions at all originating from me. And since it's in the
non-routable addresses, it must mean someone was sending this to me with
forged origin info.

Something strange though.
I have these rules in the firewall:

${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from any to 10.0.0.0/8 out via ${oif}

and ipfw -a list gives

00600 0 0 deny ip from 10.0.0.0/8 to any via ep0
00700 18 1160 deny ip from any to 10.0.0.0/8 out xmit ep0

Keep in mind I did try pinging the host, and tried a traceroute on it...

Just a quick question about this, I know the first number is the ipfw rule
sequence #. I believe the second is number of packets. So the third, would
it be number of bytes?

I did a timestamp on it, and it shows that rule 00700 was first logged at 10
this morning. Also keep in mind that I restarted my rules a few times... I
know I shouldn't have, and checked them in more detail (to see if the
firewall actually dropped the packets). I'm not logging them, so I'll start
to now... Shouldn't get too much data though :)

I know that ICMP TTL exceeded messages are common with a traceroute; however,
why would I get so many from the same host (in a normal situation,
considering I would have actually done a traceroute, which isn't the case)?

Also, anyone know of anything running on port 27374? This, and any setup
connection from the outside (usually on port 139 :) just got blocked a few
minutes ago... Just trying to understand what kind of weird traffic is
coming in on my system :) Mind you, if it's not something known, it may just
be BO or Netbus trying in on a different port too... Wasn't dumping packets
when I got it...

Thanks!
Emmanuel

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
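A worked example, added here and not part of the message above or of the poster's own setup, for the counter question and the "I'll start logging now" step: in `ipfw -a list` output the three leading columns are the rule number, the packet counter and the byte counter, so the script below reads that output and reports which deny rules have actually dropped something, then prints the two quoted rules rewritten with the `log` keyword. The `ipfw -a list` text it reads is a constructed sample mirroring the two rules quoted in the message (plus the default rule 65535); the `fwcmd`/`oif` values passed to `logging_rules` are placeholders, and the rules are printed rather than loaded, since the example has no firewall to talk to.

```sh
#!/bin/sh
# Added example, not code from the original message. Reads `ipfw -a list`
# output (columns: rule number, matched packets, matched bytes, rule text)
# and reports which deny rules have actually dropped traffic.
# The sample below is constructed to mirror the two rules quoted in the
# post, plus the implicit default rule 65535.

SAMPLE_IPFW_LIST='00600 0 0 deny ip from 10.0.0.0/8 to any via ep0
00700 18 1160 deny ip from any to 10.0.0.0/8 out xmit ep0
65535 4096 123456 allow ip from any to any'

# deny_rules_with_hits: stdin is `ipfw -a list` text; prints
# "<rule> <packets> <bytes>" for each deny rule whose packet counter is non-zero.
deny_rules_with_hits() {
    awk '$4 == "deny" && ($2 + 0) > 0 { print $1, $2, $3 }'
}

# bytes_per_packet <packets> <bytes>: integer average size of what a rule
# matched, 0 when nothing matched. A quick sanity check on the counters
# (the 18 packets / 1160 bytes in the post come to about 64 bytes each).
bytes_per_packet() {
    if [ "$1" -gt 0 ] 2>/dev/null; then
        echo $(( $2 / $1 ))
    else
        echo 0
    fi
}

# logging_rules <fwcmd> <oif>: the same two deny rules with the `log`
# keyword added, so each dropped packet is written to syslog
# (ipfw logging also needs net.inet.ip.fw.verbose=1). Printed, not loaded:
# the arguments are placeholders for the post's ${fwcmd} and ${oif}.
logging_rules() {
    echo "$1 add 600 deny log ip from 10.0.0.0/8 to any via $2"
    echo "$1 add 700 deny log ip from any to 10.0.0.0/8 out via $2"
}

printf '%s\n' "$SAMPLE_IPFW_LIST" | deny_rules_with_hits
bytes_per_packet 18 1160
logging_rules ipfw ep0
```

On a live box, replace the constructed sample with `ipfw -a list | deny_rules_with_hits`; only rule 00700 shows up, which matches the counters quoted in the message (outbound traffic to 10/8 being dropped, none coming in from it on ep0).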