From owner-freebsd-security Mon Sep 14 01:08:07 1998
Date: Mon, 14 Sep 1998 09:07:40 +0100 (BST)
From: Jay Tribick
To: security@FreeBSD.ORG
Subject: Re: odd icmp packet

| I monitor odd packets on broadcast channels, and this turned up in my
| logs:
|
| Sep 14 14:57:55 dawn /kernel: ipfw: 60100 Accept ICMP:11.0 xxx.xx.xx.xx
| 255.255.255.255 in via de0
|
| xxx.xx.xx.xx is not on my subnet, but the machine which recorded this is
| not behind a firewall except in so far as it runs its own filters
|
| ICMP:11.0 indicates time exceeded in transit. Can someone explain what
| might have caused this.
|
| Am I correct in thinking that because ICMP packets do not generate
| responses this does not have DoS relevance?

Not really, an ICMP ping flood is quite a substantial way of DoS'ing
someone and tends to eat up all the bandwidth on a modem connection -
depending upon the source of the ICMPs you could quite easily saturate
a [T|E]1 or higher. It's often used on the IRC networks when someone's
trying to flood someone else off.

You're right in thinking that a Time Exceeded in Transit can't cause a
DoS though (although someone's bound to prove me wrong ;)

Regards,

Jay Tribick

--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]
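Added example, not part of the original message and not FreeBSD code: a small triage script for ipfw log lines of the ICMP form quoted above. It decodes the type.code pair and flags ICMP errors addressed to broadcast, which are anomalous because an ICMP error is returned to the source address of the datagram that triggered it. The function name, flag names and sample addresses are assumptions constructed for illustration.

```python
import re

# ICMP error types (RFC 792). Errors go back to the source address of the
# datagram that triggered them, so a broadcast destination is anomalous.
ICMP_ERRORS = {3: "destination unreachable", 4: "source quench",
               5: "redirect", 11: "time exceeded", 12: "parameter problem"}
ICMP_QUERIES = {0: "echo reply", 8: "echo request"}
TIME_EXCEEDED_CODES = {0: "TTL exceeded in transit",
                       1: "fragment reassembly time exceeded"}

# Matches only the ICMP form of the ipfw log line quoted in the message above.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) ICMP:(?P<type>\d+)\.(?P<code>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)")


def review_line(line, broadcasts=("255.255.255.255",)):
    """Parse one ipfw ICMP log line; return a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    itype, code = int(rec.pop("type")), int(rec.pop("code"))
    name = ICMP_ERRORS.get(itype) or ICMP_QUERIES.get(itype) or "type %d" % itype
    if itype == 11:
        name += ": " + TIME_EXCEEDED_CODES.get(code, "code %d" % code)
    flags = []
    if rec["dst"] in broadcasts:
        if itype in ICMP_ERRORS:
            flags.append("icmp-error-to-broadcast")
        elif itype == 8:
            flags.append("echo-request-to-broadcast")
    rec.update(icmp_type=itype, icmp_code=code, icmp_name=name, flags=flags)
    return rec


# Constructed sample lines (documentation addresses, not from the original log).
SAMPLE = [
    "Sep 14 14:57:55 dawn /kernel: ipfw: 60100 Accept ICMP:11.0 192.0.2.10 255.255.255.255 in via de0",
    "Sep 14 14:58:01 dawn /kernel: ipfw: 60100 Accept ICMP:8.0 192.0.2.77 198.51.100.5 in via de0",
    "Sep 14 14:58:09 dawn /kernel: ipfw: 60100 Accept ICMP:8.0 192.0.2.77 255.255.255.255 in via de0",
    "Sep 14 14:58:12 dawn /kernel: de0: link up",
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = review_line(line)
        if rec and rec["flags"]:
            print(rec["src"], "->", rec["dst"], rec["icmp_name"], rec["flags"])
```

Pass the subnet's directed broadcast address in `broadcasts` as well if the filter logs traffic to it.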