From owner-freebsd-net Sun Sep 10 10: 7: 6 2000
Delivered-To: freebsd-net@freebsd.org
Received: from falcon.prod.itd.earthlink.net (falcon.prod.itd.earthlink.net [207.217.120.74]) by hub.freebsd.org (Postfix) with ESMTP id 9013A37B423 for ; Sun, 10 Sep 2000 10:07:04 -0700 (PDT)
Received: from nukemhigh (hybrid-024-221-117-152.phoenix.speedchoice.com [24.221.117.152]) by falcon.prod.itd.earthlink.net (8.9.3-EL_1_3/8.9.3) with SMTP id KAA06851 for ; Sun, 10 Sep 2000 10:07:01 -0700 (PDT)
Message-Id: <200009101707.KAA06851@falcon.prod.itd.earthlink.net>
X-Sender: egravel@mail.earthlink.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0
Date: Sun, 10 Sep 2000 10:07:13 -0700
To: freebsd-net@freebsd.org
From: Emmanuel Gravel
Subject: Strange TTL Exceeded messages
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Knowing I shouldn't have much (any) traffic on my system, I ran ethereal overnight to see what my firewall could and couldn't catch. Apart from the usual queries on ports 139 and 137, I saw something strange. I received about 20 TTL Exceeded messages from a host I never sent any info to (according to the ethereal log) just past 3 this morning. I tried nslookup on the host and it doesn't seem to exist. I tried pinging the host and it doesn't seem to be up. The IP of that host is 10.254.3.2.

When I did a traceroute, the first message that came up was

    natd[132]: failed to write packet back (Permission denied)

yet my firewall logs didn't show anything. I also tried dumbing down the firewall to divert NATD then allow all, with the same results.

Does anyone know of any kind of attack that would use TTL Exceeded messages? What effect would any amount of those messages have on any system (i.e. are there any known attacks and what are their effects)?

Thanks!

Emmanuel

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message