Date: Sat, 21 Oct 2000 17:13:40 +1100
From: "Chris" <mlnn4@oaks.com.au>
To: <freebsd-security@FreeBSD.ORG>
Subject: Unexpected ICMP messages - is someone spoofing my subnet?
Message-ID: <007701c03b26$10c42560$023a1dac@dsat.net.au>
Recently I have noticed a lot of attention being paid (attempted TCP connections at port 137) to a particular IP address inside my class C subnet. This was over and above the normal subnet scans I get to the entire range. I have had this subnet for about four years and have never at any time had anything at that IP address. So, I modified my ipfw setup to log any IP data that come in for any unused address (in the past I tended to ignore ICMP at those addresses without logging).

What I have seen surprises and to an extent perplexes me, so I'm writing to see if there is a rational explanation for it. Basically, I am getting perhaps 50 or 100 ICMP messages per day for a number (more than 30) of IP addresses that have never at any time been used by me. I am not referring to echo requests - those I could understand. These messages are typically either 'destination unreachable' or occasionally 'time exceeded' (almost always the former). The senders vary widely but tend to come in groups; that is, I'll get a batch of ICMP messages from a single host (or two closely related hosts) that are sent to a number of different IP addresses within my net, usually within a short time span. I have verified that nothing is going out of my network using those IP addresses.

Given that 'host unreachable' messages imply that the remote system in question has received a packet from one of my IP addresses, which it rejected and then attempted to tell me about, it would seem that either someone is spoofing my subnet, or someone is using my subnet internally even though it's not assigned to them. In that case, I'd expect to see OTHER data coming in to it - but to a great extent I don't (apart from the normal probes that we all seem to get from script kiddiez). Additionally, I don't see what benefit that someone would gain from spoofing my subnet unless they had the ability to grab the data being routed back or they're performing DOS attacks.
In the former case I would not expect to receive any ICMP at all, and in the latter, I'd expect to see a lot more data than what I have seen.

Has anyone got any particular suggestions as to either the cause of this, and/or as to how I may get to the bottom of it?

regards,
-- 
Chris
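One way to get to the bottom of it is to look at what the ICMP error messages themselves carry: a Destination Unreachable or Time Exceeded message quotes the IP header and first 8 bytes of the datagram the remote host says it received, so the quoted source, destination, protocol and ports show exactly what packet was claiming to be from the unused address. The parser below is an added example, not code from the thread; the packet, address ranges (documentation prefixes) and port numbers are constructed, and IP/ICMP checksums are not verified.

```python
import struct
from ipaddress import ip_address, ip_network

ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11

def parse_ipv4_header(buf, offset=0):
    """Return the fields of the IPv4 header at buf[offset] (checksum not verified)."""
    ihl = (buf[offset] & 0x0F) * 4
    if ihl < 20 or offset + ihl > len(buf):
        raise ValueError("truncated or invalid IPv4 header")
    return {"ihl": ihl, "proto": buf[offset + 9],
            "src": str(ip_address(buf[offset + 12:offset + 16])),
            "dst": str(ip_address(buf[offset + 16:offset + 20]))}

def parse_icmp_error(pkt, our_prefix):
    """For an ICMP Destination Unreachable / Time Exceeded datagram, return the quoted
    original header (inner IP header + first 8 payload bytes) and whether its source is ours."""
    outer = parse_ipv4_header(pkt)
    if outer["proto"] != 1:
        raise ValueError("not an ICMP datagram")
    icmp_off = outer["ihl"]
    icmp_type, icmp_code = pkt[icmp_off], pkt[icmp_off + 1]
    if icmp_type not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return None                      # echo requests etc. carry no quoted datagram
    inner_off = icmp_off + 8             # the ICMP error header is 8 bytes long
    inner = parse_ipv4_header(pkt, inner_off)
    l4 = pkt[inner_off + inner["ihl"]:inner_off + inner["ihl"] + 8]
    sport = dport = None
    if inner["proto"] in (6, 17) and len(l4) >= 4:   # TCP/UDP ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"type": icmp_type, "code": icmp_code, "reporter": outer["src"],
            "quoted_src": inner["src"], "quoted_dst": inner["dst"],
            "quoted_proto": inner["proto"], "sport": sport, "dport": dport,
            "claims_our_source": ip_address(inner["src"]) in ip_network(our_prefix)}

def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 datagram (zero checksum) for the constructed sample."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload

# Constructed sample: 198.51.100.7 sends "host unreachable" (type 3, code 1) to the unused
# local address 192.0.2.40, quoting a TCP segment that claimed to be from 192.0.2.40:40000 to port 80.
_quoted = build_ipv4("192.0.2.40", "198.51.100.7", 6, struct.pack("!HHI", 40000, 80, 1))
SAMPLE_PKT = build_ipv4("198.51.100.7", "192.0.2.40", 1,
                        struct.pack("!BBHI", 3, 1, 0, 0) + _quoted[:28])

if __name__ == "__main__":
    print(parse_icmp_error(SAMPLE_PKT, "192.0.2.0/24"))
```

Run over the raw packets ipfw or tcpdump logs for the unused addresses, a quoted source inside the local prefix with a remote destination is backscatter from traffic forged in the local network's name; the quoted destinations and ports then show what the forged packets were aimed at.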