Date:      Sun, 10 Sep 2000 10:07:13 -0700
From:      Emmanuel Gravel <egravel@earthlink.net>
To:        freebsd-net@freebsd.org
Subject:   Strange TTL Exceeded messages
Message-ID:  <200009101707.KAA06851@falcon.prod.itd.earthlink.net>

Knowing I shouldn't have much (any) traffic on my system I ran ethereal
overnight to see what my firewall could and couldn't catch. Apart from the
usual queries on ports 139 and 137, I saw something strange. I received
about 20 TTL Exceeded messages from a host I never sent any info to
(according to the ethereal log) just past 3 this morning.

I tried nslookup on the host and it doesn't seem to exist. I tried pinging the
host and it doesn't seem to be up. The IP of that host is 10.254.3.2.

When I did a traceroute, the first message that came up was 

<myhostname> natd[132]: failed to write packet back (Permission denied)

yet my firewall logs didn't show anything. I also tried dumbing down the
firewall to divert NATD then allow all, with the same results.

Does anyone know of any kind of attack that would use TTL Exceeded
messages? What effect would any amount of those messages have on any
system (i.e. are there any known attacks and what are their effects)?

Thanks!

Emmanuel
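
A triage aid for the situation described in this message, added here as an example and not part of the original e-mail: an ICMP Time Exceeded (type 11) message quotes the IP header and first 8 payload bytes of the datagram that expired, so the capture itself shows whether that datagram claimed one of your addresses. The function names and every address except 10.254.3.2 are constructed for illustration.

```python
import ipaddress
import struct

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header for sample data (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_sample(reporter, orig_src, orig_dst, receiver):
    """Constructed Time Exceeded packet quoting a UDP datagram orig_src -> orig_dst."""
    quoted = ipv4_header(orig_src, orig_dst, 17, 8, ttl=1) + struct.pack("!HHHH", 40000, 33434, 8, 0)
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted   # type 11, code 0, 4 unused bytes
    return ipv4_header(reporter, receiver, 1, len(icmp)) + icmp

def parse_time_exceeded(packet):
    """Return reporter and quoted-datagram fields of an ICMP type 11 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8 or packet[ihl] != 11:
        return None
    quoted = packet[ihl + 8:]            # original IP header + first 8 payload bytes
    q_ihl = (quoted[0] & 0x0F) * 4 if len(quoted) >= 20 else 0
    if q_ihl < 20 or quoted[0] >> 4 != 4:
        return None
    reporter = ipaddress.IPv4Address(packet[12:16])
    info = {"reporter": str(reporter), "reporter_private": reporter.is_private,
            "code": packet[ihl + 1],     # 0 = TTL expired in transit, 1 = reassembly timeout
            "orig_src": str(ipaddress.IPv4Address(quoted[12:16])),
            "orig_dst": str(ipaddress.IPv4Address(quoted[16:20])),
            "orig_proto": quoted[9]}
    if quoted[9] in (6, 17) and len(quoted) >= q_ihl + 4:   # TCP/UDP ports are quoted too
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return info

def triage(packet, my_addrs):
    """Classify a packet by whether the quoted datagram claims one of our addresses."""
    info = parse_time_exceeded(packet)
    if info is None:
        return "not-time-exceeded"
    return "quoted-source-is-ours" if info["orig_src"] in my_addrs else "quoted-source-not-ours"

if __name__ == "__main__":
    MY_ADDRS = {"192.0.2.10"}            # constructed local address (TEST-NET-1)
    pkt = build_sample("10.254.3.2", "192.0.2.10", "198.51.100.7", "192.0.2.10")
    print(parse_time_exceeded(pkt), triage(pkt, MY_ADDRS))
```

A result of `quoted-source-not-ours` means the expired datagram was not sent from an address you listed, which points at misdelivery or a forged source rather than your own traffic.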

