Security Incidents mailing list archives
Re: invalid icmp in linux?
From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Sun, 28 May 2000 17:47:27 -0400
On Sat, 27 May 2000, Eric LeBlanc wrote:
May 26 17:35:17 toutatis kernel: 64.228.200.219 sent an invalid ICMP error to a broadcast.
May 26 17:35:17 toutatis last message repeated 9 times
Linux toutatis 2.2.13 #1 SMP Mon Nov 29 22:53:42 EST 1999 i686 unknown
My server is down after attack.. :-/ what it is ? How I patch?
what attack? i'm really confused as to why you think this is an attack. it appears that the host at 64.228.200.219 is in possession of a poor IP stack, at least as far as ICMP is concerned. ICMP errors should *never* be sent regarding broadcast frames. imagine the traffic flood you would see!

Postel 1981 (rfc 792, ftp://ftp.isi.edu/in-notes/rfc792.txt) is the ICMP spec, see also RFC 950 (ftp://ftp.isi.edu/in-notes/rfc950.txt). stevens (tcp/ip illustrated vol 1, 1994) notes on pages 70 and 71 (chapter 6, ICMP) that ICMP error messages should never be generated in response to a broadcast (can't find the RFC policy on this, but stevens is usually the next best thing).

as such, it's probably your kernel correctly reporting that you have a misconfigured system on the network. it's not an attack, in almost all certainty.

jose nazario jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
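An added example, not part of the original post or thread: a small triage script that counts the kernel message quoted above per source address, expanding syslog's "last message repeated N times" lines so that one noisy host can be told apart from many. The function name is hypothetical, and every sample line except the first two (which come from the quoted log) is constructed.

```python
import re
from collections import Counter

# Message text as it appears in the kernel log quoted in the thread.
ICMP_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) kernel: "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) sent an invalid ICMP error to a broadcast\.")
# syslogd collapses identical consecutive messages into a line like this.
REPEAT_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) last message repeated (?P<n>\d+) times")

def count_invalid_icmp(lines):
    """Return Counter {source_ip: events}, expanding syslog repeat lines."""
    counts = Counter()
    last = {}  # logging host -> source IP of its previous message, or None
    for line in lines:
        line = line.strip()
        m = ICMP_RE.match(line)
        if m:
            counts[m["src"]] += 1
            last[m["host"]] = m["src"]
            continue
        r = REPEAT_RE.match(line)
        if r:
            # A repeat line only counts if the message it repeats was ours.
            src = last.get(r["host"])
            if src:
                counts[src] += int(r["n"])
            continue
        # Any other message breaks the repeat chain for that logging host.
        parts = line.split()
        if len(parts) >= 4:
            last[parts[3]] = None
    return counts

# First two lines are from the quoted log; the rest are constructed samples.
SAMPLE = """\
May 26 17:35:17 toutatis kernel: 64.228.200.219 sent an invalid ICMP error to a broadcast.
May 26 17:35:17 toutatis last message repeated 9 times
May 26 17:40:02 toutatis kernel: 192.0.2.7 sent an invalid ICMP error to a broadcast.
May 26 17:41:10 toutatis sshd[411]: Connection closed
May 26 17:41:40 toutatis last message repeated 3 times
"""

if __name__ == "__main__":
    for src, n in count_invalid_icmp(SAMPLE.splitlines()).most_common():
        print(f"{src}\t{n}")
```

A single source with a handful of events, as in the quoted log, fits the misconfigured-stack reading given in the reply.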