RE: Interesting packets

["Boyan Krosnov" <bkrosnov () lirex bg>]

Just a few notes.

The log that you have provided is for an icmp->dest
unreachable->prohibited message, which is usually an effect of acl
blocking of the packets that you send. It may or may not be the case
that you really sent those packets to 68.60.32.5
(ns01.pntiac01.mi.comcast.net). Although I'd bet that you really did,
and this icmp is because of the filter or other blocking mechanism
installed on the machine that has the ip address 68.60.32.249 on one of
it's interfaces(this is most probably a router of a firewall). The point
of this paragraph is to remind you that IP is connectionless and
stateless, and anybody on the internet may have sent this packet.

Also note that there is no such thing as an UDP "connection". There are
only UDP _packets_ (or datagrams) floating forth and back. UDP is
connectionless and stateless as IP is (each protocol working over it has
to provide statefull mechanisms, like keeping the port on one or both
sides the same throughout the communication).
So even if the ICMP is genuine you can't know if the packet from x.y.z.4
to 68.60.32.5 (sport:17468 dport:8197) is the first in this
communication or if there were packets in the opposite direction before
it. And you can't know which of the two machines is initiating the
communication. Also you can't know if the packet in question was sent by
somebody else on the Internet with a spoofed source, or by your machine.

BR,
Boyan Krosnov, CCIE#8701
http://boyan.ludost.net/
Just another techie speaking for himself

> -----Original Message-----
> From: Jeremy Junginger [mailto:jjunginger () usbestcrm com] 
> Sent: Monday, September 16, 2002 6:31 PM
> To: incidents () securityfocus com
> Subject: Interesting packets
>
>
> I've been tracing these packets for a while now, and am 
> having a bit of
> trouble deciphering what's happening.  It appears that this host is
> attempting to contact an external host over udp port 8197 where the
> firewall blocks it.  Interesting points are:
>
> It looks like host x.x.x.4 is initiating a udp session with 68.60.32.5
> over port 8197.  
> We block this port with egress filtering at the firewall, as 
> it is not a
> dataflow we utilize in our production systems.  
> Anybody deciphered similar alerts?
>
>
> Generated by ACID v0.9.6b21 on Mon September 16, 2002 08:02:58
>
> --------------------------------------------------------------
> ----------
> ------
> #(1 - 8399) [2002-09-16 06:50:18]  ICMP Destination Unreachable
> (Communication Administratively Prohibited)
> IPv4: 68.60.32.249 -> x.x.x.4
>       hlen=5 TOS=0 dlen=56 ID=2147 flags=0 offset=0 TTL=241 
> chksum=31000
> ICMP: type=Destination Unreachable code=Packet Filtered
>       checksum=42554 id= seq=
> Payload:  length = 32
>
> 000 : 00 00 00 00 45 00 00 3D 78 26 00 00 70 11 8B 34   
> ....E..=x&..p..4
> 010 : AC 10 37 04 44 3C 20 05 0F 72 00 35 00 29 46 E8   
> ..7.D< ..r.5.)F.
>
> Original IP information:  UDP x.x.x.4 x.xyz.com 17468 68.60.32.5
> ns01.pntiac01.mi.comcast.net 8197 
>
> -Jeremy
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com