Snort mailing list archives
Suspicious ICMP traces
From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Tue, 23 Oct 2001 01:22:51 -0500 (CDT)
Hello. I'm interested in finding out what this packet trace might represent. I've done some reading on the subject and this looks like some kind of ICMP tunnel to me. Specifically, I'm worried that this might be a Loki type tunnel. I'm not really sure so I thought I'd pass this along for second opinions.

One thing that raised my suspicions was that the ICMP packet seems to contain a UDP datagram within it. (Or am I jumping the gun on that?)

So, here is the relevant portion of alert:

[**] [1:485:1] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
10/21-20:21:24.622037 12.125.63.42 -> 192.168.75.7
ICMP TTL:246 TOS:0x0 ID:64752 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
192.168.75.7:137 -> 216.73.128.3:137
UDP TTL:112 TOS:0x0 ID:50100 IpLen:20 DgmLen:96
Len: 76
** END OF DUMP

I've got maybe 10,000 of these over a few day period. I'm also seeing portscans from 192.168.75.7 so I'm pretty sure something is not right here.

Thanks in advance for any help you can provide.

---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
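As an added example (not part of the original post), the Python below constructs a packet with the same fields the alert shows and decodes it the way an analyst would: per RFC 792 a Destination Unreachable message carries the IP header plus the first 8 bytes of the dropped datagram, which is where the 137 -> 137 UDP header in the dump comes from. The packet bytes are constructed here, and the "matches victim" and "extra bytes" checks are assumptions about what a defender would look at when deciding whether such a message is a normal filtering error or something that deserves a closer look.

```python
import struct
from ipaddress import IPv4Address

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, total_len, ttl, ident):
    """20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

# Constructed packet reproducing the fields in the alert above: the filtering
# router quotes the IP header plus the first 8 bytes (the UDP header) of the
# dropped 137->137 datagram inside an ICMP Type 3 Code 13 message (RFC 792).
INNER = (ipv4_header("192.168.75.7", "216.73.128.3", 17, 96, 112, 50100)
         + struct.pack("!HHHH", 137, 137, 76, 0))       # UDP: sport, dport, len, csum
ICMP = struct.pack("!BBHI", 3, 13, 0, 0) + INNER          # type, code, csum, unused
ICMP = ICMP[:2] + struct.pack("!H", checksum(ICMP)) + ICMP[4:]
PACKET = ipv4_header("12.125.63.42", "192.168.75.7", 1, 20 + len(ICMP), 246, 64752) + ICMP

def decode_unreachable(pkt: bytes) -> dict:
    """Decode an ICMP Destination Unreachable and the original datagram it quotes."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    icmp = pkt[ihl:]
    itype, code = icmp[0], icmp[1]
    if proto != 1 or itype != 3:
        raise ValueError("not an ICMP Destination Unreachable message")
    quoted = icmp[8:]                       # original datagram follows 4 unused bytes
    q_ihl, q_proto = (quoted[0] & 0x0F) * 4, quoted[9]
    q_src, q_dst = IPv4Address(quoted[12:16]), IPv4Address(quoted[16:20])
    sport = dport = None
    if q_proto in (6, 17):                  # TCP/UDP: ports are the first 4 quoted bytes
        sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return {
        "outer": (str(src), str(dst), ttl), "type": itype, "code": code,
        "checksum_ok": checksum(icmp) == 0,  # a valid ICMP message sums to zero
        "quoted": (str(q_src), str(q_dst), q_proto, sport, dport),
        "quoted_src_matches_victim": q_src == dst,  # a real error quotes a packet the victim sent
        "extra_quoted_bytes": max(0, len(quoted) - q_ihl - 8),  # RFC 792: header + 8 bytes
    }
```

Running decode_unreachable(PACKET) reports the quoted 192.168.75.7:137 -> 216.73.128.3:137 UDP header, a quoted source equal to the outer destination, and no bytes beyond the header plus 8, which is what a plain filtering error looks like; a Type 3 message whose quoted source is not the receiving host, or that carries extra data, is the case worth pulling the full packet for.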
Current thread:
- Suspicious ICMP traces Demetri Mouratis (Oct 22)
- Re: Suspicious ICMP traces Ryan Russell (Oct 23)
- RE: Suspicious ICMP traces Ofir Arkin (Oct 23)
- RE: Suspicious ICMP traces Demetri Mouratis (Oct 23)
- <Possible follow-ups>
- RE: Suspicious ICMP traces Cessna, Michael (Oct 23)