Here's a copy of the ICMP RFC codes: The Internet Control Message Protocol (ICMP) has many messages that are identified by a "type" field. Here's the numbers from RFC-1700. Type Name Reference ---- ------------------------- --------- 0 Echo Reply [RFC792] 1 Unassigned [JBP] 2 Unassigned [JBP] 3 Destination Unreachable [RFC792] 4 Source Quench [RFC792] 5 Redirect [RFC792] 6 Alternate Host Address [JBP] 7 Unassigned [JBP] 8 Echo [RFC792] 9 Router Advertisement [RFC1256] 10 Router Selection [RFC1256] 11 Time Exceeded [RFC792] 12 Parameter Problem [RFC792] 13 Timestamp [RFC792] 14 Timestamp Reply [RFC792] 15 Information Request [RFC792] 16 Information Reply [RFC792] 17 Address Mask Request [RFC950] 18 Address Mask Reply [RFC950] 19 Reserved (for Security) [Solo] 20-29 Reserved (for Robustness Experiment) [ZSu] 30 Traceroute [RFC1393] 31 Datagram Conversion Error [RFC1475] 32 Mobile Host Redirect [David Johnson] 33 IPv6 Where-Are-You [Bill Simpson] 34 IPv6 I-Am-Here [Bill Simpson] 35 Mobile Registration Request [Bill Simpson] 36 Mobile Registration Reply [Bill Simpson] 37-255 Reserved [JBP] -----Original Message----- From: Kevin Pietersma [mailto:kevat_private] Sent: Monday, May 14, 2001 11:54 AM To: Bob Johnson; Mikael Fors Cc: INCIDENTSat_private Subject: Re: a lot of spoofed traffic for port 8, does anybody recon this? What you are seeing are ICMP codes (ICMP Echo Request; itype: 8; icode: 0). Some one is PINGing you. kev At 10:52 AM 5/14/01 -0400, Bob Johnson wrote: >Don't know if you ever figured this out. The only place I've ever seen port >8 used is a Telocity DSL modem in a friend's office. The modem queries >port 8 on the client system (i.e. the system it is connecting to the >Internet) at regular intervals. It also updates DHCP info at regular >intervals. I don't know what the modem is looking for, but it seems to >work fine if doesn't find anything. > >In his case the modem has a public IP number, so the probe packets come >from that address. > >- Bob > >Mikael Fors wrote: > > > > Last 24 hours I've been receiving a lot of strange packets on my public > interface. Log has been sanitized. > > > > May 9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 > a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29112 F=0x0000 T=126 (#24) > > May 9 10:03:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 > a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29113 F=0x0000 T=127 (#24) > > May 9 10:03:39 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 > a.b.c.d:8 192.168.22.2:0 L=60 S=0x00 I=29117 F=0x0000 T=127 (#24) > > May 9 10:04:06 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 > a.b.c.d:8 192.168.5.1:0 L=60 S=0x00 I=29177 F=0x0000 T=126 (#24) > > May 9 10:04:06 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 > a.b.c.d:8 192.168.5.1:0 L=60 S=0x00 I=29178 F=0x0000 T=127 (#24) > > May 9 10:04:09 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 > a.b.c.d:8 192.168.5.1:0 L=60 S=0x00 I=29185 F=0x0000 T=127 (#24) > > May 9 10:04:33 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 > a.b.c.d:8 192.168.255.1:0 L=60 S=0x00 I=29235 F=0x0000 T=126 (#24) > > May 9 10:04:33 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 > a.b.c.d:8 192.168.255.1:0 L=60 S=0x00 I=29236 F=0x0000 T=127 (#24) > > May 9 10:04:36 gator kernel: Packet log: eth0o REJECT eth0 PROTO=1 > a.b.c.d:8 192.168.255.1:0 L=60 S=0x00 I=29243 F=0x0000 T=127 (#24) > > > > These packets started trickling here about 48 hours ago, and I have no > clue what it can be. What resides on port 8 and why ICMP??? All of these > packets arrive on the public interface, and contains private networks, > mostly 192.168.x.x networks, but also 172.x.x.x networks show up. > > > > Mikael Fors > > Mora Datorer AB > >-- > >********************************************************* > Bob Johnson Senior Systems Programmer > bobat_private College of Engineering > 523 Weil Hall > 352-392-9217 Office University of Florida > 352-392-7063 Fax Gainesville, FL 32611 >********************************************************* > "Security is not a product, it's a mentality." . .
This archive was generated by hypermail 2b30 : Mon May 14 2001 - 21:36:26 PDT