RE: Strange kernel happenings

From: NESTING, DAVID M (SBCSI) (dn3723at_private)
Date: Thu Nov 01 2001 - 09:52:10 PST

    This doesn't have anything to do with reverse DNS.  The message is generated
    by the IP masquerading code in Linux 2.2 kernels during the "reverse" or
    de-masquerade step when processing inbound ICMP packets:  
    
    http://lxr.linux.no/source/net/ipv4/ip_masq.c?v=2.2.19#L1749
    
    Generally ICMP messages like this are in response to an outbound IP packet
    from one of your masqueraded hosts.  For some reason the ICMP replies are
    getting mangled.
    
    I'd say that this might be due to corruption of the packets (network
    problems?) though it's certainly possible this is some kind of ICMP spoofing
    attack or probe.  I'm not sure if throwing a mangled ICMP packet describing
    activity in the range of ports reserved by Linux for masqueraded traffic
    would generate this kind of message or not.
    
    But in any event, this should put you on the right track.  Good luck.
    
    David
    
    -----Original Message-----
    From: mstevensonat_private [mailto:mstevensonat_private]
    Sent: Thursday, November 01, 2001 11:12 AM
    To: incidentsat_private
    Subject: Strange kernel happenings
    
    
    I keep getting the same kernel messages from a few of my Linux servers EVERY
    DAY:
    
    Kernel Messages:
    1,7c1
    < ksum from 63.94.31.225!
    < IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
    < IP_MASQ:reverse ICMP: failed checksum from 141.198.38.114!
    < IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
    < IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
    < IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
    < IP_MASQ:reverse ICMP: failed checksum from 65.205.2.1!
    
    The IPs, however, are not consistent.  Usually different IPs every day.
    I've tried to look this up, but am having a hard time finding information on
    what this means.  Kinda looks like someone from the outside world is
    spoofing IP's, sending ICMP traffic to the server, but when the server tries
    to verify with a reverse lookup it flags and says "I don't like ICMP traffic
    from this address because it looks suspicious!"    Any ideas anyone? 
    
    
    
    Miles Stevenson
    QuickHire Network Support Specialist
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
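The check that produces the "failed checksum" message, and a way to triage the log lines it leaves behind, as an added example that is not part of the thread above and is not the kernel's own ip_masq.c code. It assumes only what the reply describes: the de-masquerade step recomputes the RFC 1071 checksum over an inbound ICMP error packet and rejects it when the sum does not verify. The sample packet, log lines and addresses are constructed; the masquerade source port used in the sample (61000) is taken from PORT_MASQ_BEGIN in the 2.2 kernel's ip_masq.h and is an assumption, not a value on this page.

```python
"""Added example (not from the mailing-list thread): verify the ICMP checksum the
masquerade code rejects, and triage the resulting kernel log lines."""
import re
import socket
import struct
from collections import Counter

# Start of the Linux 2.2 masquerade port range (PORT_MASQ_BEGIN in ip_masq.h).
# Assumption used only as a sample source port; check your own kernel headers.
SAMPLE_MASQ_PORT = 61000


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum (constructed)."""
    fields = (0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst))
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    csum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def build_icmp_port_unreachable(orig_src: str, orig_dst: str,
                                orig_sport: int, orig_dport: int) -> bytes:
    """ICMP type 3 / code 3 quoting the offending IP header + first 8 bytes of UDP.

    This is the shape of ICMP error the masquerade code has to map back to an
    internal host, so the quoted inner source port is what it looks up.
    """
    inner_ip = build_ipv4_header(orig_src, orig_dst, 17, 20 + 8 + 4)
    inner_udp = struct.pack("!HHHH", orig_sport, orig_dport, 12, 0)
    body = inner_ip + inner_udp
    hdr = struct.pack("!BBHI", 3, 3, 0, 0)  # checksum field zero while summing
    csum = internet_checksum(hdr + body)
    return struct.pack("!BBHI", 3, 3, csum, 0) + body


def icmp_checksum_ok(icmp: bytes) -> bool:
    """Receiver-side check: summing a packet that includes its own checksum gives 0."""
    return internet_checksum(icmp) == 0


def corrupt_byte(pkt: bytes, offset: int) -> bytes:
    """Flip one bit at offset, the kind of damage a flaky link or rewriting middlebox causes."""
    b = bytearray(pkt)
    b[offset] ^= 0x01
    return bytes(b)


LOG_RE = re.compile(
    r"IP_MASQ:reverse ICMP: failed checksum from (\d{1,3}(?:\.\d{1,3}){3})!")


def count_failed_checksums(lines) -> Counter:
    """Count 'failed checksum' kernel messages per reported source address."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def repeat_offenders(counts: Counter, threshold: int) -> list:
    """Sources at or above the threshold: one-offs look like line noise, repeats merit a capture."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample log lines in the same shape as the kernel message in the post.
SAMPLE_LOG = [
    "IP_MASQ:reverse ICMP: failed checksum from 192.0.2.10!",
    "IP_MASQ:reverse ICMP: failed checksum from 192.0.2.10!",
    "IP_MASQ:reverse ICMP: failed checksum from 198.51.100.7!",
    "IP_MASQ:reverse ICMP: failed checksum from 192.0.2.10!",
    "eth0: link up",  # unrelated line, ignored by the parser
]

if __name__ == "__main__":
    pkt = build_icmp_port_unreachable("203.0.113.5", "192.0.2.10", SAMPLE_MASQ_PORT, 53)
    print("intact packet passes:", icmp_checksum_ok(pkt))
    print("corrupted packet passes:", icmp_checksum_ok(corrupt_byte(pkt, 8)))
    counts = count_failed_checksums(SAMPLE_LOG)
    print("per-source counts:", dict(counts))
    print("repeat offenders:", repeat_offenders(counts, 2))
```

The checksum half shows why the kernel message is a packet-integrity complaint rather than a DNS one: any single-bit change anywhere in the ICMP header or the quoted datagram makes the one's-complement sum fail. The triage half is the practical follow-up for the original poster's question: sources that repeat across days are the ones worth confirming with a packet capture on the external interface, since a capture will show whether the bytes arrive already damaged or whether something on the path rewrites them.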



    This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 09:58:28 PST