Re: Strange kernel happenings

From: Ryan Russell (ryanat_private)
Date: Thu Nov 01 2001 - 09:54:53 PST

    On Thu, 1 Nov 2001 mstevensonat_private wrote:
    
    > < ksum from 63.94.31.225!
    > < IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
    > < IP_MASQ:reverse ICMP: failed checksum from 141.198.38.114!
    > < IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
    > < IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
    > < IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
    > < IP_MASQ:reverse ICMP: failed checksum from 65.205.2.1!
    >
    > The IPs, however, are not consistent.  Usually different IPs every day.
    > I've tried to look this up, but am having a hard time finding information on
    > what this means.  Kinda looks like someone from the outside world is
    > spoofing IP's, sending ICMP traffic to the server, but when the server tries
    > to verify with a reverse lookup it flags and says "I don't like ICMP traffic
    > from this address because it looks suspicious!"    Any ideas anyone?
    
    Every IP packet has a checksum attached to it, to help determine if the
    packet has arrived intact.  If the packet has been corrupted in some way,
    the checksum will not match the rest of the packet.  The normal reason for
    these to occur is a flaky network connection.  Packets with a bad
    checksum will normally be dropped by any router, so this implies that it's
    the connection between your machine and its default gateway that is having
    trouble.
    
    It's theoretically possible that an attacker on the same layer 2 segment
    as you is purposely crafting invalid packets to some end, but of course the
    bad network theory seems much more probable.
    
    					Ryan
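
Added example, not part of the original message: a sketch of the receiver-side check behind a "failed checksum" log line, using the RFC 1071 Internet checksum over a constructed ICMP echo reply. The function names and sample packet are assumptions made for illustration; it also shows that the checksum catches line noise but not reordered 16-bit words, so a passing checksum says nothing about tampering.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo_reply(ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed sample: ICMP echo reply (type 0, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", 0, 0, 0, ident, seq)   # checksum field zeroed
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", 0, 0, csum, ident, seq) + payload

def icmp_checksum_ok(message: bytes) -> bool:
    """Receiver check: summing the message with its checksum field must give 0."""
    return len(message) >= 8 and internet_checksum(message) == 0

def flip_bit(message: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate corruption on a flaky link by flipping a single bit."""
    damaged = bytearray(message)
    damaged[byte_index] ^= 1 << bit
    return bytes(damaged)

def swap_words(message: bytes, i: int, j: int) -> bytes:
    """Exchange the 16-bit words at even offsets i and j; the sum is unchanged."""
    m = bytearray(message)
    m[i:i + 2], m[j:j + 2] = m[j:j + 2], m[i:i + 2]
    return bytes(m)

if __name__ == "__main__":
    good = build_icmp_echo_reply(0x1234, 1, b"ABCDEFGH")   # constructed packet
    for label, msg in [("intact", good),
                       ("one bit flipped", flip_bit(good, 9, 3)),
                       ("two words swapped", swap_words(good, 8, 10))]:
        verdict = "ok" if icmp_checksum_ok(msg) else "failed checksum"
        print(f"{label:18s} -> {verdict}")
```
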
    
    
    This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 10:04:30 PST