Re: Interesting packets

From: Marcelo Barbosa Lima (mb_limaat_private)
Date: Tue Sep 17 2002 - 17:28:58 PDT


    Sorry, but I think that I did not understand what you said in your answer.
    Really, ICMP has many types, but ICMP is encapsulated in IP datagrams.
    Transport headers (UDP or TCP) are included in ICMP error messages. This
    traffic looks to me like one more trojan or DDoS agent. Generally, this
    malicious software uses UDP to communicate with a remote server.
    
    > ICMP has many types, some of them are UDP packets (refer to TCP/IP II ), to
    > fully understand the traffic flow run "snoop -v -d  interface_name
    > 68.60.32.5" if u using Unix box or any packet capture tool on NT to capture
    > the payload on ur sensor that it detected this alert.
    >
    > Most likely and this just a guess with looking to ur captured traffic u'll
    > find that ur host x.x.x.4 tried trace route or (some other type of ICMP
    > packets that use UDP) to 68.60.32.5 and when this host or the
    > router/firewall in front of it tried to reply to ur host ur firewall
    > generated the "ICMP Destination Unreachable(Communication Administratively
    > Prohibited)"
    >
    > This is a just rough explanation with me knowing where ur sensor is located
    >
    > Best Regards
    >
    > Ohanes Semerjian
    > PGP kEY
    > 6604 2A46 E64F BEBF A4B7  9D01 9E08 399C 9D45 3254
    >
    >
    > -----Original Message-----
    > From: Jeremy Junginger [mailto:jjungingerat_private]
    > Sent: Tuesday, 17 September 2002 1:31
    > To: incidentsat_private
    > Subject: Interesting packets
    >
    >
    > I've been tracing these packets for a while now, and am having a bit of
    > trouble deciphering what's happening.  It appears that this host is
    > attempting to contact an external host over udp port 8197 where the
    > firewall blocks it.  Interesting points are:
    >
    > It looks like host x.x.x.4 is initiating a udp session with 68.60.32.5
    > over port 8197.
    > We block this port with egress filtering at the firewall, as it is not a
    > dataflow we utilize in our production systems.
    > Anybody deciphered similar alerts?
    >
    >
    > Generated by ACID v0.9.6b21 on Mon September 16, 2002 08:02:58
    >
    > ------------------------------------------------------------------------------
    > #(1 - 8399) [2002-09-16 06:50:18]  ICMP Destination Unreachable
    > (Communication Administratively Prohibited)
    > IPv4: 68.60.32.249 -> x.x.x.4
    >       hlen=5 TOS=0 dlen=56 ID=2147 flags=0 offset=0 TTL=241 chksum=31000
    > ICMP: type=Destination Unreachable code=Packet Filtered
    >       checksum=42554 id= seq=
    > Payload:  length = 32
    >
    > 000 : 00 00 00 00 45 00 00 3D 78 26 00 00 70 11 8B 34   ....E..=x&..p..4
    > 010 : AC 10 37 04 44 3C 20 05 0F 72 00 35 00 29 46 E8   ..7.D< ..r.5.)F.
    >
    > Original IP information:  UDP x.x.x.4 x.xyz.com 17468 68.60.32.5
    > ns01.pntiac01.mi.comcast.net 8197
    >
    > -Jeremy
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
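As an added example (not code from any poster in this thread), the following Python decodes the ICMP Destination Unreachable payload from the ACID alert Jeremy quoted: it rebuilds the raw bytes from the two hex-dump lines and then reads the embedded IPv4 header and the first 8 bytes of the offending datagram, which for UDP is the complete UDP header, so the original addresses and ports can be read off directly.

```python
import re
import struct
from ipaddress import IPv4Address

# Hex dump lines copied from the ACID alert quoted in this thread.
ACID_DUMP = """\
000 : 00 00 00 00 45 00 00 3D 78 26 00 00 70 11 8B 34   ....E..=x&..p..4
010 : AC 10 37 04 44 3C 20 05 0F 72 00 35 00 29 46 E8   ..7.D< ..r.5.)F.
"""

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_acid_dump(text: str) -> bytes:
    """Turn ACID's 'offset : hex bytes   ascii' lines back into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        _, _, rest = line.partition(":")
        hex_tokens = []
        for tok in rest.split()[:16]:  # at most 16 bytes per dump line
            if not HEX_PAIR.match(tok):  # stop at the ASCII column
                break
            hex_tokens.append(tok)
        out += bytes.fromhex("".join(hex_tokens))
    return bytes(out)


def decode_icmp_unreachable_payload(payload: bytes) -> dict:
    """Decode an ICMP Destination Unreachable payload (RFC 792 layout):
    4 unused bytes, the offending IPv4 header, then the first 8 bytes of
    that datagram's data, which for UDP is the whole UDP header."""
    if len(payload) < 4 + 20 + 8:
        raise ValueError("payload too short for an IPv4 header plus 8 bytes")
    ip = payload[4:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl + 8:
        raise ValueError("embedded header is not a complete IPv4 header")
    total_len, ident, _frag, ttl, proto, _cksum, src, dst = struct.unpack(
        "!HHHBBH4s4s", ip[2:20])
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "total_len": total_len, "ident": ident}
    if proto == 17:  # UDP: ports come from the embedded transport header
        sport, dport, ulen, _ucksum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
        info["udp"] = {"sport": sport, "dport": dport, "length": ulen}
    return info


if __name__ == "__main__":
    print(decode_icmp_unreachable_payload(parse_acid_dump(ACID_DUMP)))
```

The decoded ports can be compared with the "Original IP information" line of the alert; note that 17468 and 8197 are 0x443C and 0x2005, the four bytes of 68.60.32.5 in the dump.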
    



    This archive was generated by hypermail 2b30 : Tue Sep 17 2002 - 17:58:45 PDT