
Re: icmp: type-#69



Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com> writes:

> I noticed (among the more common icmp: echo request) these odd icmp
> types. The external net my firewall is connected to is plagued by
> smurf-attacks from various sources. So I have tcpdump watching.
>
> From what I gather, this icmp-type should not exist. Can anyone shed some
> light on this:
>
> | 11:49:16.273069 62.211.198.163 > x.y.z.255: icmp: type-#69
> | 11:54:58.078683 62.211.198.163 > x.y.z.255: icmp: type-#69
[snip]

Could you include a complete `tcpdump -X' on one or two of the packets,
maybe make a series of them available for download in libpcap form so I can
oogle them in ethereal?
Preferably, also, can you provide an iptables firewall log entry as well so
we can see more relevant fields?

You're right, ICMP type 69 is pretty darn' invalid - a quick `ipchains -h
icmp' makes it obvious that the highest valid ICMP type is 18.

Are you filtering outgoing icmp-parameter-problem types? Because if not, I
think you probably want to be rate-limiting them (and probably all outgoing
ICMP and, for that matter, UDP) seriously.

The above does smell like someone attempting to DoS either you, or some
poor sod in Italy, by sending invalid ICMP to your broadcast address to see
who responds.
(There's no guarantee that 62....163 is the real source of the packets
here; that's why I want a firewall log so you can check for (a) consistent
TTLs and (b) realistic TTLs given a comparison against traceroute to that
IP# - if the TTLs don't match, then you know the source IP# has been
spoofed so it's an attempt by a *third* party to get *you* to DoS *them*.)

~Tim
-- 
Can you tell me how to get,                 |piglet@stirfried.vegetable.org.uk
How to get to Sesame Street?                |http://spodzone.org.uk/
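The checks Tim asks for above, written out as an added example (not code from the thread or from either poster): parse iptables LOG-target lines, flag ICMP types above the 18 that his `ipchains -h icmp` listing tops out at, and compare the TTLs seen per source against a traceroute hop count. The log lines, the 10.0.0.x destination standing in for x.y.z.255, and the initial-TTL heuristic are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG lines (real key=value layout, made-up values;
# 10.0.0.255 stands in for the x.y.z.255 broadcast address of the thread).
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=62.211.198.163 DST=10.0.0.255 LEN=28 TOS=0x00 PREC=0x00 TTL=245 ID=0 PROTO=ICMP TYPE=69 CODE=0
kernel: IN=eth0 OUT= SRC=62.211.198.163 DST=10.0.0.255 LEN=28 TOS=0x00 PREC=0x00 TTL=112 ID=0 PROTO=ICMP TYPE=69 CODE=0
kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=56 ID=4321 PROTO=ICMP TYPE=8 CODE=0
"""

# Highest ICMP type listed by the `ipchains -h icmp` output the reply refers to.
MAX_VALID_ICMP_TYPE = 18
# Common initial TTLs; used to estimate hops from an observed TTL (heuristic, an assumption).
INITIAL_TTLS = (64, 128, 255)

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_iptables_log(text):
    """Turn each LOG line into a dict of its key=value fields (numeric ones as ints)."""
    records = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "SRC" not in fields:
            continue
        for key in ("TTL", "TYPE", "CODE", "LEN"):
            if key in fields and fields[key].isdigit():
                fields[key] = int(fields[key])
        records.append(fields)
    return records

def invalid_icmp(records, max_type=MAX_VALID_ICMP_TYPE):
    """(SRC, TYPE) pairs whose ICMP type lies above the known range."""
    return [(r["SRC"], r["TYPE"]) for r in records
            if r.get("PROTO") == "ICMP" and r.get("TYPE", 0) > max_type]

def ttls_by_source(records):
    """Sorted distinct TTLs per source; more than one is the inconsistency Tim describes."""
    seen = defaultdict(set)
    for r in records:
        seen[r["SRC"]].add(r["TTL"])
    return {src: sorted(ttls) for src, ttls in seen.items()}

def inconsistent_ttl_sources(records):
    return sorted(src for src, ttls in ttls_by_source(records).items() if len(ttls) > 1)

def estimate_hops(observed_ttl):
    """Hops travelled, assuming the sender started from the nearest common initial TTL."""
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl

def ttl_plausible(observed_ttl, traceroute_hops, tolerance=3):
    """Does the observed TTL agree with the traceroute hop count to that IP?"""
    return abs(estimate_hops(observed_ttl) - traceroute_hops) <= tolerance
```

A source whose TTLs jump around, or whose estimated hop count is far from what traceroute shows, is the spoofing case the reply describes.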