ICMP -- why?

Post by Jan W. Stumpe » Fri, 16 Mar 2001 05:16:38
I found this in the syslog:

Mar 13 20:08:18 altair kernel: Packet log: input ACCEPT ppp0
PROTO=1 10.10.0.9:3 62.59.145.20:1 L=56 S=0x00 I=64568 F=0x0000
T=245 (#7)

(ACCEPT because at the moment I only log, but do not block, ICMP.
I am still trying to understand it.)

-- What did the sender hope to achieve?
-- Should I complain to the ISP for letting such a packet (with
   10.10.0.9 source address) through? I am on a dialup (ppp) line.
   At the moment of this incident my dynamic IP was
   62.59.145.20.

regards, Jan


Post by Lew Pitch » Fri, 16 Mar 2001 05:42:03

>I found this in the syslog:

>Mar 13 20:08:18 altair kernel: Packet log: input ACCEPT ppp0
>PROTO=1 10.10.0.9:3 62.59.145.20:1 L=56 S=0x00 I=64568 F=0x0000
>T=245 (#7)

>(ACCEPT because at the moment I only log, but do not block, ICMP.
>I am still trying to understand it.)

>-- What did the sender hope to achieve?
>-- Should I complain to the ISP for letting such a packet (with
>   10.10.0.9 source address) through? I am on a dialup (ppp) line.
>   At the moment of this incident my dynamic IP was
>   62.59.145.20.

ICMP messages are used by TCP/IP for control purposes. You may disable
transport of some of them (i.e. PING REQUEST, PING REPLY, etc.) but
the majority of them are useful notifications of errors. It wouldn't be
a good idea to block them indiscriminately. In this case, you're
getting a "Destination Unreachable / Host Unreachable" error _from_
10.10.0.9 to a datagram that _you_ supposedly sent. This ICMP message
_may_ be part of a DoS attack against your site, but if you only got
one (or even just a few), then it probably isn't.

Granted, the 10/8 block of net addresses isn't supposed to be
routable, so the ISP _might_ have slipped up here. OTOH, some ISPs
implement their dialup lines in one of the unroutable blocks, and NAT
them to the internet at their own sites. In all, the 10.10.0.9 source
address _might_ have been local to the ISP's network, and might not be
routed to the internet (your ppp link to the ISP doesn't count 'cause
it's a point-to-point connection between two hosts, and the internet
isn't part of _that_ route). Anyway, the ICMP packet you got is the
result of exactly that sort of blocking effort; (presumably) you tried
to connect to 10.10.0.9, and a router sent you back a "Host
Unreachable" packet to tell you to stop.

If you want to examine the packet yourself, take a look at
http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
which describes the ICMP type and code values. In the example packet
you showed us:
  Mar 13 20:08:18 altair kernel: Packet log: input ACCEPT ppp0
  PROTO=1 10.10.0.9:3 62.59.145.20:1 L=56 S=0x00 I=64568 F=0x0000
  T=245 (#7)
the PROTO=1 indicates that it's an ICMP packet;
the source address (10.10.0.9) tells you who sent it;
the port number on the source address (:3) tells you the ICMP type;
the destination address (62.59.145.20) tells you who should receive it;
the port number on the destination address (:1) tells you the ICMP
code.

Lew Pitcher
Information Technology Consultant
Toronto Dominion Bank Financial Group


(Opinions expressed are my own, not my employer's.)
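As an added example (not code from either poster), here is a small Python parser for the ipchains "Packet log:" format above that applies Lew's decoding rule: for PROTO=1 the two "port" fields are the ICMP type and code, so the thread's line comes out as Destination Unreachable / Host Unreachable from an RFC 1918 source, and for other protocols the same fields are real ports. The regex, the registry subset and the sample line (the thread's own entry re-joined onto one line) are this example's own; the private-address check uses the standard library's ipaddress module.

```python
import ipaddress
import re

# ipchains "Packet log:" line format as seen in the thread (regex written for
# this example); the trailing rule number "(#7)" is optional.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x[0-9a-fA-F]+ "
    r"I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

# Subset of the IANA ICMP type/code registry Lew links to.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}
ICMP_CODES = {
    3: {0: "Net Unreachable", 1: "Host Unreachable", 3: "Port Unreachable",
        4: "Fragmentation Needed", 13: "Communication Administratively Prohibited"},
    5: {0: "Redirect Datagram for the Network", 1: "Redirect Datagram for the Host"},
    11: {0: "TTL Exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"},
}


def parse_packet_log(line):
    """Parse one ipchains log line into a dict (None if it does not match)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    rec = {
        "chain": g["chain"], "verdict": g["verdict"], "iface": g["iface"],
        "proto": int(g["proto"]), "src": g["src"], "dst": g["dst"],
        "length": int(g["len"]), "ttl": int(g["ttl"]),
        "rule": int(g["rule"]) if g["rule"] else None,
        # RFC 1918 check: a private source arriving on the dialup link is a bogon.
        "src_private": ipaddress.ip_address(g["src"]).is_private,
    }
    if rec["proto"] == 1:
        # For ICMP the "port" fields are really the type and code (Lew's point).
        t, c = int(g["sport"]), int(g["dport"])
        rec["icmp_type"], rec["icmp_code"] = t, c
        rec["icmp_name"] = "%s / %s" % (ICMP_TYPES.get(t, "type %d" % t),
                                        ICMP_CODES.get(t, {}).get(c, "code %d" % c))
    else:
        rec["sport"], rec["dport"] = int(g["sport"]), int(g["dport"])
    return rec

# The thread's own log entry, re-joined onto one line (syslog had wrapped it).
SAMPLE = ("Mar 13 20:08:18 altair kernel: Packet log: input ACCEPT ppp0 "
          "PROTO=1 10.10.0.9:3 62.59.145.20:1 L=56 S=0x00 I=64568 F=0x0000 T=245 (#7)")
```

Running `parse_packet_log(SAMPLE)` yields icmp_type 3, icmp_code 1 and src_private True, which is exactly the reading given in the reply above.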


Post by Rick Matthe » Fri, 16 Mar 2001 08:08:15

>I found this in the syslog:

>Mar 13 20:08:18 altair kernel: Packet log: input ACCEPT ppp0
>PROTO=1 10.10.0.9:3 62.59.145.20:1 L=56 S=0x00 I=64568 F=0x0000
>T=245 (#7)

This will help you decrypt icmp messages:
http://www.robertgraham.com/pubs/firewall-seen.html#2

Before you start blocking them, you need to read this:
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-5.html#ss5.2

--
Thought for the day:
<http://mysite.directlink.net/matthews/smiles/started.htm>
