iptables, icmp type 3, bogus packet data, new exploit ?

Post by nobod » Mon, 11 Jun 2001 04:22:52



I have been getting strange destination unreachable packets from two
2.4.x kernel machines running iptables. They seem to contain data about
unreachable outgoing connections which have strange flags (always
including RST), implying they are a reply from the target machine, but
the icmp type 3 packets are not from the unreachable target itself. Most
recently, the supposed unreachable host is an IANA reserved address, so
couldn't have been a true source for a reply, nor could the reply have
gotten routed back that far.  (I'm probably not seeing this from my
ipchains 2.2.18 kernel machines because I have allowed icmp type 3,
nonstateful, through the ipchains firewalls.)  Traffic is coming from
the same domain (alter.net), and the same packet id number accompanies
supposedly different packet flags, and the messages may stretch over
hours.

Examples:

> Jun  4 11:12:43 myserver kernel: IN=eth0 OUT= MAC=00:02:e1:11:d6:32:00:10:0d:3b:b4:00:08:00 SRC=157.130.215.21 DST=myserver LEN=56 TOS=0x00 PREC=0x00 TTL=241 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=myserver DST=209.209.16.76 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=766 DF PROTO=TCP SPT=1024 DPT=139 WINDOW=0 RES=0x17 RST FIN URGP=0 ]
> Jun  4 18:47:27 myserver kernel: IN=eth0 OUT= MAC=00:02:e1:11:d6:32:00:10:0d:3b:b4:00:08:00 SRC=157.130.215.21 DST=myserver LEN=56 TOS=0x00 PREC=0x00 TTL=241 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=myserver DST=209.209.16.76 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=766 DF PROTO=TCP SPT=1024 DPT=139 WINDOW=18176 RES=0x36 URG PSH SYN FIN URGP=0 ]
> Jun  4 21:14:07 myserver kernel: IN=eth0 OUT= MAC=00:02:e1:11:d6:32:00:10:0d:3b:b4:00:08:00 SRC=157.130.215.21 DST=myserver LEN=56 TOS=0x00 PREC=0x00 TTL=241 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=myserver DST=209.209.16.76 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=766 DF PROTO=TCP SPT=3072 DPT=139 WINDOW=21280 RES=0x3f URG RST SYN URGP=13360 ]

In this first case, a traceroute back to 209.209.16.67 doesn't go
anywhere near alter.net.   The server was running samba, but restricted
on the firewall via both tcp and udp to a subnet of addresses at my work
domain. I read in a thread on a different list that this may indicate
that the true source lies behind alter.net.

and most recently

Jun  8 13:17:05 mydesktop kernel: IN=eth0 OUT= MAC=00:02:e3:0b:ff:05:08:00:3e:02:e7:0f:08:00 SRC=157.130.143.153 DST=mydesktop LEN=56 TOS=0x00 PREC=0x00 TTL=246 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=mydesktop DST=67.67.67.67 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=51728 DF PROTO=TCP SPT=1278 DPT=1227 WINDOW=59 RES=0x1e ACK PSH RST URGP=20358 ]

Something is wrong with my desktop's ISP's routing in the later case as a
traceroute to 67.67.67.67 goes on forever in an endless loop, and is not
dropped !  I have no idea r.e. source port 1278 or destination 1227, but
nothing shows up on netstat -atn as running there.

Questions:

1. Where are these packets coming from, really ?
2. Why are they being sent ? Are they an attack ? A misconfiguration ?
Is there something to be gained, something exploitable in 2.4.5 and
iptables ? If nonstateful icmp type 3 is accepted, would these packets
break something or initiate some response that would tell an attacker
something ?
3. Is someone trying to explore routing in my server and desktop
domains, and the machine addresses above are randomly chosen to lie
within them in order to get back in through any firewall, perhaps ?
4. Has someone already cracked these machines, and I'm seeing traces of
scans going out ?  I don't have nmap or satan on these machines, rpm -Va
is giving me no MD5 errors in binaries, just configuration files.  A
saved list of MD5 sums against binaries compared OK on the server at
work.
5. Since the domains of the work and home machine are unrelated, is
someone targeting me, personally ?
6.  Is my abysmal lack of knowledge showing here, and there is some
simple explanation for these packets (I've kept packet logs for a year
on one machine, and never seen anything like this until the last few
days) ?

Any comments or suggestions would be greatly appreciated.
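A defender-side triage script for the log format in this post, added here as an example and not part of the original post or of iptables itself. It splits each kernel LOG line into the outer ICMP header and the bracketed inner header (the datagram the ICMP error claims this host sent), then flags exactly what the poster noticed: reserved TCP bits set, contradictory flag combinations, an urgent pointer without URG, and one IP ID reported with several different flag sets across lines. The function names are my own; the sample input is the four log lines quoted above.

```python
import re

# The four LOG lines quoted in the post above (kernel iptables LOG target output).
POST_LINES = [
    "Jun  4 11:12:43 myserver kernel: IN=eth0 OUT= MAC=00:02:e1:11:d6:32:00:10:0d:3b:b4:00:08:00 SRC=157.130.215.21 DST=myserver LEN=56 TOS=0x00 PREC=0x00 TTL=241 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=myserver DST=209.209.16.76 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=766 DF PROTO=TCP SPT=1024 DPT=139 WINDOW=0 RES=0x17 RST FIN URGP=0 ]",
    "Jun  4 18:47:27 myserver kernel: IN=eth0 OUT= MAC=00:02:e1:11:d6:32:00:10:0d:3b:b4:00:08:00 SRC=157.130.215.21 DST=myserver LEN=56 TOS=0x00 PREC=0x00 TTL=241 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=myserver DST=209.209.16.76 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=766 DF PROTO=TCP SPT=1024 DPT=139 WINDOW=18176 RES=0x36 URG PSH SYN FIN URGP=0 ]",
    "Jun  4 21:14:07 myserver kernel: IN=eth0 OUT= MAC=00:02:e1:11:d6:32:00:10:0d:3b:b4:00:08:00 SRC=157.130.215.21 DST=myserver LEN=56 TOS=0x00 PREC=0x00 TTL=241 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=myserver DST=209.209.16.76 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=766 DF PROTO=TCP SPT=3072 DPT=139 WINDOW=21280 RES=0x3f URG RST SYN URGP=13360 ]",
    "Jun  8 13:17:05 mydesktop kernel: IN=eth0 OUT= MAC=00:02:e3:0b:ff:05:08:00:3e:02:e7:0f:08:00 SRC=157.130.143.153 DST=mydesktop LEN=56 TOS=0x00 PREC=0x00 TTL=246 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=mydesktop DST=67.67.67.67 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=51728 DF PROTO=TCP SPT=1278 DPT=1227 WINDOW=59 RES=0x1e ACK PSH RST URGP=20358 ]",
]
TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}
KV = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; a bare "OUT=" yields an empty value

def parse_log_line(line):
    """Split a LOG line into the outer IP/ICMP fields and the bracketed inner
    header, i.e. the datagram the ICMP error claims this host originally sent."""
    outer_text, _, rest = line.partition("[")
    inner_text = rest.rsplit("]", 1)[0]  # empty when the line carries no quoted header
    def fields(text):
        d = dict(KV.findall(text))
        d["FLAGS"] = frozenset(t for t in text.split() if t in TCP_FLAGS)
        return d
    return fields(outer_text), fields(inner_text)

def inner_anomalies(inner):
    """Checks a real TCP stack never fails on its own outgoing packet; a hit
    means the ICMP payload was not copied from a genuine datagram of ours."""
    problems, flags = [], inner.get("FLAGS", frozenset())
    if inner.get("PROTO") == "TCP":
        if int(inner.get("RES", "0"), 16) != 0:  # RES=0x00 on every normal packet
            problems.append("reserved TCP bits set")
        for a, b in (("SYN", "FIN"), ("SYN", "RST"), ("FIN", "RST"), ("PSH", "RST")):
            if a in flags and b in flags:
                problems.append(f"contradictory flags {a}+{b}")
        if "URG" not in flags and inner.get("URGP", "0") != "0":
            problems.append("urgent pointer set without URG")
    return problems

def repeated_id_anomalies(lines):
    """Cross-line check: one inner IP ID seen with several different flag sets
    cannot be several copies of the same real outgoing packet."""
    seen = {}
    for line in lines:
        _, inner = parse_log_line(line)
        key = (inner.get("SRC"), inner.get("DST"), inner.get("ID"))
        seen.setdefault(key, set()).add(inner["FLAGS"])
    return [k for k, variants in seen.items() if len(variants) > 1]

if __name__ == "__main__":
    for line in POST_LINES:
        print(inner_anomalies(parse_log_line(line)[1]))
    print(repeated_id_anomalies(POST_LINES))
```

Every one of the four quoted lines trips at least two checks, which is the practical answer to question 6: whatever is sending them, the quoted payloads were never real packets from these hosts, so the useful response is to keep logging them and not to treat them as evidence of a scan going out.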