Strange ICMPLogD problem
Geoff Shang
gshang at uq.net.au
Fri Nov 15 00:20:17 EST 2002
Hi:
I'm investigating what seems to be excessive usage on my internet account.
This might not be related, but I'm getting errors like the following in
syslog:
Nov 15 15:06:27 data icmplogd: destination unreachable from [203.241.21.161]
This is coming up a lot, once every couple of minutes. My investigating
doesn't resolve the address, but I've determined that it belongs to
poscon.co.kr, whoever they are. I've also seen this in syslog:
Nov 15 15:04:25 data named[302]: ns_forw: query(161.21.241.203.in-addr.arpa) NS points to CNAME (ns.poscon.co.kr:) learnt (CNAME=61.9.208.14:NS=211.47.45.22)
So it would seem that something or someone is trying to contact this IP
address in Korea. But, and here's where I'm stumped, I don't know what is
doing this or how to find out. I've tried doing a TCP dump on the ethernet
port that connects to the net. In the below output, 144.136.152.169 is my
box. This output was produced by running tcpdump -nli eth1 |grep 203.241.21.161
15:12:22.006107 144.136.152.169.1025 > 203.241.21.161.53: 3055 (45)
15:12:22.212485 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:12:30.004769 144.136.152.169.1025 > 203.241.21.161.53: 45347 (45)
15:12:30.210541 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:12:40.002941 144.136.152.169.1025 > 203.241.21.161.53: 27563 (45)
15:12:40.209887 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:12:46.002378 144.136.152.169.1025 > 203.241.21.161.53: 49109 (45)
15:12:46.224578 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:13:06.008228 144.136.152.169.1025 > 203.241.21.161.53: 49109 (45)
15:13:06.233248 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:13:16.006478 144.136.152.169.1025 > 203.241.21.161.53: 27563 (45)
15:13:16.212437 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
So am I right in guessing that someone is sending ICMP packets from
somewhere pretending to be the IP in question, but I can't return them? Is
this something I should be worried about?
Geoff.
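The following is an added example (editor's code, not part of Geoff's post) that reads tcpdump lines in the format quoted above, pairs each ICMP "udp port 53 unreachable" with the outbound query that preceded it, and reports where the queries come from and whether any unreachable arrived without a query to provoke it. The capture text is the one from the post, rejoined onto one line per packet; the single extra line in UNSOLICITED_LINE is constructed to show the opposite case. The regexes, the 5-second pairing window and the field names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from statistics import mean

LOCAL_HOST = "144.136.152.169"  # the poster's box, as stated in the post

# The tcpdump -nli output quoted in the post, one packet per line.
POSTED_CAPTURE = """\
15:12:22.006107 144.136.152.169.1025 > 203.241.21.161.53: 3055 (45)
15:12:22.212485 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:12:30.004769 144.136.152.169.1025 > 203.241.21.161.53: 45347 (45)
15:12:30.210541 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:12:40.002941 144.136.152.169.1025 > 203.241.21.161.53: 27563 (45)
15:12:40.209887 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:12:46.002378 144.136.152.169.1025 > 203.241.21.161.53: 49109 (45)
15:12:46.224578 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:13:06.008228 144.136.152.169.1025 > 203.241.21.161.53: 49109 (45)
15:13:06.233248 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:13:16.006478 144.136.152.169.1025 > 203.241.21.161.53: 27563 (45)
15:13:16.212437 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
"""

# Constructed line (not from the post): an unreachable with no preceding query,
# which is what a forged or unsolicited ICMP would look like in the capture.
UNSOLICITED_LINE = "15:14:00.000000 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable\n"

@dataclass
class Query:
    t: float; src: str; sport: int; dst: str; dport: int; qid: int

@dataclass
class Unreachable:
    t: float; src: str; dst: str; quoted_dst: str; quoted_port: int

_TS = r"(\d\d):(\d\d):(\d\d)\.(\d+)"
# "HH:MM:SS.frac src.sport > dst.dport: <dns id> (<len>)"
UDP_RE = re.compile(_TS + r" (\S+)\.(\d+) > (\S+)\.(\d+): (\d+) \(\d+\)$")
# "HH:MM:SS.frac src > dst: icmp: <quoted dst> udp port <n> unreachable"
ICMP_RE = re.compile(_TS + r" (\S+) > (\S+): icmp: (\S+) udp port (\d+) unreachable$")

def _secs(h, m, s, frac):
    """Time of day in seconds, so query/reply delays can be subtracted."""
    return int(h) * 3600 + int(m) * 60 + int(s) + float("0." + frac)

def parse_capture(text):
    queries, unreach = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = UDP_RE.match(line)
        if m:
            queries.append(Query(_secs(*m.group(1, 2, 3, 4)), m.group(5), int(m.group(6)),
                                 m.group(7), int(m.group(8)), int(m.group(9))))
            continue
        m = ICMP_RE.match(line)
        if m:
            unreach.append(Unreachable(_secs(*m.group(1, 2, 3, 4)), m.group(5), m.group(6),
                                       m.group(7), int(m.group(8))))
    return queries, unreach

def correlate(queries, unreach, window=5.0):
    """Pair each port-unreachable with the latest prior query it could answer.
    A genuine reply comes from the queried host, quotes that host and port,
    and is addressed back to the host that sent the query."""
    pairs = []
    for u in unreach:
        cands = [q for q in queries
                 if q.t <= u.t <= q.t + window
                 and q.dst == u.src == u.quoted_dst
                 and q.dport == u.quoted_port and q.src == u.dst]
        if cands:
            q = max(cands, key=lambda q: q.t)
            pairs.append((q, u, u.t - q.t))
    return pairs

def analyze(text, local_host):
    queries, unreach = parse_capture(text)
    pairs = correlate(queries, unreach)
    qids = [q.qid for q in queries]
    return {
        "queries": len(queries),
        "unreachables": len(unreach),
        "answered": len(pairs),                      # unreachables explained by our own query
        "unsolicited": len(unreach) - len(pairs),    # unreachables nothing of ours provoked
        "all_queries_local": bool(queries) and all(q.src == local_host for q in queries),
        "local_source_ports": sorted({q.sport for q in queries if q.src == local_host}),
        "remote_targets": sorted({(q.dst, q.dport) for q in queries}),
        "retried_ids": sorted({i for i in qids if qids.count(i) > 1}),
        "mean_reply_delay": round(mean(d for _, _, d in pairs), 3) if pairs else None,
    }

if __name__ == "__main__":
    for k, v in analyze(POSTED_CAPTURE, LOCAL_HOST).items():
        print(f"{k}: {v}")
```

On the posted capture the report says all six queries leave 144.136.152.169 from UDP port 1025 for 203.241.21.161:53, every unreachable follows its query by roughly 0.2 s, and two query IDs (27563 and 49109) are resent, so the ICMP messages are answers to the box's own traffic rather than anything unsolicited; only the constructed extra line is flagged as unsolicited. The practical next step is to find which local process owns UDP port 1025 (on Linux, `netstat -anp` run as root, or `fuser -n udp 1025`); a fixed source port sending to port 53, together with the named[302] ns_forw message about the same address in syslog, is consistent with the local nameserver doing the sending.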