Strange ICMPLogD problem

Kerry Hoath kerry at gotss.net
Sat Nov 16 06:47:51 EST 2002


It appears that someone is pinging your box, or sending ICMP traffic to it.
icmplog is logging the event, and is failing to do a PTR lookup on the address in question.
You could fix this by dropping all ICMP traffic from the offending hosts with firewall rules.

On Fri, Nov 15, 2002 at 03:20:17PM +1000, Geoff Shang wrote:
> Hi:
> 
> I'm investigating what seems to be excessive usage on my internet account.
> This might not be related, but I'm getting errors like the following in
> syslog:
> 
> Nov 15 15:06:27 data icmplogd: destination unreachable from [203.241.21.161]
> 
> This is coming up a lot, once every couple of minutes.  My investigating
> doesn't resolve the address, but I've determined that it belongs to
> poscon.co.kr, whoever they are.  I've also seen this in syslog:
> 
> Nov 15 15:04:25 data named[302]: ns_forw: query(161.21.241.203.in-addr.arpa) NS points to CNAME (ns.poscon.co.kr:) learnt (CNAME=61.9.208.14:NS=211.47.45.22)
> 
> So it would seem that something or someone is trying to contact this IP
> address in Korea.  But, and here's where I'm stumped, I don't know what is
> doing this or how to find out.  I've tried doing a TCP dump on the ethernet
> port that connects to the net.  In the below output, 144.136.152.169 is my
> box.  This output was produced by running tcpdump -nli eth1 |grep
> 203.241.21.161
> 
> 15:12:22.006107 144.136.152.169.1025 > 203.241.21.161.53: 3055 (45)
> 15:12:22.212485 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
> 15:12:30.004769 144.136.152.169.1025 > 203.241.21.161.53: 45347 (45)
> 15:12:30.210541 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
> 15:12:40.002941 144.136.152.169.1025 > 203.241.21.161.53: 27563 (45)
> 15:12:40.209887 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
> 15:12:46.002378 144.136.152.169.1025 > 203.241.21.161.53: 49109 (45)
> 15:12:46.224578 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
> 15:13:06.008228 144.136.152.169.1025 > 203.241.21.161.53: 49109 (45)
> 15:13:06.233248 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
> 15:13:16.006478 144.136.152.169.1025 > 203.241.21.161.53: 27563 (45)
> 15:13:16.212437 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
> 
> So am I right in guessing that someone is sending ICMP packets from
> somewhere pretending to be the IP in question, but I can't return them?  Is
> this something I should be worried about?
> 
> Geoff.

-- 
Kerry Hoath:  kerry at gotss.net kerry at gotss.eu.org or  kerry at gotss.spice.net.au
ICQ: 8226547 msn: kerry at gotss.net Yahoo: kerryhoath at yahoo.com.au
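
An added example, not part of either message in this thread: a Python check that pairs each ICMP port-unreachable line in tcpdump output like Geoff's with a preceding outbound UDP packet to the same host and port, so replies to the box's own traffic can be told apart from unsolicited ICMP. The function name, the 2-second pairing window and the constructed 198.51.100.7 line are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# First four lines are from the quoted tcpdump output (wrapped lines joined);
# the last line is constructed to show the unsolicited case.
SAMPLE = """\
15:12:22.006107 144.136.152.169.1025 > 203.241.21.161.53: 3055 (45)
15:12:22.212485 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:12:30.004769 144.136.152.169.1025 > 203.241.21.161.53: 45347 (45)
15:12:30.210541 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:12:31.000000 198.51.100.7 > 144.136.152.169: icmp: 198.51.100.7 udp port 53 unreachable
"""

TS = r"(\d+):(\d+):(\d+\.\d+)"
IP = r"(\d+\.\d+\.\d+\.\d+)"
# Old-style tcpdump -n text: "time src.sport > dst.dport: ..."
UDP_RE = re.compile(rf"^{TS} {IP}\.(\d+) > {IP}\.(\d+): ")
ICMP_RE = re.compile(rf"^{TS} {IP} > {IP}: icmp: {IP} udp port (\d+) unreachable")


def _secs(h, m, s):
    # Seconds since midnight; captures spanning midnight are not handled.
    return int(h) * 3600 + int(m) * 60 + float(s)


def classify_unreachables(text, window=2.0):
    """Return (solicited, unsolicited) counts keyed by (remote_ip, port)."""
    pending = defaultdict(list)   # (local, remote, port) -> send times
    solicited, unsolicited = defaultdict(int), defaultdict(int)
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            t = _secs(*m.group(1, 2, 3))
            local, target, port = m.group(5), m.group(6), int(m.group(7))
            key = (local, target, port)
            # Keep only outbound packets recent enough to have caused this reply.
            recent = [s for s in pending[key] if 0 <= t - s <= window]
            if recent:
                recent.pop(0)     # consume the oldest matching packet
                solicited[(target, port)] += 1
            else:
                unsolicited[(target, port)] += 1
            pending[key] = recent
            continue
        m = UDP_RE.match(line)
        if m:
            src, dst, dport = m.group(4), m.group(6), int(m.group(7))
            pending[(src, dst, dport)].append(_secs(*m.group(1, 2, 3)))
    return dict(solicited), dict(unsolicited)
```

Calling `classify_unreachables(SAMPLE)` returns two dictionaries; entries in the first are unreachables that answer a packet the local host sent moments earlier.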




