#1
Firewall logs show increasing numbers of ICMP type 3 responses to alternate DNS servers. I do not see any requests to or from those servers. What could be prompting the ICMP responses?

Thanks,
nf
#2
"nutso fasst" <no.replies@no.where> wrote in message news:eaBLD$LaHHA.4000@TK2MSFTNGP02.phx.gbl...

> Firewall logs show increasing numbers of ICMP type 3 responses to alternate DNS servers. I do not see any requests to or from those servers. What could be prompting the ICMP responses?

You have left your network design completely unexplained except to mention a "firewall" without describing its placement or function -- it might be between your internal network and the internet or a mere "local or personal firewall" on a single machine, or something else.

It is possible that the ICMP responses (to request traffic never sent by that machine) are being caused by some form of the ping of death attack, especially to a distributed denial of service.

What does the net look like? What addresses are the source addresses of these ICMP packets? (Where is their source, inside or outside your network?) These might be spoofed but may not be if they are "relatively innocent" machines being co-opted for such an attack.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
#3
"Herb Martin" <news@learnquick.com> wrote in message news:uuzecGMaHHA.4220@TK2MSFTNGP03.phx.gbl...

> What does the net look like? What addresses are the source addresses of these ICMP packets? (Where is their source, inside or outside your network?) These might be spoofed but may not be if they are "relatively innocent" machines being co-opted for such an attack.

Thanks for the reply.

The ICMP source is the local server. The only info logged is the source IP (local server's internet IP address), the destination IPs (ISP's internet DNS servers), and the ICMP type (3). The local IP is the internet side of a private network - user traffic only, no servers (primary DNS is hosted locally at another IP).

I do not show ANY other traffic between the local server and the internet DNS servers - nothing incoming for the local server to respond to with ICMP 3. Nor is there any relationship between internal network traffic and the ICMP 3 responses. I am currently blocking the outgoing ICMP type 3.

The log entries appear as sequences of 3, 6 or 9 ICMP outgoing - 3 to one external IP, then 3 or 6 to another. I first noticed this about a month ago as an occasional thing. Now it's every few minutes.

nf
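The check nf describes doing by hand in the post above (look for any inbound packet from the DNS server that the outgoing ICMP type 3 could be answering, then count how the unreachables cluster per destination) can be scripted. The following is an added example and not code from the thread: it parses a constructed, simplified firewall log format, flags outbound ICMP type 3 entries with no inbound packet from that peer inside a short window (an ICMP destination unreachable is only ever sent in reply to a packet that was received, so an unreachable with nothing received to answer is the anomaly worth flagging), and groups the flagged entries into runs the way nf counted them. The log format, the RFC 5737 addresses and the 30-second and 5-second windows are all assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the thread). Format assumed for the demo:
# "<timestamp> <IN|OUT> <proto> <src>[:port] -> <dst>[:port] <detail>"
# 203.0.113.10 plays the local server; 198.51.100.x play the ISP's DNS servers.
SAMPLE_LOG = """\
2007-03-10 09:00:00 OUT UDP  203.0.113.10:1025 -> 198.51.100.1:53 dns-query
2007-03-10 09:00:00 IN  UDP  198.51.100.1:53 -> 203.0.113.10:1025 dns-reply
2007-03-10 09:04:59 IN  UDP  198.51.100.3:53 -> 203.0.113.10:1026 dns-reply
2007-03-10 09:05:00 OUT ICMP 203.0.113.10 -> 198.51.100.3 type=3 code=3
2007-03-10 09:05:01 OUT ICMP 203.0.113.10 -> 198.51.100.1 type=3 code=3
2007-03-10 09:05:01 OUT ICMP 203.0.113.10 -> 198.51.100.1 type=3 code=3
2007-03-10 09:05:02 OUT ICMP 203.0.113.10 -> 198.51.100.1 type=3 code=3
2007-03-10 09:05:02 OUT ICMP 203.0.113.10 -> 198.51.100.2 type=3 code=3
2007-03-10 09:05:03 OUT ICMP 203.0.113.10 -> 198.51.100.2 type=3 code=3
2007-03-10 09:05:03 OUT ICMP 203.0.113.10 -> 198.51.100.2 type=3 code=3
2007-03-10 09:12:40 OUT ICMP 203.0.113.10 -> 198.51.100.1 type=3 code=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +(?P<dir>IN|OUT) +(?P<proto>\w+) +"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? +-> +(?P<dst>[\d.]+)(?::(?P<dport>\d+))? *(?P<detail>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    t = re.search(r"type=(\d+)", rec["detail"])
    rec["icmp_type"] = int(t.group(1)) if t else None
    return rec


def parse_log(text):
    """Parse a whole log, dropping unparseable lines. Assumes chronological order."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def unsolicited_unreachables(records, window_seconds=30):
    """Outbound ICMP type 3 records with no inbound packet from the ICMP
    destination seen within window_seconds beforehand, i.e. unreachables that
    answer nothing the firewall saw arrive."""
    window = timedelta(seconds=window_seconds)
    inbound_by_peer = defaultdict(list)  # peer IP -> timestamps of packets it sent us
    flagged = []
    for r in records:
        if r["dir"] == "IN":
            inbound_by_peer[r["src"]].append(r["ts"])
        elif r["proto"] == "ICMP" and r["icmp_type"] == 3:
            recent = [t for t in inbound_by_peer[r["dst"]] if r["ts"] - window <= t <= r["ts"]]
            if not recent:
                flagged.append(r)
    return flagged


def group_bursts(records, gap_seconds=5):
    """Collapse consecutive records to the same destination, at most gap_seconds
    apart, into (destination, count) runs: the '3 to one IP, then 3 or 6 to
    another' pattern from the thread."""
    gap = timedelta(seconds=gap_seconds)
    runs = []  # [dst, count, last_ts]
    for r in records:
        if runs and runs[-1][0] == r["dst"] and r["ts"] - runs[-1][2] <= gap:
            runs[-1][1] += 1
            runs[-1][2] = r["ts"]
        else:
            runs.append([r["dst"], 1, r["ts"]])
    return [(dst, n) for dst, n, _ in runs]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    flagged = unsolicited_unreachables(recs)
    print(f"{len(flagged)} unsolicited ICMP type 3 of {sum(r['icmp_type'] == 3 for r in recs)} total")
    for dst, n in group_bursts(flagged):
        print(f"  run of {n} to {dst}")
```

On the sample, the unreachable to 198.51.100.3 is explained by the DNS reply that arrived one second earlier and is not flagged, while the seven unreachables to .1 and .2 have nothing inbound within the window and come out as runs of 3, 3 and 1. On a real firewall the window should match how long the box logs around each event, and the log should include inbound traffic that was permitted as well as dropped, or the correlation will report every unreachable as unsolicited.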
#4
Still not sure what was producing these, but disabling recursion in primary DNS and changing some 'log only' rules for temporary monitoring in the FW has stopped them.

nf
#5
Oops, never mind, they're baaack. Should've checked logs immediately before posting.