[plug] Strangeness at the firewall

Matt Kemner zombie at penguincare.com.au
Thu Jan 29 23:28:04 WST 2004


On Thu, 29 Jan 2004, quoth bob:

> Can anyone tell me why I'm logging heaps of the following at the moment?
> (and what the second SRC DST IPs imply) (oh and 192.168.132.70 is not
> something on my lan so it's a Martian). Is this a routing glitch?
>
> Jan 29 21:33:01 fluff kernel: ICMP Dropped IN=ppp0 OUT= MAC=
> SRC=192.168.132.70 DST=203.59.131.96 LEN=56 TOS=0x0C PREC=0x00 TTL=248
> ID=4097 DF PROTO=ICMP TYPE=3 CODE=0 [SRC=203.59.131.96 DST=211.26.91.96
> LEN=134 TOS=0x00 PREC=0x00 TTL=58 ID=28991 FRAG:64 PROTO=TCP ]

This is a type 3 code 0 ICMP ("network unreachable") packet, which claims
to be in response to a TCP packet you (203.59.131.96) sent to 211.26.91.96
(096.pth0604.pth.iprimus.net.au) - and the origin of the ICMP packet is
192.168.132.70.

It's possible iprimus use 192.168.* addresses for their routers, and that
one of those routers is just letting you know that the host you were
talking to (dialup or PPPoE or whatever) has just dropped offline.


It is also possible that someone is forging these ICMP packets (which is
far too easy to do) in the attempt to break your connection to that IP,
although in this case that seems unlikely.

However, when I was working for a large ISP I regularly saw people use
false "unreachables" to try and forcibly disconnect others from IRC/game
servers etc.

 - Matt
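The structure Matt describes (an outer ICMP type 3 packet carrying, in the bracketed part of the log line, the header of the packet it claims to be about) can be checked mechanically. The following is an added example, not code from the original thread: it parses netfilter log lines in the format bob posted and flags two things a defender cares about, a private (RFC 1918) source arriving on the external interface (a Martian), and an embedded header whose SRC is not the local address, which means the "unreachable" cannot be a genuine reply to local traffic. The first sample line is bob's log line re-joined onto one line; the other two are constructed, and the local address 203.59.131.96 and the interface name ppp0 are taken from the post.

```python
"""Parse netfilter ICMP log lines and sanity-check ICMP "unreachable" errors.

Added example, not from the original post. It handles only the log format
shown in the thread: outer packet fields, then the embedded header of the
packet the ICMP error refers to, inside square brackets.
"""
import ipaddress
import re

ICMP_UNREACHABLE = 3
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed"}

# RFC 1918 ranges: the "Martian" check from the post, stated explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# KEY=VALUE tokens; flags without '=' (DF, SYN) and FRAG:64 are skipped.
FIELD_RE = re.compile(r"\b([A-Z]+)=([^\s\]]*)")

# Constructed sample lines. The first is the line quoted in the post,
# re-joined onto one line; the other two are constructed for illustration.
SAMPLE_LOGS = [
    "Jan 29 21:33:01 fluff kernel: ICMP Dropped IN=ppp0 OUT= MAC= "
    "SRC=192.168.132.70 DST=203.59.131.96 LEN=56 TOS=0x0C PREC=0x00 TTL=248 "
    "ID=4097 DF PROTO=ICMP TYPE=3 CODE=0 [SRC=203.59.131.96 DST=211.26.91.96 "
    "LEN=134 TOS=0x00 PREC=0x00 TTL=58 ID=28991 FRAG:64 PROTO=TCP ]",
    # constructed: public router, embedded SRC is our address -> plausible
    "Jan 29 21:40:12 fluff kernel: ICMP Dropped IN=ppp0 OUT= MAC= "
    "SRC=198.51.100.1 DST=203.59.131.96 LEN=56 TOS=0x00 PREC=0x00 TTL=250 "
    "ID=10 PROTO=ICMP TYPE=3 CODE=1 [SRC=203.59.131.96 DST=198.51.100.77 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=5 DF PROTO=TCP SPT=40000 DPT=6667 ]",
    # constructed: embedded SRC is not ours -> cannot be a reply to our traffic
    "Jan 29 21:41:00 fluff kernel: ICMP Dropped IN=ppp0 OUT= MAC= "
    "SRC=198.51.100.2 DST=203.59.131.96 LEN=56 TOS=0x00 PREC=0x00 TTL=250 "
    "ID=11 PROTO=ICMP TYPE=3 CODE=0 [SRC=203.0.113.9 DST=198.51.100.77 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=6 PROTO=TCP ]",
]


def parse_fields(text):
    """Turn 'SRC=1.2.3.4 DST=... LEN=56' into a dict of string values."""
    return dict(FIELD_RE.findall(text))


def parse_icmp_log(line):
    """Split a netfilter ICMP log line into (outer_fields, embedded_fields)."""
    outer_text, _, inner_text = line.partition("[")
    return parse_fields(outer_text), parse_fields(inner_text) if inner_text else {}


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def assess(line, my_addr, external_ifaces=("ppp0",)):
    """Classify one log line; 'findings' is empty when nothing looks wrong."""
    outer, inner = parse_icmp_log(line)
    findings = []
    if outer.get("IN") in external_ifaces and is_rfc1918(outer["SRC"]):
        findings.append("martian-source")       # private address from outside
    icmp_type = int(outer.get("TYPE", -1))
    icmp_code = int(outer.get("CODE", -1))
    if outer.get("PROTO") == "ICMP" and icmp_type == ICMP_UNREACHABLE:
        if not inner:
            findings.append("no-embedded-header")
        elif inner.get("SRC") != my_addr:
            findings.append("embedded-src-mismatch")  # not about our packet
    return {
        "outer_src": outer.get("SRC"), "outer_dst": outer.get("DST"),
        "icmp_type": icmp_type, "icmp_code": icmp_code,
        "code_name": UNREACH_CODES.get(icmp_code, "unknown"),
        "inner_src": inner.get("SRC"), "inner_dst": inner.get("DST"),
        "inner_proto": inner.get("PROTO"), "findings": findings,
    }


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        r = assess(log, "203.59.131.96")
        print(f"{r['outer_src']} says {r['code_name']} for "
              f"{r['inner_src']} -> {r['inner_dst']} ({r['inner_proto']}): "
              f"{', '.join(r['findings']) or 'plausible'}")
```

Run against bob's line, the script reports a network-unreachable from 192.168.132.70 about the TCP packet 203.59.131.96 -> 211.26.91.96 and flags only the Martian source; the embedded header does match local traffic, which is consistent with Matt's reading that the message could be a real router notification rather than a forgery.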

