From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from executioner.lis.net.au ([203.35.83.3]) by speech.braille.uwo.ca with esmtp (Exim 3.35 #1 (Debian)) id 18D1Ue-0001pB-00 for ; Sat, 16 Nov 2002 06:52:08 -0500
Received: from uucp by executioner.lis.net.au with local-rmail (Exim 3.12 #1 (Debian)) id 18D1Ua-0007QB-00 for ; Sat, 16 Nov 2002 22:52:04 +1100
Received: from kerry by gotss1.gotss.net with local (Exim 3.12 #1 (Debian)) id 18D1QV-0002Gn-00 for ; Sat, 16 Nov 2002 19:47:51 +0800
Date: Sat, 16 Nov 2002 19:47:51 +0800
To: speakup@braille.uwo.ca
Subject: Re: Strange ICMPLogD problem
Message-ID: <20021116194751.A8703@joana.gotss.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from gshang@uq.net.au on Fri, Nov 15, 2002 at 03:20:17PM +1000
From: Kerry Hoath
Sender: speakup-admin@braille.uwo.ca
Errors-To: speakup-admin@braille.uwo.ca
X-BeenThere: speakup@braille.uwo.ca
X-Mailman-Version: 2.0.11
Precedence: bulk
Reply-To: speakup@braille.uwo.ca
List-Id: Speakup is a screen review system for Linux.

It appears that someone is pinging your box, or sending ICMP traffic to it.
icmplog is logging the event, and is failing to do a PTR lookup on the
address in question. You could fix this by dropping all ICMP traffic from
the offending hosts with firewall rules.

On Fri, Nov 15, 2002 at 03:20:17PM +1000, Geoff Shang wrote:
> Hi:
>
> I'm investigating what seems to be excessive usage on my internet account.
> This might not be related, but I'm getting errors like the following in
> syslog:
>
> Nov 15 15:06:27 data icmplogd: destination unreachable from [203.241.21.161]
>
> This is coming up a lot, once every couple of minutes. My investigating
> doesn't resolve the address, but I've determined that it belongs to
> poscon.co.kr, whoever they are.
>
> I've also seen this in syslog:
>
> Nov 15 15:04:25 data named[302]: ns_forw: query(161.21.241.203.in-addr.arpa) NS points to CNAME (ns.poscon.co.kr:) learnt (CNAME=61.9.208.14:NS=211.47.45.22)
>
> So it would seem that something or someone is trying to contact this IP
> address in Korea. But, and here's where I'm stumped, I don't know what is
> doing this or how to find out. I've tried doing a TCP dump on the ethernet
> port that connects to the net. In the below output, 144.136.152.169 is my
> box. This output was produced by running tcpdump -nli eth1 |grep 203.241.21.161
>
> 15:12:22.006107 144.136.152.169.1025 > 203.241.21.161.53: 3055 (45)
> 15:12:22.212485 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
> 15:12:30.004769 144.136.152.169.1025 > 203.241.21.161.53: 45347 (45)
> 15:12:30.210541 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
> 15:12:40.002941 144.136.152.169.1025 > 203.241.21.161.53: 27563 (45)
> 15:12:40.209887 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
> 15:12:46.002378 144.136.152.169.1025 > 203.241.21.161.53: 49109 (45)
> 15:12:46.224578 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
> 15:13:06.008228 144.136.152.169.1025 > 203.241.21.161.53: 49109 (45)
> 15:13:06.233248 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
> 15:13:16.006478 144.136.152.169.1025 > 203.241.21.161.53: 27563 (45)
> 15:13:16.212437 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
>
> So am I right in guessing that someone is sending ICMP packets from
> somewhere pretending to be the IP in question, but I can't return them? Is
> this something I should be worried about?
>
> Geoff.
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

-- 
Kerry Hoath: kerry@gotss.net kerry@gotss.eu.org or kerry@gotss.spice.net.au
ICQ: 8226547 msn: kerry@gotss.net Yahoo: kerryhoath@yahoo.com.au
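An added example, not from either poster: a small script that reads tcpdump lines of the shape quoted above and pairs each ICMP "udp port 53 unreachable" with the outbound UDP/53 query that triggered it. It answers Geoff's spoofing question from the capture itself: an unreachable that follows our own query is an ordinary reply (here, named forwarding to a nameserver that is not answering), while one with no matching query is the case to look into. The sample input is constructed from the thread's first two exchanges plus one made-up unsolicited line from a documentation-range address.

```python
import re
from datetime import datetime, timedelta

# Line shapes from the thread's `tcpdump -nli eth1` output (old tcpdump syntax).
QUERY_RE = re.compile(r"^(\S+) ([\d.]+)\.(\d+) > ([\d.]+)\.53: (\d+) \(\d+\)$")
UNREACH_RE = re.compile(r"^(\S+) ([\d.]+) > ([\d.]+): icmp: ([\d.]+) udp port 53 unreachable$")

def parse(lines):
    """Yield ('query', ts, src, dst, qid) or ('unreach', ts, src, dst, orig_dst)."""
    for line in lines:
        line = line.strip()
        if m := QUERY_RE.match(line):
            ts, src, _sport, dst, qid = m.groups()
            yield ("query", datetime.strptime(ts, "%H:%M:%S.%f"), src, dst, int(qid))
        elif m := UNREACH_RE.match(line):
            ts, src, dst, orig = m.groups()
            yield ("unreach", datetime.strptime(ts, "%H:%M:%S.%f"), src, dst, orig)

def correlate(lines, window=timedelta(seconds=2)):
    """Pair each ICMP port-unreachable with the latest unanswered UDP/53 query we
    sent to that host within `window`.  Solicited unreachables are ordinary replies
    to our own traffic (here: named forwarding to a dead nameserver); an unsolicited
    one has no matching query and is the case worth a closer look."""
    pending = {}                      # dst ip -> (time, qid) of last unanswered query
    solicited, unsolicited = [], []
    for kind, t, src, dst, extra in parse(lines):
        if kind == "query":
            pending[dst] = (t, extra)
            continue
        q = pending.pop(src, None)
        if q and extra == src and t - q[0] <= window:
            solicited.append({"qid": q[1], "rtt_ms": (t - q[0]).total_seconds() * 1000})
        else:
            unsolicited.append(src)
    return solicited, unsolicited

# Constructed sample: the first two exchanges quoted in the thread plus one
# made-up unsolicited unreachable from a documentation-range address.
SAMPLE = """\
15:12:22.006107 144.136.152.169.1025 > 203.241.21.161.53: 3055 (45)
15:12:22.212485 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:12:30.004769 144.136.152.169.1025 > 203.241.21.161.53: 45347 (45)
15:12:30.210541 203.241.21.161 > 144.136.152.169: icmp: 203.241.21.161 udp port 53 unreachable
15:12:35.000000 203.0.113.9 > 144.136.152.169: icmp: 203.0.113.9 udp port 53 unreachable
""".splitlines()

if __name__ == "__main__":
    ok, bad = correlate(SAMPLE)
    print(f"solicited: {ok}\nunsolicited: {bad}")
```

On the thread's full capture every unreachable is solicited, so the fix is on the sending side (named's forwarder or NS data for that zone), not on the ICMP.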