[clug] Dropped icmp packets - means what?
Marek Samoc
mjs111 at rsphy1.anu.edu.au
Tue Aug 26 09:52:34 EST 2003
On Mon, 25 Aug 2003, Sam Couter wrote:
SC> Felix Karpfen <felixk at webone.com.au> wrote:
SC> > e) these latest pings use the icmp protocol, all are sent from port 8
SC> > and all are directed at port 0.
SC> >
SC> > And I understand _none_ of the information contained in e).
SC>
SC> ICMP is a control protocol. It's used by computers to signal funny stuff
SC> like "nobody listening on that port!", amongst other things. ICMP type 8
SC> (not port 8) is ECHO_REQUEST. It means "Please send me an ECHO_REPLY
SC> packet", which is just another ICMP packet type.
SC>
SC> The port 0 bit is really an ICMP code. That field is sometimes used as a
SC> subtype field for ICMP messages. ICMP ECHO doesn't have any use for it.
SC>
SC> > Once a week (on Saturdays), for my edification and entertainment, I run
SC> > a reverse DNS lookup on all the uninvited visitors whose pings have got
SC> > dropped. While the full output of the last lookup would lead to an even
SC> > longer attachment, I am forwarding a fraction of the messages sent to
SC> > the console during the latest reverse DNS - just to give flavour to my
SC> > puzzlement.
SC>
SC> Ignore them. This is the action of a worm that only affects Win32
SC> systems (I think it's called Nachi). If your system isn't Win32, or if
SC> it's patched, you don't need to worry. The ICMP packets will come from
SC> infected Win32 systems all over the 'net.
SC>
This snippet from another list might be of help here:
--------- from oz-isp ------
> <quoting Jamie Lenehan>
> I looked at this some more and all the pings from the virus have the
> TOS set to Minimize-Delay (0x10) while those from normal pings and
> traceroutes don't. So it's actually possible to just block those from
> the virus.
>
> So I have this in my firewall now:
>
> # Drop ICMP packets with TOS set to Minimize-Delay
> iptables -A $CHAIN_IN -p icmp --icmp-type echo-request -m tos --tos
> 0x10 -j log_info
>
> which happily drops the virus icmps:
> </end quote>
----- end quote from oz-isp -----
Marek
More information about the linux
mailing list