more dsl log questions

ME dugan at libwais.sonoma.edu
Sun Jan 30 21:00:04 PST 2000


On Mon, 31 Jan 2000, E Frank Ball wrote:
> Subject: more dsl log questions
> I get this in my log file once an hour:
> Jan 30 19:01:10 zouave icmplogd: destination unreachable from localhost
> 
> I know what tcp and udp are, but what's icmp?  And does anybody have a
> clue what this is about.  /etc/cron.hourly is empty.

ICMP is Internet Control Messaging Protocol

For more detail, see RFC 792 for the original description,
or a simple review at:
http://libweb.sonoma.edu/mike/networking/icmppacket.html

Mostly used for things like ping, and messages between hosts about
sessions and services outside what TCP and UDP normally carry.

"Host unreachable" is a message often delivered from ICMP to let your
machine know that a host is unreachable so it does not keep trying (in
simple terms). You can see this as one of the messages on the above web
page.

> I've gotten a handful of connection attempts in my DSL logs on port 80
> (http), and some port 113 (ident) attempts from the Cambridge
> computer science lab this weekend, but otherwise the logs have been
> quiet.  The log file isn't as wild and woolly as some people portray the
> internet to be.

People are curious. They may try to see if you have a web server. (I have
been known to do this for people that I know who have xDSL to see if they
are serving anything, but I have not tried to connect to your server.)

One thing that would most likely pique your interest is if you note you are
being port scanned with a sequential port scanner. By itself, it is not a
threat in most cases, but sometimes suggests someone is looking for all
services available on your machine to compare to canned exploits to
perform against your machine. tcplogd, icmplogd, and other programs like
modified courtney help to see when you are being scanned for satan (older)
or simple port scans.

(There have been discussions for "31337" port scans using special flag
combinations which are/were not logged by earlier versions of
tcplogd/icmplogd to allow for what have been called "stealth port
scanning" on BUGTRAQ.)

> Also does anyone know of any vulnerabilities of port 37 (time tcp) or
> port 515 (printer).

I do not know of any for these, but I am not current on exploits. There
have been some DoS attacks against earlier LPD services, but more people
have moved over to one of the two newer printer daemons that do not have
publicized attacks. 

Check out places like
http://www.rootshell.com/ or the BUGTRAQ archives for exploits.

Also, if you want an obviously incomplete list of security related sites
from which to gather other sites:

http://libweb.sonoma.edu/mike/secure.html

identd comes up with a number of services when a remote host wants to get
verification that there is a user with the specified 'username'; most often
used is the ircII client-server implementations.

IMHO identd is lame. Windows and Mac users are offered special services at
the application level with many ircII clients to automatically agree to
whatever username is specified by the client.

-ME
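The reply above says that tcplogd-style logging is what lets you notice a sequential port scan. As an added example (not from the original thread, and not real tcplogd output: the "port N connection attempt from HOST" wording and the sample addresses are constructed assumptions), this script parses such lines and flags a source that walks up through several ports in a short window, while a lone port 80 or port 113 probe is left alone:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a syslog-like shape. The "port N connection
# attempt from HOST" wording is an assumption, not real tcplogd output.
SAMPLE_LOG = """\
Jan 30 19:01:10 zouave icmplogd: destination unreachable from localhost
Jan 30 19:02:02 zouave tcplogd: port 21 connection attempt from 198.51.100.7
Jan 30 19:02:02 zouave tcplogd: port 22 connection attempt from 198.51.100.7
Jan 30 19:02:03 zouave tcplogd: port 23 connection attempt from 198.51.100.7
Jan 30 19:02:03 zouave tcplogd: port 25 connection attempt from 198.51.100.7
Jan 30 19:02:04 zouave tcplogd: port 37 connection attempt from 198.51.100.7
Jan 30 19:05:00 zouave tcplogd: port 80 connection attempt from 192.0.2.10
Jan 30 19:07:30 zouave tcplogd: port 113 connection attempt from 203.0.113.5
Jan 30 19:09:00 zouave tcplogd: port 80 connection attempt from 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ tcplogd: "
    r"port (?P<port>\d+) connection attempt from (?P<src>\S+)$"
)

def parse_tcplogd(text):
    """Return (timestamp, port, source) tuples for tcplogd-style lines;
    icmplogd and other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, int(m.group("port")), m.group("src")))
    return events

def find_sequential_scans(events, window_seconds=60, min_ports=4):
    """Map source -> ports hit, for sources that touched at least min_ports
    ports in strictly increasing order within window_seconds."""
    by_src = defaultdict(list)
    for ts, port, src in sorted(events):
        by_src[src].append((ts, port))
    scans = {}
    for src, hits in by_src.items():
        ports = [p for _, p in hits]
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        increasing = all(a < b for a, b in zip(ports, ports[1:]))
        if len(ports) >= min_ports and increasing and span <= window_seconds:
            scans[src] = ports
    return scans

if __name__ == "__main__":
    print(find_sequential_scans(parse_tcplogd(SAMPLE_LOG)))
```

A source that hits only one or two ports, or ports in no particular order, is not reported; only the walk through 21, 22, 23, 25, 37 from one address is.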