what is this probe??

Mitchell Patenaude mrp at sonic.net
Thu Jul 6 23:51:11 PDT 2000

On Thu, Jul 06, 2000 at 10:02:10PM +0000, E Frank Ball III wrote:
>> I got this probe today.  It is an ICMP connection to port 13?
>> Anybody know what they were trying to do?   I've only seen ICMP
>> connections to port 0 before. 
>> Security Violations
>> =-=-=-=-=-=-=-=-=-=
>> Jul  6 13:43:15 zouave kernel: Packet log: input DENY eth0 PROTO=1 
>> 209.204.172.XXX:13 L=56 S=0x00 I=54743 F=0x0000 T=48 (#3) 
>> Also the source address is a private network address, the firewall rule
>> that caught it was one I put in for IP address spoofing.

On Thu, Jul 06, 2000 at 03:46:28PM -0700, Steve replied
> Port 13 is the time port.   Don't know of any exploits on that port.

But it is often used to profile a system prior to some other attack, since
formatting clues can reveal things like OS and Revision, etc.

However, I don't remember any space in the ICMP protocol for a port to
be specified.  Now I don't have the RFC handy, and I'm not about to go
look it up just for this, but I can't think of a reason why you'd want
one.  I know that some of the DDOS tools use funky ICMP packets as a 
control conduit,  so it might be a probe for one of those.

Any other connection attempts from that IP?  If it was a probe, it probably
wasn't the only one.

   -- Mitch.
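
Added example, not part of the original message: a small triage script for "Packet log:" lines like the one quoted above, which groups denied packets by source address to answer the "any other attempts from that IP?" question. It assumes the ipchains convention of logging the ICMP type and code in the two port positions when PROTO=1 (so ":13" would be ICMP type 13, timestamp request); the sample lines and their addresses are constructed.

```python
import re
from collections import defaultdict

PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
# Subset of the IANA ICMP type numbers, enough for triage.
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request",
              13: "timestamp-request", 14: "timestamp-reply",
              17: "address-mask-request", 18: "address-mask-reply"}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) ")

def parse_packet_log(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None  # truncated or redacted lines are skipped, not guessed at
    proto = int(m["proto"])
    event = {"action": m["action"], "iface": m["iface"], "src": m["src"],
             "dst": m["dst"], "proto": PROTOCOLS.get(proto, str(proto))}
    first, second = int(m["sport"]), int(m["dport"])
    if proto == 1:
        # Assumption: for ICMP the two "port" slots carry type and code.
        name = ICMP_TYPES.get(first, f"type-{first}")
        event["what"] = f"icmp {name} code {second}"
    else:
        event["what"] = f"{event['proto']} {first}->{second}"
    return event

def events_by_source(lines):
    """Group everything the firewall logged by source address."""
    grouped = defaultdict(list)
    for line in lines:
        event = parse_packet_log(line)
        if event is not None:
            grouped[event["src"]].append(event["what"])
    return dict(grouped)

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    "Jul  6 13:43:15 fw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.10:13 198.51.100.5:0 L=56 S=0x00 I=54743 F=0x0000 T=48 (#3)",
    "Jul  6 13:43:17 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4021 198.51.100.5:23 L=60 S=0x00 I=54790 F=0x4000 T=48 SYN (#5)",
    "Jul  6 13:50:02 fw kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.7:8 198.51.100.5:0 L=84 S=0x00 I=1201 F=0x0000 T=52 (#3)",
    "Jul  6 13:51:00 fw kernel: Packet log: input DENY eth0 PROTO=1 truncated",
]

if __name__ == "__main__":
    for src, seen in events_by_source(SAMPLE).items():
        print(src, seen)
```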

