more dsl log questions

Mitchell Patenaude mrp at sonic.net
Sun Jan 30 21:04:12 PST 2000


ICMP = Internet Control Message Protocol.  This is the 3rd common
protocol implemented on top of IP, and as the acronym implies, it's 
primarily used for control functions.

The most common use of ICMP is to send an ICMP echo packet to a host,
which should send an ICMP echo-reply packet back.  This is how 'ping'
works. There are other ICMP packets that say things like "send in
smaller chunks" (i.e. reduce MTU), there are those that notify you
that a packet that was sent died because its time-to-live ran out
(this is how traceroute works...), etc... 

Lately, there's been a script-kiddie tool called the Tribe Flood
Network (also known as Trinoo, or something like that), which 
uses special ICMP packets as a control mechanism.  Also ICMP is 
commonly used to probe target hosts to determine OS type and version
information (since different OS's respond differently to certain 
malformed packets), and since some otherwise restrictive firewalls
allow ICMP through.  I suspect you're either being probed, or
the TFN command module is sending you commands with bogus return
IP addresses.

   -- Mitch


On Mon, Jan 31, 2000 at 04:28:23AM +0000, E Frank Ball wrote:
> 
> I get this in my log file once an hour:
> 
> Jan 30 19:01:10 zouave icmplogd: destination unreachable from localhost
> 
> I know what tcp and udp are, but what's icmp?  And does anybody have a
> clue what this is about?  /etc/cron.hourly is empty.
> 
> I've gotten a handful of connection attempts in my DSL logs on port 80
> (http), and some port 113 (ident) attempts from the Cambridge
> computer science lab this weekend, but otherwise the logs have been
> quiet.  The log file isn't as wild and woolly as some people portray the
> internet to be.
> 
> Also does anyone know of any vulnerabilities of port 37 (time tcp) or
> port 515 (printer)?
> 
>    E Frank Ball   frankb at efball.com
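An added example (mine, not from either poster) that ties the ICMP message types Mitch lists to the icmplogd line Frank quoted: it names an ICMP header's type and code (echo, echo reply, destination unreachable, time exceeded, "fragmentation needed" i.e. reduce MTU), checks the RFC 1071 checksum so a malformed probe packet is flagged rather than trusted, and splits the syslog line into fields so a defender can see whether the "from" address is a remote host or localhost. The code/type tables and the log-line pattern are my own assumptions, and the sample packets are constructed inline.

```python
import re
import struct

# ICMP (RFC 792) types and codes named in the thread; these tables are my own, not from the posts.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
              11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 4: "fragmentation needed (reduce MTU)"}
TIME_EXCEEDED_CODES = {0: "TTL expired in transit", 1: "fragment reassembly timed out"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; over a whole valid ICMP packet it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Construct an ICMP message; used here only to make sample input for the parser."""
    hdr = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr)) + hdr[4:]

def classify_icmp(packet: bytes) -> dict:
    """Parse the 8-byte ICMP header, name the type/code and verify the checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; got %d" % len(packet))
    icmp_type, code = packet[0], packet[1]
    codes = {3: UNREACH_CODES, 11: TIME_EXCEEDED_CODES}.get(icmp_type, {})
    return {
        "type": icmp_type, "code": code,
        "name": ICMP_TYPES.get(icmp_type, "type %d" % icmp_type),
        "detail": codes.get(code, "code %d" % code),
        "checksum_ok": inet_checksum(packet) == 0,  # False for a corrupted/malformed header
    }

# icmplogd line layout as it appears in the quoted log (the pattern is an assumption)
LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) icmplogd: (.+?) from (\S+)$")

def parse_icmplogd(line: str) -> dict:
    """Split an icmplogd syslog line into timestamp, host, ICMP message and source."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("not an icmplogd line: %r" % line)
    ts, host, message, source = m.groups()
    return {"ts": ts, "host": host, "message": message, "source": source,
            "local_origin": source in ("localhost", "127.0.0.1")}
```

A `local_origin` of True, as in Frank's hourly line, points at something on the box itself rather than an outside sender, which is the first thing to check before assuming a probe.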
