On Thu, 1 Nov 2001 mstevenson_at_quickhire.com wrote:
> < ksum from 63.94.31.225!
> < IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
> < IP_MASQ:reverse ICMP: failed checksum from 141.198.38.114!
> < IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
> < IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
> < IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
> < IP_MASQ:reverse ICMP: failed checksum from 65.205.2.1!
>
> the IP's however, are not consistent. Usually different IP's every day.
> I've tried to look this up, but am having a hard time finding information on
> what this means. Kinda looks like someone from the outside world is
> spoofing IP's, sending ICMP traffic to the server, but when the server tries
> to verify with a reverse lookup it flags and says "I don't like ICMP traffic
> from this address because it looks suspicious!" Any ideas anyone?
Every IP packet has a checksum attached to it, to help detemine if the
packet has arrived intact. If the packet has been corrupted in some way,
the cheksum will not match the rest of the packet. The normal reason for
these to occur is a flakey network connection. Packets with a bad
checksum will normally be dropped by any router, to this implies that it's
the connection between your machine and its default gateway that is having
trouble.
It's theoretically possible that an attacker on the same layer 2 segment
as you is purposely crafting invalid packet to some end, but of coure the
bad network theory seems much more probable.
Ryan
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Nov 01 2001
Intro
