Snort mailing list archives

RE: ICMP Destination Unreachable (Communication Administratively Prohibited)
From: "Ofir Arkin" <ofir () sys-security com>
Date: Sat, 25 Aug 2001 13:29:22 +0200

Ok,

[**] [1:485:1] ICMP Destination Unreachable (Communication Administratively
Prohibited) [**]
08/21-17:06:51.784780 157.130.91.86 -> 203.115.120.210
ICMP TTL:243 TOS:0x0 ID:51765 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
203.115.120.210:1025 -> 63.80.0.50:53
UDP TTL:45 TOS:0x0 ID:52288 IpLen:20 DgmLen:79
Len: 59
** END OF DUMP

You tried accessing port 53 UDP on the targeted system 63.80.0.50.
A filtering device, 157.130.91.86, blocked your attempts and also alerted you that it is alive and filtering :)


Ofir

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
Dushyanth Harinath
Sent: Sat 25 August 2001 12:04
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] ICMP Destination Unreachable (Communication Administratively Prohibited)

Hi,
Thanks for the reply. I am in the process of going through your site and the "ICMP
usage in scanning" whitepaper. Keep up the good work :D.

Here is the complete trace from the alerts log file.

[**] [1:485:1] ICMP Destination Unreachable (Communication Administratively
Prohibited) [**]
08/21-17:06:51.784780 157.130.91.86 -> 203.115.120.210
ICMP TTL:243 TOS:0x0 ID:51765 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
203.115.120.210:1025 -> 63.80.0.50:53
UDP TTL:45 TOS:0x0 ID:52288 IpLen:20 DgmLen:79
Len: 59
** END OF DUMP

Thanks again,
Best regards
dushyanth


Dushyanth,

The error message indicates that the destination system is configured
to reject datagrams from the sending system. This error is used when
datagrams based on some sort of criteria are being filtered by a
filtering device (firewall/router/other filtering devices) restrictions
or other security measures.

We can conclude that our Destination Host might be up and running, but
we cannot reach it, since the filtering device is blocking our packets,
and is instructing us to stop sending datagrams.

With the next example a router is configured to block all requests,
coming from the Internet, targeting port 53 on the destination machine
it applies its ACL on:

05/09/01-12:29:41.399543 RoutersIP -> SourceIP 
ICMP TTL:244 TOS:0x0 ID:24442 IpLen:20 DgmLen:56 
Type:3 Code:13 DESTINATION UNREACHABLE: PACKET FILTERED 
** ORIGINAL DATAGRAM DUMP: 
SourceIP:4667 -> DestinationIP:53 
TCP TTL:53 TOS:0x0 ID:40019 IpLen:20 DgmLen:60 
**U****F Seq: 0x97EABAF6 Ack: 0x1C1D1E1F Win: 0x2223 TcpLen: 8 
UrgPtr: 0x2627 
** END OF DUMP 
00 00 00 00 45 00 00 3C 9C 53 40 00 35 06 29 B0 ....E..<.S@.5.).
xx xx xx xx yy yy yy yy 12 3B 00 35 97 EA BA F6 .....Z...;.5....


For more information please see "ICMP Usage In Scanning" Chapter 2 page
20, 52-53. Available from
http://www.sys-security.com/html/projects/icmp.html. 


Regarding your example, these systems report that communication from
your system was not able to reach its destination because a filtering
device blocked your packets.

If you had put the complete trace we would be able to tell what
communication exactly caused this error message to be triggered.


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Dushyanth
Harinath
Sent: Sat 25 August 2001 9:19
To: snort-users () lists sourceforge net
Subject: [Snort-users] ICMP Destination Unreachable (Communication
Administratively Prohibited)

Hi guys,
I am new to Snort and have a little bit of networking knowledge.

I have installed snort on my server with snortdb support and I have also
installed snortreport. Snort is working fine. I have these snort alerts from
more than 10 source IPs targeting a machine on my network. The exact
message is:

ICMP Destination Unreachable (Communication Administratively
Prohibited)

CID:1 [**] ICMP Destination Unreachable (Communication Administratively
Prohibited) [**]
2001-08-21 17:06:51 157.130.91.86 -> 203.115.120.210
ICMP TTL:243 TOS:0x0 ID:51765 IPLen: DgmLen:56 HLen:5 CSumIP:0xC070
Type:3 Code:13 ID: Seq:

This is just one such alert. I have got 12 alerts from different IPs in the
last 12 hrs and above 48 in the last 30 days.

I know I can disable this alert by commenting out the line in icmp.rules. But
I am not sure what this means.

I will be glad to RTFM or will someone please enlighten me about this.

Best regards
dushyanth


-- 
My computer, my documents, my briefcase, my A??!

Dushyanth Harinath
Programmer/Sys Admin
Archean Infotech Limited
Ph No:091-040-3228666,6570704,3228674
http://www.archeanit.com



-----------------------------------------
This email was sent using SquirrelMail.
   "Webmail for nuts!"
http://squirrelmail.org/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


