Security Incidents mailing list archives
Strange kernel happenings
From: mstevenson () quickhire com
Date: Thu, 1 Nov 2001 12:12:20 -0500

I keep getting the same kernel messages from a few of my Linux servers EVERY DAY:

Kernel Messages:
1,7c1
< ksum from 63.94.31.225!
< IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
< IP_MASQ:reverse ICMP: failed checksum from 141.198.38.114!
< IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
< IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
< IP_MASQ:reverse ICMP: failed checksum from 63.94.31.225!
< IP_MASQ:reverse ICMP: failed checksum from 65.205.2.1!

The IPs, however, are not consistent. Usually different IPs every day. I've tried to look this up, but am having a hard time finding information on what this means. Kinda looks like someone from the outside world is spoofing IPs, sending ICMP traffic to the server, but when the server tries to verify with a reverse lookup it flags and says "I don't like ICMP traffic from this address because it looks suspicious!"

Any ideas anyone?

Miles Stevenson
QuickHire Network Support Specialist

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
