Re: port scanners/ICMP port unreachable

Brian Utterback (blu@mc.com)
Tue, 28 Mar 1995 15:43:01 -0500

> > 	I was figuring I could sniff the packets leaving my 
> > network and look for ICMP port unreachables since it would be
> > a dead giveaway that someone was trying to light up the TCP ports
> > of one of our computers.
> 
> Why not simply use a 'sane' implementation of ICMP class filtering,
> such as offered in cisco IOS 10.3, to simply block specific classes
> of ICMP traffic?

> Paul Ferguson                         
> US Sprint                                          tel: 703.689.6828
> Managed Network Engineering                  internet: paul@hawk.sprintmrn.com

Maybe I am missing something, but I think the suggestion here is to watch for
ICMP packets as an indication that port scanning was taking place, not to 
prevent it.  This is IDS after all, not FIREWALLS 8-).   Blocking ICMP packets
wouldn't do anything towards this aim.  Now, blocking the traffic while logging
the traffic might do the trick.

Brian Utterback    blu@mc.com    Manager Technical Networks
Mercury Computer Systems, Inc.   (508) 256-1300x168
199 Riverneck Road               (508) 256-3599 FAX
Chelmsford, MA 01824             You can't grep dead trees.
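The detection idea discussed in the thread, as an added example that is not part of the original post or of any product mentioned in it: scan a packet log for ICMP port-unreachable messages leaving the local network and flag remote hosts that provoked replies for many distinct ports on one of our machines. The log lines, the tcpdump-like line shape, the local prefix `10.0.0.` and the threshold of five ports are all constructed assumptions; the same counting works over a firewall's log of blocked-and-logged ICMP, which is the combination Brian suggests at the end.

```python
"""Count outbound ICMP port-unreachable messages per (local host, remote host)
pair and report pairs that covered many distinct ports. Added example, not code
from the original mailing-list post; log format and threshold are assumptions."""
import re
from collections import defaultdict

# Assumed tcpdump-style line shape (constructed for this example):
#   <src> > <dst>: icmp: <host> <proto> port <port> unreachable
LINE_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): icmp: "
    r"(?P<host>\d+\.\d+\.\d+\.\d+) (?P<proto>udp|tcp) port (?P<port>\d+) unreachable$"
)

# Assumed local network; only unreachables leaving it are of interest.
LOCAL_PREFIX = "10.0.0."


def parse_line(line):
    """Return a dict for a port-unreachable record, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "port": int(m.group("port")),
    }


def outbound_unreachables(lines):
    """Map (local host, remote host) -> set of (proto, port) that drew a port unreachable."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Keep only messages our hosts send to the outside world.
        if rec["src"].startswith(LOCAL_PREFIX) and not rec["dst"].startswith(LOCAL_PREFIX):
            ports[(rec["src"], rec["dst"])].add((rec["proto"], rec["port"]))
    return ports


def suspected_scans(lines, threshold=5):
    """Return sorted (local, remote, distinct port count) tuples at or above threshold."""
    return sorted(
        (local, remote, len(p))
        for (local, remote), p in outbound_unreachables(lines).items()
        if len(p) >= threshold
    )


# Constructed sample log: one remote host probes seven UDP ports on 10.0.0.5,
# another draws a single unreachable, one inbound line and one internal line
# must be ignored, and one malformed line must not crash the parser.
SAMPLE_LOG = [
    "10.0.0.5 > 192.0.2.77: icmp: 10.0.0.5 udp port 7 unreachable",
    "10.0.0.5 > 192.0.2.77: icmp: 10.0.0.5 udp port 9 unreachable",
    "10.0.0.5 > 192.0.2.77: icmp: 10.0.0.5 udp port 13 unreachable",
    "10.0.0.5 > 192.0.2.77: icmp: 10.0.0.5 udp port 19 unreachable",
    "10.0.0.5 > 192.0.2.77: icmp: 10.0.0.5 udp port 37 unreachable",
    "10.0.0.5 > 192.0.2.77: icmp: 10.0.0.5 udp port 53 unreachable",
    "10.0.0.5 > 192.0.2.77: icmp: 10.0.0.5 udp port 69 unreachable",
    "10.0.0.5 > 198.51.100.3: icmp: 10.0.0.5 udp port 161 unreachable",
    "198.51.100.3 > 10.0.0.5: icmp: 198.51.100.3 udp port 161 unreachable",
    "10.0.0.5 > 10.0.0.9: icmp: 10.0.0.5 udp port 514 unreachable",
    "garbage line that is not an icmp record",
]

if __name__ == "__main__":
    for local, remote, n in suspected_scans(SAMPLE_LOG):
        print(f"{remote} drew port unreachables for {n} ports on {local}")
```

The threshold is the tuning knob: a single unreachable is normal noise (a stale DNS or SNMP query), while one remote address drawing replies for many distinct ports on one host in a short window is the pattern the thread is after. Because a closed TCP port answers with a RST rather than an ICMP message, this signal mainly catches UDP probing; a TCP sweep needs a RST-based count built the same way.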