Re: port scanners/ICMP port unreachable

Andrew Cowell (cowell@cs.utk.edu)
Wed, 29 Mar 1995 12:12:33 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Andrew Cowell: "Re: On alarms and paging..."
Previous message: Bryan D. Boyle: "Re: On alarms and paging..."
In reply to: Oliver Friedrichs: "Re: port scanners/ICMP port unreachable"
Next in thread: John Studarus: "Re: port scanners/ICMP port unreachable"

From: Oliver Friedrichs <iceman@MBnet.MB.CA>
Subject: Re: port scanners/ICMP port unreachable
Date: Tue, 28 Mar 1995 21:08:51 -0600 (CST)

> On Tue, 28 Mar 1995, Dan Pollack wrote:
> 
> 	icmpinfo only catches incoming icmp messages - in this case we're 
> looking for outgoing port unreachable messages - to detect someone trying 
> to connect to an invalid port.

I noticed that, then just went to a SunOS 4.1.3 machine with /dev/nit
and ran

# etherfind -proto icmp

Works like a charm.  Then just:
# egrep unreach /var/tmp/icmp.scan
ICMP from zeus.cs.uh.edu to UTKCS2.CS.UTK.EDU dst unreachable bad port
ICMP from 192.40.201.3 to CS.UTK.EDU dst unreachable bad host

Pipe it through sort and it groups by originating hosts, etc...

--
Andrew E. B. Cowell <cowell@cs.utk.edu> | "And the mountainside opened, a
Sys Admin, Computer Science Department  |  moment to pray for all the souls
The University of Tennessee, Knoxville  |  he'd come to save...now he couldn't
WWW: http://www.cs.utk.edu/~cowell/     |  save himself" [Legendary Pink Dots]

Next message: Andrew Cowell: "Re: On alarms and paging..."
Previous message: Bryan D. Boyle: "Re: On alarms and paging..."
In reply to: Oliver Friedrichs: "Re: port scanners/ICMP port unreachable"
Next in thread: John Studarus: "Re: port scanners/ICMP port unreachable"