what is this probe??
Mitchell Patenaude
mrp at sonic.net
Thu Jul 6 23:51:11 PDT 2000
On Thu, Jul 06, 2000 at 10:02:10PM +0000, E Frank Ball III wrote:
>>
>> I got this probe today. It is an ICMP connection to port 13?
>> Anybody know what they were trying to do? I've only seen ICMP
>> connections to port 0 before.
>>
>> Security Violations
>> =-=-=-=-=-=-=-=-=-=
>> Jul 6 13:43:15 zouave kernel: Packet log: input DENY eth0 PROTO=1
>> 172.31.105.12:3 209.204.172.XXX:13 L=56 S=0x00 I=54743 F=0x0000 T=48 (#3)
>>
>> Also the source address is a private network address, the firewall rule
>> that caught it was one I put in for IP address spoofing.
On Thu, Jul 06, 2000 at 03:46:28PM -0700, Steve replied
>
> Port 13 is the time port. Don't know of any exploits on that port.
But it is often used to profile a system prior to some other attack, since
formatting clues can reveal things like OS and Revision, etc.
However, I don't remember any space in the ICMP protocol for a port to
be specified. Now I don't have the RFC handy, and I'm not about to go
look it up just for this, but I can't think of a reason why you'd want
one. I know that some of the DDOS tools use funky ICMP packets as a
control conduit, so it might be a probe for one of those.
Any other connection attempts from that IP? If it was a probe, it probably
wasn't the only one.
-- Mitch.
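
Added example, not part of the original thread: in ipchains packet logs the number after each address is a port only for TCP and UDP; for PROTO=1 (ICMP) the same two fields carry the ICMP type and code. The Python sketch below decodes the log line quoted above on that basis and flags a private-range source address; the function name `decode` and the small lookup tables are illustrative choices.

```python
import ipaddress
import re

# ipchains "Packet log:" layout: chain, verdict, interface, protocol number,
# then src:field and dst:field. For PROTO=1 (ICMP) those two fields are the
# ICMP type and code, not ports.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[^\s:]+):(?P<sf>\d+) (?P<dst>[^\s:]+):(?P<df>\d+)"
)

# Small subset of the IANA ICMP registry, enough for this illustration.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
              11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 3: "port unreachable", 13: "communication administratively prohibited"}


def decode(line):
    """Return a dict describing one ipchains log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    out = {k: m[k] for k in ("chain", "verdict", "iface", "src", "dst")}
    out["proto"] = int(m["proto"])
    sf, df = int(m["sf"]), int(m["df"])
    if out["proto"] == 1:
        out["icmp_type"], out["icmp_code"] = sf, df
        name = ICMP_TYPES.get(sf, "type %d" % sf)
        if sf == 3:
            name += " / " + UNREACH_CODES.get(df, "code %d" % df)
        out["meaning"] = name
    else:
        out["sport"], out["dport"] = sf, df
    try:
        out["src_private"] = ipaddress.ip_address(out["src"]).is_private
    except ValueError:  # redacted or malformed address
        out["src_private"] = None
    return out


# The log line quoted in the thread (joined onto one line, redaction kept as posted).
SAMPLE = ("Jul 6 13:43:15 zouave kernel: Packet log: input DENY eth0 PROTO=1 "
          "172.31.105.12:3 209.204.172.XXX:13 L=56 S=0x00 I=54743 F=0x0000 T=48 (#3)")

if __name__ == "__main__":
    print(decode(SAMPLE))
```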