
Snort Forums Archive


ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited


Posted by FUM on March 29, 2008 16:59:07

I keep getting these messages in my IDS logs:

Date: 03/23 08:33:30
Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
Priority: 3
Type: Misc activity
IP Info: 192.168.1.64:1082 -> 64.69.36.85:27016
Refs:

Date: 03/23 08:33:30
Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
Priority: 3
Type: Misc activity
IP Info: 192.168.1.64:1082 -> 67.159.194.130:27015
Refs:

Date: 03/23 08:49:18
Name: MS-SQL probe response overflow attempt
Priority: 1
Type: Attempted User Privilege Gain
IP Info: 69.9.42.167:27015 -> 192.168.1.64:43620
Refs:

Date: 03/23 09:12:11
Name: (portscan) UDP Portsweep
Priority: n/a
Type: n/a
IP Info: 192.168.1.64:n/a -> 69.12.88.203:n/a
Refs:

I'm also seeing double decoding attacks.
Often UDP and TCP port sweeps accompany the communication administratively prohibited messages; when this happens, Counter Strike Source/Steam times out constantly, leaving the lights on my router blinking as though information were being sent and received. This renders the game nearly unplayable. Is this a result of the port sweeps, or is the communication deliberately being prevented?

In another post I have read that these types of attacks are "reserved for use by U.S. military agencies, and aren't supposed to be used by the general public". Can someone verify this?

In the past I have picked up port scans conducted by government agencies on my equipment; they never replied to my e-mails when I inquired about their intrusions, and now it seems they are continuing their activities while hiding their identities.
When I was in college I wrote a web site about Project Paperclip and mind control for a homework assignment; I guess that makes me a criminal or a terror suspect. My privacy seems to be of no consequence.
I pay for internet service; I would at least like to be able to play a game every now and then.


Below is the post I found about the ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited message, which I referenced above.

http://www.snort.org/archive-1-662.html

Posted by chris on May 27, 2005 15:59:17

Hi, the message you are seeing may arise for a number of reasons, but here is one explanation:

"Communication Administratively Prohibited: This error message means that the destination system is configured to reject datagrams from the sending system. This error is generally used when firewall restrictions or other security measures are filtering datagrams based on some sort of criteria. This message effectively says, 'The destination may be up and running, but it will not get the datagrams that you're sending. Stop sending them.'

Some firewalls are configured not to issue the Communication Administratively Prohibited messages, since such messages may be considered a security risk in their own right. Telling an attacker which hosts are being protected is not necessarily a good idea; sometimes saying nothing is the most secure option.

RFC 1122 also defines "Communication With Destination Network Administratively Prohibited" (code 9) and "Communication With Destination Host Administratively Prohibited" (code 10). However, these messages are reserved for use by U.S. military agencies, and aren't supposed to be used by the general public."

That's the networking specification for the message you are seeing. As to whether that is something you need to be concerned about, well, that depends on your network really, but I would say it's probably nothing much to worry about.
Cheers
Chris

Posted by LeonW on April 27, 2008 07:12:47

Well, I can't comment on the mind control stuff, but...

Take a look at RFC 792; you will find a list of ICMP types and codes.

This is what Snort is alerting to the presence of.
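Added example (not from any of the posts above and not Snort's own code): a small Python decoder for ICMP type 3 (Destination Unreachable) messages, tying together Chris's explanation of codes 9, 10 and 13 and LeonW's pointer to RFC 792. An ICMP message carries no ports of its own; the alert's "IP Info" line shows a UDP 5-tuple (192.168.1.64:1082 -> 64.69.36.85:27016) because RFC 792 requires a Destination Unreachable message to quote the original datagram's IP header plus its first 8 bytes, and that quoted header is where the game client's own outbound flow is recovered from. The code table is taken from RFC 792 (codes 0-5), RFC 1122 (6-12) and RFC 1812 (13-15). All function names are this example's own, and the packet it decodes is constructed test data, not a capture from the thread.

```python
import struct
import ipaddress

# ICMP type 3 (Destination Unreachable) code names.
# Codes 0-5 are defined in RFC 792, 6-12 in RFC 1122, 13-15 in RFC 1812.
DEST_UNREACH_CODES = {
    0: "Network Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    4: "Fragmentation Needed and DF Set",
    5: "Source Route Failed",
    6: "Destination Network Unknown",
    7: "Destination Host Unknown",
    8: "Source Host Isolated",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    11: "Destination Network Unreachable for Type of Service",
    12: "Destination Host Unreachable for Type of Service",
    13: "Communication Administratively Prohibited",
    14: "Host Precedence Violation",
    15: "Precedence Cutoff in Effect",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 when a checksummed buffer verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dest_unreachable(code: int, orig_src: str, orig_dst: str, sport: int, dport: int) -> bytes:
    """Constructed test data: a type 3 message quoting a UDP datagram's IP header + first 8 bytes."""
    udp_len = 28  # 8-byte UDP header plus a 20-byte payload in the (hypothetical) original datagram
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0,
                           ipaddress.IPv4Address(orig_src).packed,
                           ipaddress.IPv4Address(orig_dst).packed)
    inner_ip = inner_ip[:10] + struct.pack("!H", inet_checksum(inner_ip)) + inner_ip[12:]
    inner_udp = struct.pack("!HHHH", sport, dport, udp_len, 0)   # only the first 8 bytes are quoted
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + inner_ip + inner_udp
    return icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]


def decode_dest_unreachable(icmp: bytes) -> dict:
    """Parse an ICMP Destination Unreachable message and recover the quoted original flow."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short to carry the quoted IP header plus 8 bytes required by RFC 792")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError(f"not a Destination Unreachable message (type {icmp_type})")
    inner = icmp[8:]                      # quoted original IPv4 datagram
    ihl = (inner[0] & 0x0F) * 4
    if (inner[0] >> 4) != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted IP header malformed or truncated")
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport = dport = None
    if proto in (6, 17):                  # TCP/UDP: ports are the first 4 bytes of the transport header
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "code": code,
        "name": DEST_UNREACH_CODES.get(code, f"unassigned code {code}"),
        "proto": proto,
        "orig_src": src, "orig_sport": sport,
        "orig_dst": dst, "orig_dport": dport,
    }


def is_valid_dest_unreachable(icmp: bytes) -> bool:
    """True when the message parses and its checksum verifies."""
    try:
        decode_dest_unreachable(icmp)
        return True
    except ValueError:
        return False


def summarize(icmp: bytes) -> str:
    """Render the decoded message in the shape of the alert name plus the quoted flow."""
    d = decode_dest_unreachable(icmp)
    flow = f"{d['orig_src']}:{d['orig_sport']} -> {d['orig_dst']}:{d['orig_dport']}"
    return f"ICMP Destination Unreachable {d['name']} ({flow}, proto {d['proto']})"


if __name__ == "__main__":
    # Reproduce the first alert in the thread from a constructed code-10 message.
    pkt = build_dest_unreachable(10, "192.168.1.64", "64.69.36.85", 1082, 27016)
    print(summarize(pkt))
```

The source of the ICMP message itself (the router or firewall that refused the datagram) is in the outer IP header, which this decoder does not see; when chasing an alert like this one, capture the full frame so both the outer source and the quoted inner flow are available.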