On Tue, May 11, 2010 at 09:33:36AM -0500, Caldarale, Charles R wrote:
> > From: James R. Marcus [mailto:jmar...@edhance.com]
> > Subject: snort detecting ICMP traffic, tomcat?
> >
> > Could Tomcat be generating ICMP traffic to an IP accessing the server?
>
> No. Java is not capable of generating ICMP messages.

That's not what ICMP Unreachable means. It's a response from the target host to a connection attempt by the requesting host which could or should not be accepted. It should be sent by the host's network stack, not anything in userspace, but it can be triggered by any program which requests a connection that is refused. Java certainly can evoke one of these, even if it can't send them.

In this case (Host Administratively Prohibited), 121d59.pitzer.edu is saying, "I refuse to talk to you on any port." I have no idea what is requesting a connection to that host, or why. It sounds like someone's workstation ("121d59") is configured to refuse traffic from internal-only (10/8) addresses. It might be helpful to start up a packet monitor and sample the attempts, to see what port(s) are being requested.

I find it interesting that there are two PTR records in DNS for that address, and the other one is to "jk-dc96425b8e." That's not the sort of name you expect from DNS. You might want to report that to someone at Pitzer College. A 'whois' query for pitzer.edu returns nothing, too.

--
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Balance your desire for bells and whistles with the reality that only a
little more than 2 percent of world population has broadband.
        -- Ledford and Tyler, _Google Analytics 2.0_
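
Added example, not part of the original message: an ICMP Destination Unreachable packet quotes the IP header and first 8 bytes of the datagram that was refused, so a captured reply already shows which local address and port made the attempt. The sketch below parses that quoted header; the addresses, ports and helper names are constructed for illustration.

```python
import socket
import struct

UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                 9: "net administratively prohibited",
                 10: "host administratively prohibited",
                 13: "communication administratively prohibited"}

def parse_unreachable(packet: bytes):
    """Return details of the refused attempt quoted in an ICMP type 3 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:  # IPv4 carrying ICMP
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20 or icmp[0] != 3:         # type 3 = Destination Unreachable
        return None
    inner = icmp[8:]                               # quoted original IP header + 8 bytes
    inner_len = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or inner_len < 20 or len(inner) < inner_len:
        return None
    info = {
        "reporter": socket.inet_ntoa(packet[12:16]),   # host that sent the refusal
        "reason": UNREACH_CODES.get(icmp[1], f"code {icmp[1]}"),
        "requester": socket.inet_ntoa(inner[12:16]),   # who made the original attempt
        "target": socket.inet_ntoa(inner[16:20]),
        "proto": {6: "tcp", 17: "udp"}.get(inner[9], str(inner[9])),
        "sport": None, "dport": None,
    }
    l4 = inner[inner_len:inner_len + 8]
    if inner[9] in (6, 17) and len(l4) >= 4:       # ports lead both TCP and UDP headers
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info

def ipv4_header(src, dst, proto, payload_len):
    # Constructed header for the sample; checksum left 0 because the parser ignores it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def sample_packet():
    # Constructed sample: 10.0.0.5 tried TCP port 8080 on 192.0.2.10 and got code 10 back.
    tcp_first8 = struct.pack("!HHI", 40000, 8080, 1)
    quoted = ipv4_header("10.0.0.5", "192.0.2.10", 6, 20) + tcp_first8
    icmp = struct.pack("!BBHI", 3, 10, 0, 0) + quoted
    return ipv4_header("192.0.2.10", "10.0.0.5", 1, len(icmp)) + icmp

if __name__ == "__main__":
    print(parse_unreachable(sample_packet()))
```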