Bugtraq mailing list archives

ICMP unreachables


From: WIDNERM () hsdwl utc com (MICHAEL R. WIDNER)
Date: 28 Apr 1994 11:09:40 -0400 (EDT)


Earlier, cc wrote:
% I believe that a majority of the packets "nuking" connections out there are
% not perfect fakes; they are distinguishable from the real thing.

And how do you spot that which makes them distinguishable from the
real thing?

Not sure, I've never done anything on the topic.  I believe that the
widely-distributed nuke.c program's packets (hope I don't over-simplify
this) are FROM the "nuker", but say that the HOST is unreach.  So basically
I believe that newer versions of Cisco software check to see if the ICMP
UNREACH is on the same subnet as the host which is unreachable.  Something
like that; I was in a detailed discussion about it a few months ago but
that's all I remember, and that might be a little off.

Not exactly.  Nuke (at least the version I have) was written to run
under sunos using NIT.  It creates fake packets on the raw ethernet
level.  When the packet reaches the host it is pretty much
indistinguishable from a real icmp port unreachable packet.  (oh,
btw, nuke sends port unreachable, not host, but a change is obviously
trivial).  I've already seen nuke ported to several other OSs, where
it uses sockets instead of NIT.  In this case your statement is right.
Under sockets the packets have the sender's address in them, rather
than the host that the packet says is unreachable.

In any case, the real solution is to have hosts that check both port
numbers in the fake icmp packet.  As was mentioned in another message,
most current systems do this checking, so nuke (and programs like it)
don't work very well.  However it is easily possible to make guesses
at port numbers if you want to sever a particular connection.

-Mike Widner
<widnerm () hsdwl utc com>
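The receiver-side check the message argues for, as an added example that is not part of the original thread and not code from nuke.c: a Python receiver that parses an ICMP destination-unreachable packet, pulls the two port numbers out of the embedded IP header plus first 8 bytes of the offending datagram (the part RFC 792 requires the sender to include), and only tears down a connection when the addresses and both ports match one it actually has. It also carries the weaker check the earlier poster had in mind (the ICMP source must be the host the packet claims is unreachable), which catches the socket-based ports of nuke but not a raw-link forgery. The addresses, port numbers and connection table are constructed for the example; checksums are left at zero because nothing here verifies them.

```python
import struct
import ipaddress

# Constructed example; not code from the original thread or from nuke.c.
ICMP_UNREACH = 3          # ICMP type: destination unreachable
PORT_UNREACH = 3          # ICMP code: port unreachable
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def icmp_port_unreach(outer_src, outer_dst, inner_src, inner_dst, proto, sport, dport):
    """Build an IP+ICMP port-unreachable packet.  The ICMP body carries the IP
    header plus the first 8 bytes (RFC 792) of the datagram that supposedly
    triggered it, which is where both port numbers live.  A forger picks every
    field, so this same builder produces both genuine and forged packets."""
    inner = ipv4_header(inner_src, inner_dst, proto, 8) + struct.pack("!HHI", sport, dport, 0)
    icmp = struct.pack("!BBHI", ICMP_UNREACH, PORT_UNREACH, 0, 0) + inner
    return ipv4_header(outer_src, outer_dst, IPPROTO_ICMP, len(icmp)) + icmp


def parse_icmp_unreach(pkt):
    """Return the fields a receiver needs, or None if this is not a
    well-formed ICMP unreachable carrying a full embedded header + 8 bytes."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ICMP or len(pkt) < ihl + 8 + 28:
        return None
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_UNREACH:
        return None
    inner = icmp[8:]
    iihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or len(inner) < iihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "code": icmp[1],
        "inner_proto": inner[9],
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "sport": sport,
        "dport": dport,
    }


def should_abort(pkt, connections):
    """Decide whether an ICMP port unreachable may tear down a connection.
    connections: set of (proto, local_ip, local_port, remote_ip, remote_port)
    as seen by the receiving host.  Returns (abort, reason)."""
    f = parse_icmp_unreach(pkt)
    if f is None:
        return False, "malformed or not ICMP unreachable"
    if f["code"] != PORT_UNREACH:
        return False, "only port unreachable handled here"
    # Weak check: a genuine port unreachable is sent by the host that owned the
    # port, so the ICMP source must equal the embedded destination.  Socket-based
    # ports of nuke cannot spoof the outer source; a raw-link (NIT) forger can.
    if f["outer_src"] != f["inner_dst"]:
        return False, "ICMP source is not the host it claims is unreachable"
    # Real check: the embedded datagram must describe a connection we hold,
    # i.e. addresses and BOTH port numbers must match.
    key = (f["inner_proto"], f["inner_src"], f["sport"], f["inner_dst"], f["dport"])
    if key not in connections:
        return False, "no connection matches both embedded ports"
    return True, "matches %s:%d -> %s:%d" % (f["inner_src"], f["sport"],
                                            f["inner_dst"], f["dport"])


# Constructed scenario: one UDP "connection" from LOCAL:40000 to REMOTE:53.
LOCAL, REMOTE, ATTACKER = "10.0.0.1", "10.0.0.2", "192.0.2.99"
CONNECTIONS = {(IPPROTO_UDP, LOCAL, 40000, REMOTE, 53)}


def demo():
    """Run the four cases the thread discusses through should_abort()."""
    cases = {
        # the real thing, sent by REMOTE about our datagram to its port 53
        "genuine": icmp_port_unreach(REMOTE, LOCAL, LOCAL, REMOTE, IPPROTO_UDP, 40000, 53),
        # socket-based nuke port: ports guessed right, but outer source is the attacker
        "socket_nuke": icmp_port_unreach(ATTACKER, LOCAL, LOCAL, REMOTE, IPPROTO_UDP, 40000, 53),
        # raw-link forgery with spoofed source but no idea of the port numbers
        "nit_nuke_blind": icmp_port_unreach(REMOTE, LOCAL, LOCAL, REMOTE, IPPROTO_UDP, 0, 0),
        # raw-link forgery with correctly guessed ports: byte-identical to genuine
        "nit_nuke_guessed": icmp_port_unreach(REMOTE, LOCAL, LOCAL, REMOTE, IPPROTO_UDP, 40000, 53),
    }
    return {name: should_abort(pkt, CONNECTIONS)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, aborted in demo().items():
        print("%-18s -> %s" % (name, "connection aborted" if aborted else "ignored"))
```

The last case is the caveat in the message: once the forger spoofs the link-level source and guesses both ports, the packet is indistinguishable from a genuine one, so the port check only raises the cost of the attack to guessing a 16-bit ephemeral port. Later stacks narrowed that further for TCP by also requiring the embedded sequence number (the 4 bytes after the ports in those same 8 bytes) to fall inside the connection's send window (RFC 5927); that check is not implemented above.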
