Bugtraq mailing list archives
ICMP unreachables
From: WIDNERM () hsdwl utc com (MICHAEL R. WIDNER)
Date: 28 Apr 1994 11:09:40 -0400 (EDT)
Earlier, cc wrote:
% I believe that a majority of the packets "nuking" connections out there are
% not perfect fakes; they are distinguishable from the real thing.
And how do you spot that which makes them distinguishable from the real thing?
Not sure, I've never done anything on the topic. I believe that the widely-distributed nuke.c program's packets (hope I don't over-simplify this) are FROM the "nuker", but say that the HOST is unreachable. So basically I believe that newer versions of Cisco software check to see if the ICMP UNREACH is on the same subnet as the host which is unreachable. Something like that; I was in a detailed discussion about it a few months ago but that's all I remember, and that might be a little off.
Not exactly. Nuke (at least the version I have) was written to run under SunOS using NIT. It creates fake packets at the raw ethernet level. When the packet reaches the host it is pretty much indistinguishable from a real ICMP port unreachable packet. (Oh, btw, nuke sends port unreachable, not host, but a change is obviously trivial.)

I've already seen nuke ported to several other OSes, where it uses sockets instead of NIT. In this case your statement is right. Under sockets the packets have the sender's address in them, rather than the host that the packet says is unreachable.

In any case, the real solution is to have hosts that check both port numbers in the fake ICMP packet. As was mentioned in another message, most current systems do this checking, so nuke (and programs like it) don't work very well. However, it is easily possible to make guesses at port numbers if you want to sever a particular connection.

-Mike Widner <widnerm () hsdwl utc com>
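The two checks discussed in the message above, as an added example that is not part of the original post and not nuke's own code: it builds a forged ICMP Destination Unreachable in memory (constructed packets only, nothing is sent), then applies the receiver-side "check both port numbers" rule by matching the quoted source/destination ports and addresses against a table of live connections. As a second, labelled heuristic it also reflects the socket-based port of nuke described above: a port unreachable (code 3) is generated by the destination host itself, so its outer source address should be the host the quoted datagram was sent to; a forgery sent from a plain socket carries the attacker's address instead. The addresses, ports and connection table are made up for the example, and the heuristic is an assumption of this example rather than anything the message claims a particular system does.

```python
import socket
import struct

# All packets below are constructed in memory for illustration; nothing touches the network.


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over data that already carries a
    correct checksum field the result is 0, which is how we verify."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_unreachable(outer_src: str, victim: str, peer: str,
                      sport: int, dport: int, code: int = 3) -> bytes:
    """ICMP Destination Unreachable (type 3) claiming that the TCP datagram
    victim:sport -> peer:dport hit an unreachable port (code 3) or host (code 1).
    outer_src is whatever the sender put there: the peer's address for a
    raw-ethernet (NIT) forgery, the attacker's own address for a socket forgery."""
    quoted_ip = ipv4_header(victim, peer, 6, 20)        # protocol 6 = TCP
    quoted_tcp8 = struct.pack("!HHI", sport, dport, 1)  # first 8 bytes of the TCP header
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted_ip + quoted_tcp8
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(outer_src, victim, 1, len(icmp)) + icmp  # protocol 1 = ICMP


def parse_unreachable(pkt: bytes):
    """Extract what a receiving host needs from a type-3 ICMP; None if pkt is not one."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        return None
    icmp = pkt[ihl:]
    icmp_type, code, _, _ = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != 3:
        return None
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    quoted = icmp[8:]                      # the offending datagram's IP header + 8 bytes
    q_ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < q_ihl + 8:
        raise ValueError("quoted datagram too short")
    sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return {
        "code": code,
        "outer_src": socket.inet_ntoa(pkt[12:16]),
        "proto": quoted[9],
        "src": socket.inet_ntoa(quoted[12:16]),
        "dst": socket.inet_ntoa(quoted[16:20]),
        "sport": sport,
        "dport": dport,
    }


def accept_unreachable(pkt: bytes, connections) -> tuple:
    """Decide whether a host should act on the ICMP at all.
    connections: set of (local_addr, local_port, remote_addr, remote_port)."""
    info = parse_unreachable(pkt)
    if info is None:
        return False, "not ICMP destination unreachable"
    if info["proto"] != 6:
        return False, "quoted datagram is not TCP"
    # The check from the message: both quoted ports (and addresses) must name a live connection.
    key = (info["src"], info["sport"], info["dst"], info["dport"])
    if key not in connections:
        return False, "no connection matches both quoted ports"
    # Assumption/heuristic of this example: a port unreachable is emitted by the
    # destination host itself, so for code 3 the outer source should be that host.
    # A host unreachable (code 1) comes from a router, so the heuristic is not applied.
    if info["code"] == 3 and info["outer_src"] != info["dst"]:
        return False, "port unreachable not sent by the claimed host"
    return True, "accepted"


# Constructed connection table: the victim 10.0.0.5 has a telnet session to 10.0.0.9.
CONNS = {("10.0.0.5", 1025, "10.0.0.9", 23)}

if __name__ == "__main__":
    nit_forgery = build_unreachable("10.0.0.9", "10.0.0.5", "10.0.0.9", 1025, 23)
    guessed_port = build_unreachable("10.0.0.9", "10.0.0.5", "10.0.0.9", 1026, 23)
    socket_forgery = build_unreachable("10.0.0.7", "10.0.0.5", "10.0.0.9", 1025, 23)
    for name, pkt in [("NIT forgery, right ports", nit_forgery),
                      ("guessed wrong port", guessed_port),
                      ("socket forgery from 10.0.0.7", socket_forgery)]:
        print(name, "->", accept_unreachable(pkt, CONNS))
```

The first case shows why the raw-ethernet version is hard to tell from the real thing: with the right ports and the peer's address as outer source, both checks pass and the host has no byte-level reason to reject it. The second shows the port check defeating a guess, and the third shows the socket-based port of nuke being caught on its outer source address even though it guessed the ports correctly.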
Current thread:
- Re: ICMP nukes? Carl Corey (Apr 28)
- <Possible follow-ups>
- Re: ICMP nukes? Carl Corey (Apr 28)
- Re: ICMP nukes? Oliver Friedrichs (Apr 28)
- ICMP unreachables MICHAEL R. WIDNER (Apr 28)