Full Disclosure mailing list archives
Re: Re: ICMP Destination Unreachable Port Unreachable
From: "Darren Bounds" <dbounds () gmail com>
Date: Tue, 15 Aug 2006 18:59:48 -0400
Adriel,

I was replying to Dude VanWinkle, who's been chasing down the src/dst port 0 unnecessarily.

On 8/15/06, Adriel T. Desautels <simon () snosoft com> wrote:

Darren,
    I did notice what type of packet it was and I also know what the packet signifies. The issue that I am having is that there has never been any outbound UDP activity to the host that is replying to this network. The payloads of the ICMP packets are a bit weird too, containing either X'es or |'s or encoded strings. What I am trying to figure out is if anyone here recognizes these types of payloads and knows what could be generating them?

So just to be clear... I want info about the payload not about ICMP!

Darren Bounds wrote:
> Dude,
>
> In case you've failed to notice, this is an ICMP port unreachable message.
> It's sent in response to a UDP packet destined for an unavailable UDP port.
> The port '0' referenced in the event source/destination is meaningless as
> ICMP doesn't use source and destination ports (it is always '0').
>
> The payload of the ICMP unreachable message contains original IP header (of
> the initial UDP packet) and at least 64 bits (8 bytes) of original data
> datagram. The size of data echoed will vary depending on the implementation.
>
> On 8/15/06, Dude VanWinkle <dudevanwinkle () gmail com> wrote:
>>
>> On 8/15/06, Julio Cesar Fort <julio () rfdslabs com br> wrote:
>> > Dude VanWinkle,
>> >
>> > > <snip>
>> > > -----------------------------
>> > > Looks to me like they are using port 0.
>> > > http://www.grc.com/port_0.htm
>> > > -JP
>> >
>> > *NEVER TRUST* Steve Gibson. I bet he smokes crack. See
>> > http://attrition.org/errata/charlatan.html#gibson for more details.
>>
>> thanks for the tip!
>>
>> Still, I can't seem to help but think there is something to this port 0
>> thingy
>>
>> http://www.networkpenetration.com/port0.html
>>
>> <snip>
>>
>> 3. Port 0 OS Fingerprinting
>> ---------------------------
>> As port 0 is reserved for special use as stated in RFC 1700. Coupled
>> with the fact that this port number is reassigned by the OS, no
>> traffic should flow over the internet using this port. As the
>> specifics are not clear different OS's have different ways of handling
>> traffic using port 0 thus they can be fingerprinted.
>>
>> --------------------------------------------
>>
>> I guess that is just a reaction to traffic and not actual traffic via
>> port 0, but still nifty info
>>
>> -JP
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

--
Regards,
    Adriel T. Desautels
    SNOsoft Research Team
    Office: 617-924-4510 || Mobile : 857-636-8882

    ----------------------------------------------
    Vulnerability Research and Exploit Development

--
Thank you,

Darren Bounds
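The payload layout described in the quoted message above (original IP header plus at least 8 bytes of the original datagram) can be checked mechanically against what a network actually sent. The following Python sketch is an added example and not part of the original post; the function names, addresses, ports and the sample packet are constructed for illustration, and checksums are not verified.

```python
import ipaddress
import struct

def parse_port_unreachable(icmp: bytes) -> dict:
    """Parse ICMP type 3 / code 3 and the original datagram it quotes."""
    if len(icmp) < 8 or (icmp[0], icmp[1]) != (3, 3):
        raise ValueError("not an ICMP port unreachable message")
    quoted = icmp[8:]  # skip type, code, checksum and 4 unused bytes
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("payload is not a quoted IPv4 header")
    ihl = (quoted[0] & 0x0F) * 4  # quoted header length, options included
    if ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted header truncated or malformed")
    info = {
        "proto": quoted[9],
        "orig_src": ipaddress.IPv4Address(quoted[12:16]),
        "orig_dst": ipaddress.IPv4Address(quoted[16:20]),
        "extra": quoted[ihl + 8:],  # echoed data beyond the 8 bytes; size varies
    }
    if info["proto"] == 17:  # the 8 quoted bytes are exactly the UDP header
        sport, dport, ulen, _ = struct.unpack("!HHHH", quoted[ihl:ihl + 8])
        info.update(sport=sport, dport=dport, udp_len=ulen)
    return info

def triage(icmp: bytes, sender: str, our_net: str) -> str:
    """Say which original packet the message claims to answer, if any."""
    try:
        q = parse_port_unreachable(icmp)
    except ValueError as exc:
        return f"malformed: {exc}"
    if q["proto"] != 17:
        return "quoted datagram is not UDP"
    if q["orig_src"] not in ipaddress.ip_network(our_net):
        return "quoted source is outside our network"
    if q["orig_dst"] != ipaddress.IPv4Address(sender):
        return "quoted destination is not the ICMP sender"
    return f"answers UDP {q['orig_src']}:{q['sport']} -> {q['orig_dst']}:{q['dport']}"

def build_sample() -> bytes:
    """Constructed message: 192.0.2.10:40000 -> 198.51.100.7:33434 refused."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("198.51.100.7").packed)
    udp = struct.pack("!HHHH", 40000, 33434, 8, 0)
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp  # checksums left at 0

if __name__ == "__main__":
    print(triage(build_sample(), "198.51.100.7", "192.0.2.0/24"))
```

The quoted source address and port can then be compared with flow or firewall logs to see whether a matching outbound UDP packet was ever recorded.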