Full Disclosure mailing list archives

Re: Re: ICMP Destination Unreachable Port Unreachable


From: "Adriel T. Desautels" <simon () snosoft com>
Date: Tue, 15 Aug 2006 20:22:41 -0400

Darren,
    My responses are below:

Darren Bounds wrote:
I'm confused about a couple things:

1) You say you knew the nature of the packet yet in your original message
you stated "Neither the source IP or the target IP have any ports associated
with them in this event. Any ideas would be appreciated.".

I wasn't very clear was I, my apologies again. I understand that ICMP
packets have no port per se. The ideas that I was interested in were with
regards to the payload of the packets. In the same email I also mention that
I haven't looked through this very extensively, I was crammed with other
work. ;]

- The packet you dumped was an ICMP port unreachable. There will never be a
port associated with an ICMP packet.

right.

- ICMP unreachable messages contain a payload with the IP header of the
packet generating the error and at least 64 bits (8 bytes) of original data
datagram. There are ports associated with UDP and therefore inspection of
the embedded UDP packet tells you quite a bit. i.e. It was using ports 16229
and 2597 as source and destination.

Right, someone said the same thing earlier (maybe it was you). I've taken
the liberty of blocking "any" traffic going to all of the IP addresses which
are involved in this particular incident. Likewise I've also blocked "any"
traffic for those IP addresses going to the affected network. Yet, the
traffic keeps coming to the affected network.

I did run a sniffer for a while and I saw no traffic leaving the
affected network
headed for the IP addresses in question, yet they continue to send traffic
back to the affected network.

The two IP addresses are in Amsterdam and they are still sending the ICMP
packets with the interesting payloads. I'm wondering if anyone can identify
what generated those payloads. Has anyone seen similar payloads before?

The two offending IPs are:

    81.99.46.113
and
    82.246.252.214
 

2) You * out the first 3 octets of the destination IP address in the event
but leave the IP address in the ICMP payload (70.91.131.49). Why?

Force of habit. ;]



-- 

Thanks,
Darren Bounds

On 8/15/06, Adriel T. Desautels <simon () snosoft com> wrote:

Darren,
   I did notice what type of packet it was and I also know what the
packet signifies. The issue that I am having is that there has never
been any outbound UDP activity to the host that is replying to this
network. The payloads of the ICMP packets are a bit weird too,
containing either X'es or |'s or encoded strings. What I am trying to
figure out is if anyone here recognizes these types of payloads and
knows what could be generating them?

so just to be clear...

I want info about the payload not about ICMP!





-- 

Regards, 
    Adriel T. Desautels
    SNOsoft Research Team
    Office: 617-924-4510 || Mobile : 857-636-8882

    ----------------------------------------------
    Vulnerability Research and Exploit Development
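The structure Darren describes above (the quoted IP header plus at least 8 bytes of the original datagram) can be checked by hand. The following Python is an added example, not code from either poster: it builds a constructed ICMP type 3 code 3 packet, parses the quoted UDP header out of it to recover the source and destination ports, characterises any quoted application data (the X'es or |'s mentioned in the thread), and checks the quoted datagram against a set of UDP flows the affected network is known to have sent, which is the comparison the sniffer run in the thread amounts to. Addresses are RFC 5737 documentation addresses, the ports 16229 and 2597 are the ones named in the thread, and all function names are my own.

```python
import socket
import struct

ICMP_PROTO = 1
UDP_PROTO = 17


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # Minimal 20-byte IPv4 header; the checksum is left at zero because the
    # parser below never validates it (constructed for this example only).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_port_unreachable(outer_src, outer_dst, orig_src, orig_dst,
                           sport, dport, orig_data, quote_bytes=8):
    # The UDP datagram that supposedly provoked the error.
    udp = struct.pack("!HHHH", sport, dport, 8 + len(orig_data), 0) + orig_data
    orig_ip = ipv4_header(orig_src, orig_dst, UDP_PROTO, len(udp))
    # RFC 792 requires the quoted IP header plus at least 8 bytes of the
    # original datagram; many stacks quote more, which is how application
    # data ends up visible inside the ICMP error.
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + orig_ip + udp[:quote_bytes]
    return ipv4_header(outer_src, outer_dst, ICMP_PROTO, len(icmp)) + icmp


def parse_port_unreachable(pkt):
    if pkt[0] >> 4 != 4 or pkt[9] != ICMP_PROTO:
        raise ValueError("not an IPv4 ICMP packet")
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if icmp[0] != 3:
        raise ValueError("not a destination-unreachable message")
    quoted = icmp[8:]
    if len(quoted) < 28:  # 20-byte IP header + 8 bytes of original datagram
        raise ValueError("quoted datagram shorter than the RFC 792 minimum")
    qihl = (quoted[0] & 0x0F) * 4
    info = {
        "outer_src": socket.inet_ntoa(pkt[12:16]),
        "outer_dst": socket.inet_ntoa(pkt[16:20]),
        "code": icmp[1],
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "orig_proto": quoted[9],
        "sport": None, "dport": None, "orig_payload": b"",
    }
    l4 = quoted[qihl:]
    if info["orig_proto"] == UDP_PROTO and len(l4) >= 8:
        # The first 4 bytes of the UDP header are the ports; anything past
        # the 8-byte header is application data the sender chose to quote.
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        info["orig_payload"] = l4[8:]
    return info


def describe_payload(data):
    # Rough triage of whatever application data was quoted.
    if not data:
        return "none quoted"
    if len(set(data)) == 1:
        return "repeated %r" % chr(data[0])
    if all(32 <= b < 127 for b in data):
        return "printable text"
    return "binary"


def is_solicited(info, outbound_udp):
    # True only if our side actually sent the datagram the error quotes;
    # outbound_udp is a set of (src, sport, dst, dport) flows seen leaving
    # the network, e.g. from a sniffer or flow logs.
    key = (info["orig_src"], info["sport"], info["orig_dst"], info["dport"])
    return key in outbound_udp


# Constructed sample: 198.51.100.7 claims 192.0.2.10 sent it UDP 16229 -> 2597
# carrying twelve X's, and quotes the whole datagram rather than just 8 bytes.
SAMPLE = build_port_unreachable(
    "198.51.100.7", "192.0.2.10", "192.0.2.10", "198.51.100.7",
    16229, 2597, b"X" * 12, quote_bytes=8 + 12)

# Constructed flow record standing in for the sniffer result: nothing left
# the network towards the remote host, so the error is unsolicited.
OBSERVED_OUTBOUND_UDP = set()

if __name__ == "__main__":
    info = parse_port_unreachable(SAMPLE)
    print(info["outer_src"], "->", info["outer_dst"], "code", info["code"])
    print("quoted:", info["orig_src"], info["sport"], "->",
          info["orig_dst"], info["dport"], describe_payload(info["orig_payload"]))
    print("solicited:", is_solicited(info, OBSERVED_OUTBOUND_UDP))
```

The unsolicited case is the one worth alerting on: a port-unreachable whose quoted datagram never left your network means either the quoted source address was spoofed by someone else or the quoting host is not behaving like a normal stack, and the quoted application data is the only clue to which.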


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/