Security Incidents mailing list archives
Spoofed ICMP "destination unreachable" - DOS?
From: keichman () CAS ORG (Ken Eichman)
Date: Mon, 22 May 2000 16:46:52 -0400
In the past week I've seen at least 3 identical ICMP DOS attacks (?) involving 3 different ISPs. I'm not sure if they're attempted attacks, and if so, against my network or the ISP's. In each incident, random and mostly unassigned IP addresses in our address range are the listed recipients of ICMP type 3 (destination unreachable) packets. The listed source address of the traffic has always been a router at an ISP. We receive these packets for hours at a time at rates varying from a few dozen to hundreds per minute. Not particularly DOS-like -- "rather mild" as one of the ISP network people put it.

Each ISP tells me the source address is spoofed. Here is a typical response:

"Hello and thank you for notifying xxxxxxx. Unfortunately, we are currently under attack at our IP address 1.2.3.4. The attacker is sending spoofed destination address packets. These packets are bouncing off of our Router at 1.2.3.4, type 3, 'unreachable', to your address as the destination address. We have heard from approximately 50 others regarding this same incident."

Here's a representative snoop of one of the packets - everything is actual info except for the addresses. 111.111.11.11 is the ISP's router, assumedly spoofed, and 222.222.222.2 is a local address.

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 1 arrived at 23:00:6.18
ETHER: Packet size = 70 bytes
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 56 bytes
IP: Identification = 0
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 251 seconds/hops
IP: Protocol = 1 (ICMP)
IP: Header checksum = 9ab2
IP: Source address = 111.111.11.111, 111.111.11.111
IP: Destination address = 222.222.222.2, 222.222.222.2
IP: No options
IP:
ICMP: ----- ICMP Header -----
ICMP:
ICMP: Type = 3 (Destination unreachable)
ICMP: Code = 1 (Bad host)
ICMP: Checksum = ceee
ICMP:
ICMP: [ subject header follows ]
ICMP:
ICMP:IP: ----- IP Header -----
ICMP:IP:
ICMP:IP: Version = 4
ICMP:IP: Header length = 20 bytes
ICMP:IP: Type of service = 0x00
ICMP:IP: xxx. .... = 0 (precedence)
ICMP:IP: ...0 .... = normal delay
ICMP:IP: .... 0... = normal throughput
ICMP:IP: .... .0.. = normal reliability
ICMP:IP: Total length = 40 bytes
ICMP:IP: Identification = 4014
ICMP:IP: Flags = 0x0
ICMP:IP: .0.. .... = may fragment
ICMP:IP: ..0. .... = last fragment
ICMP:IP: Fragment offset = 0 bytes
ICMP:IP: Time to live = 26 seconds/hops
ICMP:IP: Protocol = 6 (TCP)
ICMP:IP: Header checksum = 3aef
ICMP:IP: Source address = 222.222.222.2, 222.222.222.2
ICMP:IP: Destination address = 333.333.33.333, 333.333.33.333
ICMP:IP: No options
ICMP:IP:

My questions: Is this a DOS? Against our network? Against the ISP? If it isn't a DOS, what's the point? Is the address 333.333.33.333 in the snoop capture also spoofed or could it possibly indicate the actual source?

Thanks
Ken

ps. Two of the ISPs are well-known, one was involved in a recent security incident; demon.net isn't one of them.
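As an added illustration (not Ken's code and not from the list), the following parses a datagram like the snoop above and applies the test that the question turns on: an ICMP unreachable whose quoted inner datagram names one of our addresses as source, although no host of ours sent that flow, is backscatter from spoofed traffic, and the quoted inner destination is where that traffic was really aimed. It assumes RFC 5737 documentation addresses as stand-ins for the post's placeholders and a hypothetical sent_flows set of (src, dst) pairs taken from the site's own flow records.

```python
import ipaddress
import struct

# Constructed stand-ins (RFC 5737 documentation ranges) for the post's placeholder addresses.
OUR_NET = "198.51.100.0/24"   # our address range (the post's 222.222.222.x)
ISP_ROUTER = "203.0.113.1"    # the ISP router that "sent" the error (111.111.11.111)
OUR_HOST = "198.51.100.2"     # the local recipient (222.222.222.2)
INNER_DST = "192.0.2.9"       # destination of the quoted datagram (333.333.33.333)

def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum, used for both the IP and the ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int, ident: int = 0) -> bytes:
    """20-byte IPv4 header without options, checksum filled in, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def sample_packet() -> bytes:
    """The 56-byte ICMP type 3 / code 1 datagram from the snoop, rebuilt with stand-in addresses."""
    quoted = ipv4(OUR_HOST, INNER_DST, 6, struct.pack("!HHI", 1025, 80, 0), ttl=26, ident=4014)
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + quoted   # type, code, checksum, unused, quoted datagram
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return ipv4(ISP_ROUTER, OUR_HOST, 1, icmp, ttl=251)

def classify_unreachable(packet: bytes, our_net: str = OUR_NET, sent_flows=frozenset()) -> dict:
    """Parse an ICMP destination-unreachable message and decide whether it is backscatter:
    the quoted datagram names one of OUR addresses as its source, yet no host of ours
    originated that flow (sent_flows holds (src, dst) pairs we really sent, e.g. from flow logs)."""
    net = ipaddress.ip_network(our_net)
    v_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    icmp = packet[(v_ihl & 0x0F) * 4:]
    itype, code, _ = struct.unpack("!BBH", icmp[:4])
    if proto != 1 or itype != 3:
        raise ValueError("not an ICMP destination-unreachable message")
    inner = icmp[8:]                                    # the quoted IP header (+ 8 bytes of L4)
    _, _, _, _, _, _, iproto, _, isrc, idst = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    outer_src, inner_src, inner_dst = (ipaddress.ip_address(a) for a in (src, isrc, idst))
    backscatter = (inner_src in net and outer_src not in net
                   and (str(inner_src), str(inner_dst)) not in sent_flows)
    return {"reporter": str(outer_src), "code": code, "inner_src": str(inner_src),
            "inner_dst": str(inner_dst), "inner_proto": iproto, "backscatter": backscatter,
            "likely_victim": str(inner_dst) if backscatter else None}
```

Run over a capture, a rising count of "backscatter" hits whose inner_src values are unassigned addresses in your range is the signature Ken describes; the likely_victim field is where to point the ISP.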