Security Incidents mailing list archives
Re: An ICMP Type 3 Signature
From: Jay Random <scarbaci () YAHOO COM>
Date: Tue, 17 Oct 2000 15:14:30 -0000
> That's all well and good, except no packets have come back from the target host, merely from backbone routers.
Of course it's coming from the router; few networks put firewalls on the hosts themselves, thus when the packet is denied it is denied by a firewall protecting a network.
> Depending on the firewall, "DENY" may or may not return an unreachable message. Where they do return a nastygram, it is, AFAIK, a port unreachable (type 3, code 3) rather than a host unreachable (type 3, code 1).
If the firewall doesn't return an error it is a "Drop" command, where the packet just disappears without a trace. Initially the "DENY" was used for debugging purposes: if you were having a problem with a connection not getting through, you could set the firewall to deny and see if it is causing the problem from the presence of the nastygram. The error messages aren't standardized; typically it is host unreachable...

09:30:41.542747 1.atm3-0.umbc-gw.net.ums.edu > XXX: icmp: host resnet2-33.resnet.umbc.edu unreachable - admin prohibited filter
09:55:58.822747 datartn-5.border6.dal.pnap.net > XXX: icmp: host port-64-1950130-zzt0prespect.devices.datareturn.net unreachable - admin prohibited filter
10:01:02.682747 car2-GigabitEthernet1-2.isc.cw.net > XXX: icmp: host coke1.isc.cw.net unreachable - admin prohibited filter [tos 0x10]
10:07:18.632747 208.55.254.13 > XXX: icmp: host www.indesp.com unreachable - admin prohibited filter [tos 0x10]
> I have seen a fair bit of the same traffic and drilled a little deeper.

I have generated a fair bit of similar traffic.

> It seems that the target network is certainly reachable right now. I
> ... port. In order for this slow port sweep to be of any use, the attacker needs to be listening from fairly close to the target, while the packets are being launched (and spoofed) from various hosts.
> This smacks of a distributed scanning tool. rnmap will do what we are looking at, with the added twist of a compromised box sniffing just upstream of the target.
What made you dismiss the possibility of a decoy scan? Also, if he had a compromised sniffing box upstream from the target, why actively portscan and give away your activity, when a passive portscan would be more simple and logical? How would a sniffer add any benefit to the distributed scan?

Christopher Gragsone
CCSA, MCP
Senior Security Engineer, Verizon
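The thread turns on two things a defender can pull out of tcpdump output: which Destination Unreachable code a filtering device actually returns (code 1 host unreachable, code 3 port unreachable, or the "admin prohibited filter" wording tcpdump uses for code 13), and whether one router is answering a burst of probes aimed at many distinct hosts, which is what a blocked port sweep looks like from the address the probes were spoofed from. The following Python is an added example written for this page, not code from anyone in the thread. It parses tcpdump's one-line ICMP summaries, maps the textual descriptions back to (type 3, code) using tcpdump's own phrasing for the unreachable codes, and flags routers that returned several admin-prohibited replies for distinct targets inside a short window. The sample log lines are constructed and modelled on the ones quoted above; the hostnames and addresses are placeholders.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic), shaped like the tcpdump lines quoted
# in the thread: "<time> <sender> > <receiver>: icmp: <description>[ [tos 0x..]]".
SAMPLE_LOG = """\
09:30:41.542747 gw1.example.net > 192.0.2.10: icmp: host h1.resnet.example.edu unreachable - admin prohibited filter
09:30:42.101000 gw1.example.net > 192.0.2.10: icmp: host h2.resnet.example.edu unreachable - admin prohibited filter
09:30:43.330000 gw1.example.net > 192.0.2.10: icmp: host h3.resnet.example.edu unreachable - admin prohibited filter [tos 0x10]
09:55:58.822747 border6.example.net > 192.0.2.10: icmp: host www.example.com unreachable - admin prohibited
10:01:02.682747 203.0.113.5 > 192.0.2.10: icmp: host srv.example.org unreachable
10:07:18.632747 203.0.113.9 > 192.0.2.10: icmp: srv.example.org udp port 53 unreachable
10:07:19.000000 203.0.113.9 > 192.0.2.10: icmp: echo reply
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) > (?P<dst>\S+): icmp: "
    r"(?P<desc>.*?)(?: \[tos 0x[0-9a-f]+\])?$"
)

# tcpdump's wording for the type-3 codes discussed in the thread, mapped to the
# code numbers from RFC 792 / RFC 1812. More specific patterns come first so
# "host X unreachable - admin prohibited filter" is not taken for plain code 1.
UNREACH_PATTERNS = [
    (re.compile(r"^host (\S+) unreachable - admin prohibited filter$"), 13),
    (re.compile(r"^host (\S+) unreachable - admin prohibited$"), 10),
    (re.compile(r"^net (\S+) unreachable - admin prohibited$"), 9),
    (re.compile(r"^(\S+) (?:tcp|udp) port \S+ unreachable$"), 3),
    (re.compile(r"^host (\S+) unreachable$"), 1),
    (re.compile(r"^net (\S+) unreachable$"), 0),
]


def parse_line(line):
    """Return a dict for a type-3 (Destination Unreachable) line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for pat, code in UNREACH_PATTERNS:
        d = pat.match(m["desc"])
        if d:
            return {
                "time": datetime.strptime(m["time"], "%H:%M:%S.%f"),
                "src": m["src"],       # device that emitted the ICMP (router or host)
                "dst": m["dst"],       # receiver, i.e. the probe's claimed source
                "code": code,          # ICMP type 3 code
                "target": d.group(1),  # original destination of the dropped probe
            }
    return None  # other ICMP (echo reply, TTL exceeded, ...) is ignored here


def summarize(log_text, window=timedelta(seconds=60), threshold=3):
    """Count type-3 codes seen and flag routers that returned `threshold` or
    more admin-prohibited replies (codes 9/10/13) for that many distinct
    targets inside `window`: the signature of a blocked sweep as seen from the
    spoofed source address."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    code_counts = Counter(e["code"] for e in events)

    prohibited = defaultdict(list)
    for e in events:
        if e["code"] in (9, 10, 13):
            prohibited[e["src"]].append(e)

    bursts = []
    for router, evs in prohibited.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):  # sliding window over this router's replies
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            span = evs[start:end + 1]
            targets = {e["target"] for e in span}
            if len(span) >= threshold and len(targets) >= threshold:
                bursts.append((router, len(span), sorted(targets)))
                break  # one report per router is enough
    return {"code_counts": dict(code_counts), "bursts": bursts}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("type 3 codes seen:", report["code_counts"])
    for router, n, targets in report["bursts"]:
        print(f"{router}: {n} admin-prohibited replies for {len(targets)} targets")
```

On the constructed sample the first router is reported because it answered three probes to three different hosts within two seconds, while the single code 10, code 1 and code 3 replies are only counted. The window and threshold are the tunables to adjust for a real capture; the parser only recognizes tcpdump's summary format, not the verbose (-v) decode.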
Current thread:
- An ICMP Type 3 Signature Stephen P. Berry (Oct 04)
- Re: An ICMP Type 3 Signature Russell Fulton (Oct 10)
- Re: An ICMP Type 3 Signature Steffen Dettmer (Oct 11)
- <Possible follow-ups>
- Re: An ICMP Type 3 Signature Donald McLachlan (Oct 05)
- Re: An ICMP Type 3 Signature Stephen P. Berry (Oct 10)
- Re: An ICMP Type 3 Signature Donald McLachlan (Oct 10)
- Re: An ICMP Type 3 Signature Stephen P. Berry (Oct 11)
- Re: An ICMP Type 3 Signature Jay Random (Oct 11)
- Re: An ICMP Type 3 Signature George Bakos (Oct 13)
- Re: An ICMP Type 3 Signature Jay Random (Oct 17)
- Re: An ICMP Type 3 Signature George Bakos (Oct 19)