Security Incidents mailing list archives

RE: ICMP Parameter Problem packets to random addresses

From: "Ofir Arkin" <ofir () sys-security com>
Date: Tue, 19 Jun 2001 20:04:21 -0700

Russell,

This can also be a chain reaction for a decoy scan attempt using IPs from
your network, when scanning the target 194.42.253.254

Eliciting an ICMP Parameter Problem from the targeted host is not so
trivial.
I have written about this in my research paper "ICMP Usage In Scanning" that
can be downloaded from:

http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.zip
The file size is ~ 1.75mb when zipped

http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.pdf
The file size is ~ 5.39mb.

If you have the entire packet dump you can look and see what is the
offending packet that caused the error. It's IP header and at least 8 bytes
from the packet that caused the error should be echoed with the ICMP Error
message. If not - This is forged.

I would guess it will be the same packet or forged.

If this is just forged ICMP Parameter Problem error messages for Denial of
Service than the offending packet echoed inside the ICMP error message might
not have a field inside the IP header that actually cause the error.

Cheers Mate

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA



-----Original Message-----
From: r.fulton () auckland ac nz [mailto:r.fulton () auckland ac nz]
Sent: Monday, June 18, 2001 5:22 PM
To: incidents () securityfocus com
Subject: ICMP Parameter Problem packets to random addresses


Greetings All
                Periodically, over the last few months, I have been
seeing bursts of ICMP Parameter Problem (type 12, code 0) like those
below that were picked up by snort today:

Jun 19 10:01:34 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.186.122
Jun 19 10:02:50 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.14.27
Jun 19 10:05:40 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.74.94
Jun 19 10:07:38 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.96.37
Jun 19 10:08:58 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.132.107
Jun 19 10:11:26 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.164.3
Jun 19 10:22:24 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.138.66
Jun 19 10:23:08 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.140.43
Jun 19 10:23:52 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.145.97
Jun 19 10:32:34 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.114.1
Jun 19 10:50:47 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.187.73
Jun 19 11:01:19 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.194.11
Jun 19 11:14:26 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.62.75
Jun 19 11:16:22 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.211.108
Jun 19 11:25:06 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.232.56
Jun 19 11:26:42 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.178.94
Jun 19 11:43:36 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.194.12
Jun 19 11:44:24 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.234.34
Jun 19 11:52:17 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.119.15
Jun 19 11:54:53 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.162.31
Jun 19 11:59:44 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.78.101
Jun 19 12:01:27 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.130.7

The destination addresses appear to be random addresses in our /16
address space.  The burst last for varying lengths of time (anything
from a few hours to a few days).

I have been assuming that this traffic is a fall out from a DoS
lauched against 194.42.253.254 (or some host behind it if it is a
router).  One thing that might cause this is ICMP packets that set
random values to type and code fields in a flood attack.  I seem to
remember that one of the common DoS Tools does just that.

Any other thoughts?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

Current thread:

ICMP Parameter Problem packets to random addresses Russell Fulton (Jun 18)
- RE: ICMP Parameter Problem packets to random addresses Fernando Cardoso (Jun 19)
- RE: ICMP Parameter Problem packets to random addresses Ofir Arkin (Jun 19)
  - Re: RE: ICMP Parameter Problem packets to random addresses Russell Fulton (Jun 19)
  - Re: ICMP Parameter Problem packets to random addresses Jeff Kell (Jun 19)
    - Re: ICMP Parameter Problem packets to random addresses Tim Winders (Jun 20)