Bugtraq mailing list archives
DF Bit Echoing with ICMP
From: Ofir Arkin <ofir () ITCON-LTD COM>
Date: Mon, 21 Aug 2000 01:55:55 +0200
Some operating systems, when receiving an ICMP Query message with the DF bit set, set the DF bit in their replies as well. Sometimes this contrasts with their regular behavior, which is to not set the DF bit in their replies to a regular query that arrives with the DF bit not set.

A. DF Bit Echoing with the ICMP Echo request

The snort trace below illustrates an ICMP Echo request sent from a Linux box, using nemesis, to a Sun Solaris 2.7 machine:

[root@aik /root]# nemesis-icmp -i 8 x.x.x.x

08/10-15:24:21.625260 10.0.0.105 -> x.x.x.x
ICMP TTL:64 TOS:0x0 ID:13670 DF
ID:62979 Seq:0 ECHO

08/10-15:24:22.623507 10.0.0.105 -> x.x.x.x
ICMP TTL:64 TOS:0x0 ID:43567 DF
ID:62979 Seq:256 ECHO

08/10-15:24:23.318173 x.x.x.x -> 10.0.0.105
ICMP TTL:239 TOS:0x0 ID:221 DF
ID:62979 Seq:0 ECHO REPLY
08 8C 02 85 1C 2A 7F 32 AB 14 6C 79 F5 2E 53 84  .....*.2..ly..S.
AF 15                                            ..

08/10-15:24:23.555488 x.x.x.x -> 10.0.0.105
ICMP TTL:239 TOS:0x0 ID:222 DF
ID:62979 Seq:256 ECHO REPLY
BE 13 02 8F 90 8F 15 93 94 93 04 97 98 97 16 9B  ................
9C 9B                                            ..

Most of the operating systems that I have checked this behavior against did the same thing: in the reply they produced, the DF bit was set.

Which operating systems are the exceptions and do not echo back the DF bit? Linux Kernel 2.2.x, Linux Kernel 2.4 with the various test kernels, Ultrix v4.2 – 4.5, and Novell Netware.

How can we distinguish between those operating systems? Frankly, it is quite simple. Since Linux and Ultrix use a TTL field value of 255 in their ICMP Query replies, and Novell Netware uses 128, it is easy to distinguish between those groups.

B. DF Bit Echoing with the ICMP Address Mask request

With ICMP Address Mask requests we have a different story. Among the operating systems that I have checked that answer an ICMP Address Mask request, Sun Solaris and OpenVMS echo back the DF bit. Microsoft Windows 98, Microsoft Windows 98 SE, and Ultrix do not echo back the DF bit.

Again it is very simple to distinguish between the Microsoft Windows 98 family and the Ultrix machines. Since the Microsoft Windows 98 family uses 128 as the TTL field value in its ICMP query replies and Ultrix uses 255, we can distinguish between those operating systems. We have here a simple method to distinguish Microsoft Windows 98 / 98 SE and Ultrix machines from the rest of the operating systems world.

Another interesting piece of information is that the Microsoft Windows 98 family changes its behavior from DF echoing with the ICMP Echo request to not echoing with the ICMP Address Mask request. This inconsistency is a factor with all Microsoft operating systems (echoing with the ICMP Echo request, not echoing with the other types of ICMP query).

C. DF Bit Echoing with the ICMP Timestamp request

Since a lot more operating systems answer an ICMP Timestamp request than an ICMP Address Mask request, we have a bit more difficulty identifying those. Linux with Kernel 2.2.x, Linux with Kernel 2.4, Ultrix, Microsoft Windows 98/98SE/ME, and the Microsoft Windows 2000 family do not echo back the DF bit in the ICMP Timestamp replies they produce for an ICMP Timestamp request that has its DF bit set.

Here we can only distinguish between certain groups of operating systems; again it would be according to the TTL field value of their replies. Linux uses 255 as its TTL field value for the ICMP Timestamp reply; Ultrix uses the same value. The Microsoft family of operating systems that answer this kind of query use 128 as their TTL value. Again we have Linux and Ultrix on the one hand and the Microsoft family on the other hand. How can we further distinguish between those?

D. Using all of the information in order to identify the maximum number of operating systems

We can group Linux and Ultrix with the ICMP Echo requests. We can do the same with Microsoft Windows 98 / 98 SE and Ultrix using the ICMP Address Mask requests. This would allow us to pinpoint the Linux boxes from the first stage. So when we go into the third stage we would know which operating systems are Linux based, which are Microsoft Windows 98 / 98 SE based, and which are Ultrix based. This would leave us with Microsoft Windows ME and with the Microsoft Windows 2000 family machines.

E. Why this would work (for the skeptical)

All those skeptical would say that if they receive an ICMP Query request with the DF bit set, then it should be clear that something is wrong and someone is probably trying to scan them. Think again. What would happen if a Solaris box queried your box? Then the same behavior would be produced, since Sun Solaris, OpenBSD and HP-UX all set the DF bit in the requests they produce.

This is an ICMP Echo request sent from a Solaris 2.6 box to a Linux box. We can see that the DF bit is set in the request and not set in the reply. But again, if someone mimicked this behavior with a tool used on a Linux box to query the world, 100% mimicking Solaris, then we would never know whether this is a legitimate request or an attempt at scanning / fingerprinting.

Initializing Network Interface...
Decoding raw data on interface ppp0

-*> Snort! <*-
Version 1.6
By Martin Roesch (roesch () clark net, www.clark.net/~roesch)

08/10-23:32:52.201612 y.y.y.y -> 139.92.207.58
ICMP TTL:239 TOS:0x0 ID:48656 DF
ID:2080 Seq:0 ECHO
39 93 10 A3 00 03 F0 E5 08 09 0A 0B 0C 0D 0E 0F  9...............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

08/10-23:32:52.201649 139.92.207.58 -> y.y.y.y
ICMP TTL:255 TOS:0x0 ID:349
ID:2080 Seq:0 ECHO REPLY
39 93 10 A3 00 03 F0 E5 08 09 0A 0B 0C 0D 0E 0F  9...............
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

Operating systems that I have checked are: Linux Kernel 2.4 test 2,4,5,6; Linux Kernel 2.2.x; FreeBSD 4.0, 3.4; OpenBSD 2.7, 2.6; NetBSD 1.4.1, 1.4.2; BSDI BSD/OS 4.0, 3.1; Solaris 2.6, 2.7, 2.8; HP-UX 11.0; Compaq Tru64 5.0; AIX 4.1, 3.2; Irix 6.5.3, 6.5.8; Ultrix 4.2 – 4.5; OpenVMS v7.1-2; Novell Netware 5.1 SP1, 5.0, 3.12; Microsoft Windows 98/98SE/ME, Microsoft Windows NT WRKS SP6a, Microsoft Windows NT Server SP4, Microsoft Windows 2000 Family.

Ofir Arkin [ofir () itcon-ltd com]
Senior Security Analyst
ITcon, Israel.
http://www.itcon-ltd.com
Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily represent the views of my employer."
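As an added, defender-side example (not from the post or any tool it mentions), the Python below reads a Snort 1.6-style ICMP trace in the layout shown above, pairs each DF-set query with its reply, and reports whether the responder echoed DF and which TTL it answered with, so an administrator can audit what their own hosts disclose to this method. The sample trace, its addresses and the field names are constructed for the example.

```python
import re

# Constructed sample in Snort 1.6's three-line layout (IP line, ICMP line, ID/Seq line).
SAMPLE_TRACE = """\
08/10-15:24:21.625260 10.0.0.105 -> 192.0.2.10
ICMP TTL:64 TOS:0x0 ID:13670 DF
ID:62979 Seq:0 ECHO
08/10-15:24:23.318173 192.0.2.10 -> 10.0.0.105
ICMP TTL:239 TOS:0x0 ID:221 DF
ID:62979 Seq:0 ECHO REPLY
08/10-23:32:52.201612 192.0.2.20 -> 10.0.0.105
ICMP TTL:239 TOS:0x0 ID:48656 DF
ID:2080 Seq:0 ECHO
08/10-23:32:52.201649 10.0.0.105 -> 192.0.2.20
ICMP TTL:255 TOS:0x0 ID:349
ID:2080 Seq:0 ECHO REPLY
"""

HDR = re.compile(r"^\S+ (\S+) -> (\S+)$")                   # timestamp src -> dst
ICMP = re.compile(r"^ICMP TTL:(\d+) TOS:\S+ ID:\d+( DF)?$")  # trailing DF is optional
BODY = re.compile(r"^ID:(\d+) Seq:(\d+) (.+)$")             # ICMP id, seq, type name

def parse_snort(text):
    """Header line, then ICMP line, then ID/Seq line; hex dump and banner lines match nothing."""
    pkts, hdr, icmp = [], None, None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            hdr, icmp = m, None            # new record; forget any partial one
        elif hdr is not None and icmp is None:
            icmp = ICMP.match(line)        # stays None for non-ICMP records
        elif hdr is not None and icmp is not None and BODY.match(line):
            b = BODY.match(line)
            pkts.append({"src": hdr[1], "dst": hdr[2], "ttl": int(icmp[1]), "df": icmp[2] is not None,
                         "id": int(b[1]), "seq": int(b[2]), "kind": b[3]})
            hdr = icmp = None
    return pkts

def audit_df_echo(pkts):
    """For each DF-set query, find its reply (same id/seq, addresses swapped) and record DF echo + TTL."""
    out = []
    for req in pkts:
        if req["df"] and not req["kind"].endswith("REPLY"):
            reply_kind = req["kind"].replace(" REQUEST", "") + " REPLY"  # assumed Snort naming
            reply = next((p for p in pkts if p["kind"] == reply_kind and p["src"] == req["dst"]
                          and p["dst"] == req["src"] and p["id"] == req["id"] and p["seq"] == req["seq"]), None)
            out.append({"responder": req["dst"], "query": req["kind"],
                        "df_echoed": reply["df"] if reply else None, "reply_ttl": reply["ttl"] if reply else None})
    return out
```

The audit keys on the reply rather than alerting on the request because, as section E notes, a DF-set inbound query is not by itself evidence of a scan.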