Bugtraq mailing list archives

LINUX ICMP Error Message Quoting Size Differences (The 20 Bytes from No Where)


From: Ofir Arkin <ofir () sys-security com>
Date: Wed, 6 Dec 2000 16:45:36 +0100

We must understand that there are differences between the different ICMP
Error messages, not only with their meaning, but also with their
implementation. I was expecting that several characteristics of the ICMP Error
messages would be the same across all of the ICMP Error Messages, but I was
wrong regarding a few operating systems.

The most interesting case is with the LINUX operating system based on Kernel
2.2.x and 2.4.t-x.

The next example is with LINUX based on Kernel 2.2.16 as the targeted
machine, eliciting an ICMP Port Unreachable error message:

00:21:30.199408 pop > x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 64, id 1732)
                         4500 001c 06c4 0000 4011 c895 xxxx xxxx
                         yyyy yyyy 0812 07d0 0008 4484

00:21:30.493691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000
unreachable Offending pkt: x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 44, id
1732) [tos 0xc0]  (ttl 238, id 53804)
                         45c0 0038 d22c 0000 ee01 4e60 yyyy yyyy
                         xxxx xxxx 0303 a88e 0000 0000 4500 001c
                         06c4 0000 2c11 dc95 xxxx xxxx yyyy yyyy
                         0812 07d0 0008 4484


The quoted data is the entire offending datagram. LINUX ICMP Error messages
will be up to 576 bytes long according to the LINUX source code.

The next example is with LINUX as the targeted operating system. With this
example I have sent a protocol scan with NMAP:

13:14:56.942897   < x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623)
                         4500 0014 92f7 0000 2726 02cb xxxx xxxx
                         yyyy yyyy
13:14:56.942964   > y.y.y.y > x.x.x.x: icmp: y.y.y.y protocol 38 unreachable
Offending pkt: x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623) [tos
0xc0]  (ttl 255, id 1884)
                         45c0 0044 075c 0000 ff01 b59a yyyy yyyy
                         xxxx xxxx 0302 fb1a 0000 0000 4500 0014
                         92f7 0000 2726 02cb xxxx xxxx yyyy yyyy
                         0050 dc84 ae6f 6910 0000 0000 5004 0000
                         bd89 0000

LINUX adds to the entire offending packet that was quoted, another 20 bytes.

Since LINUX handles the ICMP Protocol Unreachable Error Messages like the
ICMP Fragment Reassembly Time Exceeded Error Messages we will see the same
pattern with ICMP Fragment Reassembly Time Exceeded:

[root@godfather bin]# hping2 -c 1 -x -y y.y.y.y
ppp0 default routing interface selected (according to /proc)
HPING y.y.y.y ppp0 y.y.y.y): NO FLAGS are set, 40 headers + 0 data bytes

--- y.y.y.y hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@godfather bin]#

The tcpdump trace:

19:49:22.999108 ppp0 > x.x.x.x.cvspserver > y.y.y.y.0: .
1709055398:1709055398(0) win 512 (frag 35247:20@0+) (DF) (ttl 64)
                         4500 0028 89af 6000 4006 e0ff xxxx xxxx
                         yyyy yyyy 0961 0000 65de 1da6 6a01 476b
                         5000 0200 bf71 0000

19:49:53.303196 ppp0 < y.y.y.y > x.x.x.x: icmp: ip reassembly time exceeded
Offending pkt: x.x.x.x.cvspserver > y.y.y.y.0: . 1709055398:1709055398(0)
win 512 (frag 35247:20@0+) (DF) (ttl 45) [tos 0xc0]  (ttl 238, id 379)
                         45c0 0058 017b 0000 ee01 1a49 yyyy yyyy
                         xxxx xxxx 0b01 3caf 0000 0000 4500 0028
                         89af 6000 2d06 f3ff xxxx xxxx yyyy yyyy
                         0961 0000 65de 1da6 6a01 476b 5000 0200
                         bf71 0000 601d 1f0d 7a04 5045 0100 0000
                         4146 4345 4a45 4f46

Since LINUX's ICMP Error messages will not be bigger than 576 bytes long, if
the offending packet is big enough (not likely in a real-world situation)
we will not see the added 20 bytes in the ICMP Fragment Reassembly / ICMP
Protocol Unreachable error messages.

This unique pattern will allow us to identify LINUX based machines even if
the Precedence Bits value with the LINUX ICMP Error messages will be changed
to 0x000.


Ofir Arkin
ofir () sys-security com
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

Copyright (c) 2000 Sys-Security.com & Ofir Arkin   All rights reserved
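The three ICMP error dumps from this post, re-parsed by an added example script (not code from the post or from Sys-Security.com). It walks the outer IP header, the 8-byte ICMP header and the quoted IP header, and reports how many bytes beyond the quoted datagram's own Total Length are present, which is exactly the 20-byte surplus the post describes. The post masks the two hosts as "xxxx xxxx" / "yyyy yyyy"; the script substitutes the constructed documentation addresses 192.0.2.1 and 198.51.100.1 so the bytes parse, so IP and ICMP checksums no longer match and are deliberately not verified. A defender can run the same check against captures of their own hosts to see whether they exhibit this quoting signature.

```python
import struct
from dataclasses import dataclass

# Constructed stand-ins for the masked addresses in the post's dumps.
X = "c000 0201"   # x.x.x.x -> 192.0.2.1
Y = "c633 6401"   # y.y.y.y -> 198.51.100.1

# Hex dumps transcribed from the post's tcpdump output (checksums unchanged,
# so they will not validate against the substituted addresses).
SAMPLES = {
    "port_unreachable": f"""
        45c0 0038 d22c 0000 ee01 4e60 {Y}
        {X} 0303 a88e 0000 0000 4500 001c
        06c4 0000 2c11 dc95 {X} {Y}
        0812 07d0 0008 4484""",
    "protocol_unreachable": f"""
        45c0 0044 075c 0000 ff01 b59a {Y}
        {X} 0302 fb1a 0000 0000 4500 0014
        92f7 0000 2726 02cb {X} {Y}
        0050 dc84 ae6f 6910 0000 0000 5004 0000
        bd89 0000""",
    "time_exceeded": f"""
        45c0 0058 017b 0000 ee01 1a49 {Y}
        {X} 0b01 3caf 0000 0000 4500 0028
        89af 6000 2d06 f3ff {X} {Y}
        0961 0000 65de 1da6 6a01 476b 5000 0200
        bf71 0000 601d 1f0d 7a04 5045 0100 0000
        4146 4345 4a45 4f46""",
}

# ICMP error types that carry a quote of the offending datagram (RFC 792).
QUOTING_TYPES = {3: "dest unreachable", 4: "source quench", 5: "redirect",
                 11: "time exceeded", 12: "parameter problem"}


@dataclass
class QuoteReport:
    icmp_type: int
    icmp_code: int
    outer_tos: int              # the post notes Linux sets this to 0xc0
    quoted_total_length: int    # Total Length field of the quoted IP header
    quoted_bytes_present: int   # bytes actually following the ICMP header

    @property
    def extra_bytes(self) -> int:
        """Positive: surplus beyond the quoted datagram; negative: quote truncated."""
        return self.quoted_bytes_present - self.quoted_total_length


def hexdump_to_bytes(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def analyse_icmp_error(pkt: bytes) -> QuoteReport:
    ver_ihl, tos, total_len = struct.unpack("!BBH", pkt[:4])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("outer protocol is not ICMP")
    if len(pkt) < total_len:
        raise ValueError("capture shorter than IP Total Length")
    icmp = pkt[ihl:total_len]           # honour Total Length, ignore trailing padding
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in QUOTING_TYPES:
        raise ValueError(f"ICMP type {icmp_type} does not quote a datagram")
    quoted = icmp[8:]
    if len(quoted) < 20:
        raise ValueError("quote too short to hold an IP header")
    _, _, q_total_len = struct.unpack("!BBH", quoted[:4])
    return QuoteReport(icmp_type, icmp_code, tos, q_total_len, len(quoted))


def describe(r: QuoteReport) -> str:
    if r.extra_bytes < 0:
        return f"quote truncated by {-r.extra_bytes} bytes"
    if r.extra_bytes == 0:
        return "entire offending datagram quoted"
    return f"entire offending datagram quoted plus {r.extra_bytes} surplus bytes"


def analyse_all() -> dict:
    return {name: analyse_icmp_error(hexdump_to_bytes(d)) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in analyse_all().items():
        print(f"{name}: type {r.icmp_type} code {r.icmp_code}, tos 0x{r.outer_tos:02x}, "
              f"quoted Total Length {r.quoted_total_length}, bytes present "
              f"{r.quoted_bytes_present} -> {describe(r)}")
```

The Port Unreachable dump yields a surplus of 0, while the Protocol Unreachable and Fragment Reassembly Time Exceeded dumps each yield a surplus of 20, matching the post. The same parser flags a negative value when the quote is cut short, which is what the post predicts for offending datagrams large enough to hit the 576-byte ceiling.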