Bugtraq mailing list archives
TOS bits (=field) Echoing with ICMP Error Messages
From: Ofir Arkin <ofir () ITCON-LTD COM>
Date: Fri, 20 Oct 2000 13:26:16 +0200
RFC 1394 specifies that an ICMP error message is always sent with the default TOS field value of 0000 (TOS field = TOS bits in the TOS Byte). When an offending packet with a TOS field value of 0000 elicits an ICMP error message from an offended host, the TOS field value with all the operating systems I have checked will be set to 0000. If we pay attention to the TOS Byte we will see that LINUX and several routers will use the value of 0xc0 for the precedence field.

What happens if the TOS field of the offending packet is set to a value different than the default (0000)? We will have several operating systems that echo the TOS field back with the ICMP error message.

Our first example is with an AIX 4.3 machine, where a UDP datagram is sent with a TOS field value of 0x10 hex:

12:33:17.319275 ppp0 > x.x.x.x.2160 > y.y.y.y.0: udp 0 [tos 0x10] (ttl 64, id 47349)
                         4510 001c b8f5 0000 4011 9bea xxxx xxxx
                         yyyy yyyy 0870 0000 0008 d18c

12:33:17.614823 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0 unreachable Offending pkt: x.x.x.x.2160 > y.y.y.y.0: udp 0 [tos 0x10] (ttl 49, id 47349, bad cksum aaea!) [tos 0x10] (ttl 241, id 17965)
                         4510 0038 462d 0000 f101 5da6 yyyy yyyy
                         xxxx xxxx 0303 f470 0000 0000 4510 0030
                         b8f5 0000 3111 aaea xxxx xxxx yyyy yyyy
                         0870 0000 0008 0000

As can be seen from the trace, the TOS field value was echoed back by the AIX machine. This was tested against AIX 4.1, 4.2.1, 4.3, 4.3 fix pack 2.

The next example is with DGUX 5.6:

12:58:57.663517 ppp0 > x.x.x.x.1074 > y.y.y.y.11: udp 0 [tos 0x8] (ttl 64, id 47314)
                         4508 001c b8d2 0000 4011 a037 xxxx xxxx
                         yyyy yyyy 0432 000b 0008 d9e1

12:58:57.984820 ppp0 < 134.210.1.200 > x.x.x.x.: icmp: y.y.y.y.200 udp port 11 unreachable Offending pkt: x.x.x.x.1074 > y.y.y.y.11: udp 0 [tos 0x8] (ttl 52, id 47314) [tos 0x8] (ttl 52, id 16984)
                         4508 0038 4258 0000 3401 22a6 yyyy yyyy
                         d508 c41c 0303 f8b7 0000 0000 4508 001c
                         b8d2 0000 3411 ac37 xxxx xxxx yyyy yyyy
                         0432 000b 0008 0000

How can we differentiate between DGUX and AIX? By paying attention to the echoing integrity. AIX 4.x sets the IP total length field value, with the echoed offending IP Header, to a value 20 bytes higher than the original. DGUX quotes this field value correctly.

The last operating system which I have found echoing the TOS field value with its ICMP error messages is LINUX, with operating systems based on Kernel 2.2.x & 2.4 (the versions of the Kernel that I have tested):

00:50:43.759906 ppp0 > x.x.x.x.1952 > y.y.y.y.0: udp 0 [tos 0x10] (ttl 64, id 15952)
                         4510 001c 3e50 0000 4011 e6b2 xxxx xxxx
                         yyyy yyyy 07a0 0000 0008 a27f

00:50:44.154556 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y.211 udp port 0 unreachable Offending pkt: x.x.x.x.1952 > y.y.y.y.0: udp 0 [tos 0x10] (ttl 47, id 15952) [tos 0xd0] (ttl 238, id 54662)
                         45d0 0038 d586 0000 ee01 a0af yyyy yyyy
                         xxxx xxxx 0303 52d5 0000 0000 4510 001c
                         3e50 0000 2f11 f7b2 xxxx xxxx yyyy yyyy
                         07a0 0000 0008 a27f

Another unique pattern with LINUX is setting the Precedence field value to 0xc0 with ICMP error messages. This helps us to differentiate LINUX from the other operating systems that echo the TOS field value. While LINUX embraced RFC 1812 instructions for routers regarding the TOS and Precedence fields, the other operating systems that echo the TOS field value don't seem to have a good excuse for doing so.

Ofir Arkin [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com
Personal Web page: http://www.sys-security.com
"Opinions expressed do not necessarily represent the views of my employer."
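The three traces in the post, turned into a fingerprinting check. This is an added example and not code from the post or from its author: it parses the raw IPv4 packet carrying an ICMP error (the bytes tcpdump -x prints), splits the outer TOS byte into its precedence and TOS-bits sub-fields, pulls the TOS byte and total length out of the quoted offending IP header, and applies the three rules the post states (TOS bits echoed with precedence 0xc0 means Linux 2.2.x/2.4; echoed with the quoted total length 20 bytes too high means AIX 4.x; echoed with a correctly quoted header means DGUX 5.6). The sample packets are the post's three ICMP hex dumps with the masked addresses (xxxx/yyyy) replaced by constructed placeholder addresses 10.0.0.1 (prober) and 10.0.0.2 (target); the fourth dump is constructed here, with zeroed checksums, to show what a host that does not echo the TOS bits looks like. Checksums are not verified.

```python
"""Fingerprint hosts by how their ICMP error messages treat the TOS byte.

Added example, not code from the post.  Sample packets are the post's hex
dumps with constructed placeholder addresses; the "rfc" sample is constructed.
"""

PRECEDENCE_MASK = 0xE0   # bits 0-2 of the TOS byte (RFC 791 precedence)
TOS_BITS_MASK = 0x1E     # bits 3-6, the 4-bit TOS field; bit 7 must be zero
LINUX_PRECEDENCE = 0xC0  # precedence value the post observes on Linux errors
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # types that quote the offending packet


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated tcpdump -x hex dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_icmp_error(pkt: bytes) -> dict:
    """Extract the TOS-related fields of an IPv4 ICMP error message."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("dump length differs from IP total length (truncated?)")
    if pkt[9] != 1:
        raise ValueError("IP protocol is not ICMP")
    icmp = pkt[ihl:]
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error message")
    inner = icmp[8:]  # quoted offending IP header follows the 8-byte ICMP header
    inner_ihl = (inner[0] & 0x0F) * 4 if inner else 0
    if len(inner) < inner_ihl + 8:  # RFC 792: header plus 64 bits of payload
        raise ValueError("quoted offending packet is too short")
    return {
        "outer_tos": pkt[1],
        "precedence": pkt[1] & PRECEDENCE_MASK,
        "tos_bits": pkt[1] & TOS_BITS_MASK,
        "icmp_type": icmp[0],
        "icmp_code": icmp[1],
        "inner_tos": inner[1],
        "inner_total_length": int.from_bytes(inner[2:4], "big"),
        "inner_id": int.from_bytes(inner[4:6], "big"),
    }


def classify(pkt: bytes, sent_tos: int, sent_total_length: int, sent_id: int) -> str:
    """Apply the post's rules, given what we know about the probe we sent."""
    f = parse_icmp_error(pkt)
    if f["inner_id"] != sent_id:
        return "quoted header is not our probe (IP id mismatch)"
    if (sent_tos & TOS_BITS_MASK) == 0:
        return "probe had TOS bits 0; send nonzero TOS bits to test echoing"
    if f["tos_bits"] != (sent_tos & TOS_BITS_MASK):
        return "no TOS echo (outer TOS byte 0x%02x)" % f["outer_tos"]
    if f["precedence"] == LINUX_PRECEDENCE:   # check before the length test
        return "Linux 2.2.x/2.4: echoes TOS bits with precedence 0xc0"
    if f["inner_total_length"] == sent_total_length + 20:
        return "AIX 4.x: echoes TOS bits, quoted total length 20 bytes too high"
    if f["inner_total_length"] == sent_total_length:
        return "DGUX 5.6: echoes TOS bits, quoted header correct"
    return "unknown host that echoes TOS bits"


# name -> (ICMP error dump, (probe TOS byte, probe total length, probe IP id))
SAMPLES = {
    "aix": ("4510 0038 462d 0000 f101 5da6 0a00 0002 0a00 0001 0303 f470 0000 0000"
            " 4510 0030 b8f5 0000 3111 aaea 0a00 0001 0a00 0002 0870 0000 0008 0000",
            (0x10, 28, 47349)),
    "dgux": ("4508 0038 4258 0000 3401 22a6 0a00 0002 0a00 0001 0303 f8b7 0000 0000"
             " 4508 001c b8d2 0000 3411 ac37 0a00 0001 0a00 0002 0432 000b 0008 0000",
             (0x08, 28, 47314)),
    "linux": ("45d0 0038 d586 0000 ee01 a0af 0a00 0002 0a00 0001 0303 52d5 0000 0000"
              " 4510 001c 3e50 0000 2f11 f7b2 0a00 0001 0a00 0002 07a0 0000 0008 a27f",
              (0x10, 28, 15952)),
    # constructed: same probe as "linux", but the error goes out with TOS byte 0x00
    "rfc": ("4500 0038 0001 0000 4001 0000 0a00 0002 0a00 0001 0303 0000 0000 0000"
            " 4510 001c 3e50 0000 2f11 f7b2 0a00 0001 0a00 0002 07a0 0000 0008 a27f",
            (0x10, 28, 15952)),
}


def fingerprint_samples() -> dict:
    """Classify every sample; returns name -> verdict string."""
    return {name: classify(hex_dump_to_bytes(dump), *probe)
            for name, (dump, probe) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in fingerprint_samples().items():
        print("%-6s %s" % (name, verdict))
```

The IP id check matters in practice: the quoted header has to be the probe's, otherwise a stale or unrelated error from a middlebox would be scored. The precedence test runs before the length test because the Linux sample quotes the header correctly and would otherwise score as DGUX.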