Security Incidents mailing list archives
Re: ICMP timex to X.Y.Z.0
From: don () MAINFRAME DGRC CRC CA (Donald McLachlan)
Date: Sun, 2 Jan 2000 15:13:17 -0500
Hi Dave,

Not too unlike what I proposed to someone this AM. Covert channel tunnelled through ICMP.

Actually they should have very few bytes in them. A properly formed ICMP timex packet is 0x38 bytes. I've been concentrating on the unreachable messages to X.Y.Z.0 (assuming they came from a router closer to the spoofer). They too should be 0x38 bytes. But I've seen several of 0x66 bytes, some as large as 0x8c bytes. I don't think these were sent by a router. Maybe by a host faking being a router. Currently I think these may be the key.

Don
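The size check described in the message above, written out as detection logic. This is an added example, not part of the original post: the function names (`inspect`, `oversized`, `build`) and the sample packets are constructed for illustration. It generalizes the 0x38 figure by computing the minimal size from the actual header lengths, which equals 0x38 when neither IP header carries options.

```python
import socket
import struct

ICMP_ERRORS = {3: "unreachable", 11: "timex"}  # the two types the post discusses

def inspect(pkt: bytes):
    """Return (name, size, extra) for an IPv4 ICMP error packet, else None.

    extra = bytes beyond outer IP hdr + 8 (ICMP) + quoted IP hdr + 8, which is
    0x38 when neither IP header carries options.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:  # IPv4, proto 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 9 or pkt[ihl] not in ICMP_ERRORS:
        return None
    inner_ihl = (pkt[ihl + 8] & 0x0F) * 4  # header length of the quoted datagram
    size = min(struct.unpack("!H", pkt[2:4])[0], len(pkt))
    return ICMP_ERRORS[pkt[ihl]], size, size - (ihl + 8 + inner_ihl + 8)

def oversized(packets):
    """Keep only ICMP errors carrying more than the minimal quote."""
    hits = (inspect(p) for p in packets)
    return [h for h in hits if h and h[2] > 0]

def build(icmp_type: int, quoted: bytes) -> bytes:
    """Constructed sample: outer IP + ICMP + quoted IP header + payload bytes.
    Addresses are documentation ranges; checksums are left zero (not checked)."""
    src, dst = socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.0")
    def ip(length, ttl, proto, s, d):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, ttl, proto, 0, s, d)
    inner = ip(20 + len(quoted), 1, 17, dst, src)
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0)
    return ip(48 + len(quoted), 255, 1, src, dst) + icmp + inner + quoted

# Constructed packets: 0x38, 0x66 and 0x8c bytes, plus a non-error (type 8).
SAMPLES = [build(11, b"A" * 8), build(3, b"B" * 54), build(3, b"C" * 92),
           build(8, b"D" * 8)]

if __name__ == "__main__":
    for name, size, extra in oversized(SAMPLES):
        print(f"{name}: {size:#x} bytes, {extra} beyond minimal quote")
```

Routers that follow RFC 1812 may quote more than 8 bytes of the original datagram, so a nonzero `extra` is a prompt to review the quoted bytes and the sender, not proof of tunnelling on its own.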