Security Incidents mailing list archives

Re: ICMP timex to X.Y.Z.0


From: don () MAINFRAME DGRC CRC CA (Donald McLachlan)
Date: Sun, 2 Jan 2000 15:13:17 -0500


Hi Dave,

Not too unlike what I proposed to someone this AM.  Covert channel tunnelled
through ICMP.

Actually they should have very few bytes in them.  A properly formed ICMP timex
packet is 0x38 bytes.  I've been concentrating on the unreachable messages to
X.Y.Z.0 (assuming they came from a router closer to the spoofer).  They too should
be 0x38 bytes.  But I've seen several of 0x66 bytes, some as large as 0x8c bytes.

I don't think these were sent by a router.  Maybe by a host faking being a router.

Currently I think these may be the key.

Don
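
The size check described in the message above, as an added example that is not part of the original post: it computes the minimal length of an ICMP time exceeded or unreachable message from the two IP header lengths (0x38 bytes when neither header carries options) and reports how many bytes a packet carries beyond that. The addresses and sample packets are constructed, and the function names are hypothetical.

```python
import socket
import struct

ICMP_ERRORS = {3: "unreachable", 11: "time exceeded"}

def ipv4_header(src, dst, proto, total_len):
    # 20-byte IPv4 header without options; checksum left at 0 (not verified here)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def make_icmp_error(icmp_type, quoted_len):
    # Constructed sample: quoted_len bytes of the original datagram follow its header.
    # 198.51.100.0 stands in for the X.Y.Z.0 address (documentation range, assumption).
    inner = ipv4_header("198.51.100.0", "203.0.113.9", 17, 20 + quoted_len) + bytes(quoted_len)
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0) + inner
    return ipv4_header("192.0.2.1", "198.51.100.0", 1, 20 + len(icmp)) + icmp

def check_icmp_error(packet):
    """Return (kind, actual_len, expected_len, excess), or None if not an ICMP error."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    outer_ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < outer_ihl + 8 + 20:
        return None
    icmp_type = packet[outer_ihl]
    if icmp_type not in ICMP_ERRORS:
        return None
    inner_ihl = (packet[outer_ihl + 8] & 0x0F) * 4
    # outer IP header + ICMP header + quoted IP header + 8 bytes of original data
    expected = outer_ihl + 8 + inner_ihl + 8
    actual = struct.unpack("!H", packet[2:4])[0]  # outer total-length field
    return ICMP_ERRORS[icmp_type], actual, expected, actual - expected

if __name__ == "__main__":
    # Constructed packets matching the sizes quoted in the message: 0x38, 0x66, 0x8c
    for icmp_type, quoted in [(11, 8), (3, 8), (3, 54), (3, 92)]:
        kind, actual, expected, excess = check_icmp_error(make_icmp_error(icmp_type, quoted))
        flag = "REVIEW" if excess > 0 else "ok"
        print(f"{kind:13s} len=0x{actual:02x} expected=0x{expected:02x} "
              f"excess={excess:3d} {flag}")
```

Routers implementing RFC 1812 may quote more than 8 bytes of the original datagram, so a positive excess marks a packet whose extra bytes should be inspected rather than one that is anomalous by size alone.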

