Security Incidents mailing list archives
Re: ICMP time exceed in-transit packets
From: paul () MOQUIJO COM (Paul Cardon)
Date: Sun, 2 Jan 2000 16:38:02 -0500
Dave Dittrich wrote:
OK. So you have a bunch of packets, which are hard to trace, look like they are coming from all over the Internet, get successfully delivered to the target you intend, and has embedded in it at most 64 bytes of the original, purposely messed up packet.
First problem is that the intended target is a network address of the form x.x.x.0. I have been seeing this hitting a class B that where the third octet is being selected randomly and covered nearly the full range of Class C subnets. Many of these are not even in use (nice, efficient use of address space, I know). Most of the devices returning the ICMP time exceeded do appear to be routers. Second problem is that the contents are 64 bits, not bytes. If Chris had said 8 bytes, it would have been clearer to most people upon first read. These ICMP time exceeded messages consist of: 1 byte type: 11 1 byte code: 0 (for TTL equals 0 during transit) 2 byte checksum 4 byte unused: must be 0 original IP header (including options) 8 bytes of original IP datagram In my case, the original IP datagram is an ICMP echo request of which I see only the required fields (type, code, checksum, identifier, sequence number). The identifier and sequence number are both set to 0. In other words, if there is optional data in the original echo request, we don't see it. Looking at the original IP header, the header length is 20 bytes and the total length is 92 bytes. Subtracting for the ICMP message header, this means that there is potentially 92 - 20 - 8 = 64 bytes in the optional data portion of the original ICMP echo request. What it is we can't know without seeing the original packet. -paul
Current thread:
- Re: port 1150 and 4833 ?, (continued)
- Re: port 1150 and 4833 ? Frameloss, Frameloss (Jan 10)
- Re: port 119 R a v e N (Jan 05)
- Re: port 119 Scott Laws (Jan 04)
- Writeup: it. TLD going astray Arrigo Triulzi (Jan 03)
- Computer Forsenics System Administrator (Jan 03)
- Re: Computer Forsenics-> www.fish.com/forensics mike (Jan 03)
- traceroute ICMP packets Laszlo Fabian (Jan 04)
- Re: traceroute ICMP packets M J (Jan 04)
- Re: traceroute ICMP packets Larry Canup (Jan 18)
- Re: ICMP time exceed in-transit packets Paul Cardon (Jan 02)
- Re: Port Scan on 371... Etaoin Shrdlu (Jan 02)
- Re: Port Scan on 371... Christopher Wilson (Jan 02)
- correlation between porscans and local activity Thomas Molina (Jan 02)
- Re: correlation between porscans and local activity Sean Sosik-Hamor (Jan 03)
- ADMROCKS McNab, Chris (Jan 03)
- R: correlation between porscans and local activity Raistlin (Jan 04)
- Re: R: correlation between porscans and local activity Michael Babcock (Jan 12)