Security Incidents mailing list archives
Re: An ICMP Type 3 Signature
From: Donald McLachlan <don () MAINFRAME DGRC CRC CA>
Date: Tue, 10 Oct 2000 08:20:02 -0400
> From spb () meshuggeneh net Mon Oct 9 15:53 EDT 2000
> To: Donald McLachlan <don () mainframe dgrc crc ca>
>
> In message <200010051350.JAA09245 () obelix dgrc crc ca>, Donald McLachlan writes:
>
> > As you say the ICMP message includes the IP header of the packet which
> > could not be delivered.
> >
> > 3) Look at the IP header of the included packet. If the TTL is close to
> > (within 1 or 2 of) one of the default initial TTLs (255, 128, 64, 32) you
> > can be pretty sure that the host spoofing your addresses is behind that
> > border router.
>
> There's a simpler and better indicator: check to see if the source of the
> ICMP packet is between the destination of the ICMP packet and the
> `unreachable' host. If this isn't the case, it's a pretty good bet that the
> actual origin of the original traffic is behind the ICMP source.
Spoof at host A (but we don't know the host's true address).
Sends packets via router B.
To unreachable address C.
Spoofing address D (which is where the ICMP unreachable address gets sent).

    A - B - (Big Internet Cloud) - C
                   |
                   D

If I understand you correctly you are saying to check if D is between B and C.
That makes no sense to me so I must be misunderstanding you. Can you please
elaborate how your method can determine that the spoofer is behind router B
(at A)? (which is what my method does)
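The TTL heuristic quoted at the top of this message (read the TTL out of the IP header that the ICMP Type 3 error carries and compare it with the default initial TTLs 255, 128, 64 and 32) is mechanical enough to script. The following is an added example, not code posted by either participant in the thread. It parses an outer IPv4/ICMP Destination Unreachable packet, pulls the embedded original header, and estimates how many hops the original sender sits from the router that generated the error. It generalises the "within 1 or 2" rule slightly by always picking the smallest default initial TTL at or above the observed value, the same convention used in passive OS fingerprinting. The addresses (RFC 5737 documentation ranges), TTL values and the sample packet are constructed for illustration, and the function and field names are this example's own.

```python
"""
Added example (not from the original thread): parse an ICMP Type 3
(Destination Unreachable) message and apply the TTL heuristic described in
the quoted post.  An ICMP error carries the IP header (plus at least 8 bytes)
of the datagram that could not be delivered, so the TTL that datagram still
had when it reached the reporting router is visible to the ICMP recipient.
Subtracting it from the nearest default initial TTL (255, 128, 64, 32)
estimates how many hops the sender sits from that router.

Addresses, TTL values and the sample packet are constructed; nothing here is
captured traffic.
"""
import struct
from ipaddress import IPv4Address

DEFAULT_INITIAL_TTLS = (32, 64, 128, 255)   # OS defaults named in the thread
ICMP_DEST_UNREACH = 3


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used to build the sample packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def estimate_hops(observed_ttl: int) -> tuple:
    """
    Pick the smallest default initial TTL >= observed_ttl and return
    (initial_ttl, hops_travelled).  Hops are counted up to the point where
    the TTL was observed, i.e. the router that generated the ICMP error.
    """
    for initial in DEFAULT_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL %d is not a valid IPv4 TTL" % observed_ttl)


def parse_icmp_unreachable(pkt: bytes) -> dict:
    """
    Parse outer IPv4 + ICMP Type 3 and the embedded (inner) IPv4 header.
    Raises ValueError if the packet is not an ICMP Destination Unreachable.
    """
    if pkt[0] >> 4 != 4 or pkt[9] != 1:            # IPv4 version nibble, protocol 1 = ICMP
        raise ValueError("not an IPv4/ICMP packet")
    outer_ihl = (pkt[0] & 0x0F) * 4                # honour IP options if present
    icmp = pkt[outer_ihl:]
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("ICMP type %d is not Destination Unreachable" % icmp_type)
    inner = icmp[8:]                               # original datagram follows the 8-byte ICMP header
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:                 # RFC 792: header + at least 8 bytes of payload
        raise ValueError("truncated inner datagram")
    inner_ttl = inner[8]                           # TTL is byte 8 of the IPv4 header
    initial, hops = estimate_hops(inner_ttl)
    return {
        "icmp_source": str(IPv4Address(pkt[12:16])),        # router B that could not deliver
        "icmp_destination": str(IPv4Address(pkt[16:20])),   # spoofed address D, which receives the error
        "icmp_code": icmp_code,
        "inner_source": str(IPv4Address(inner[12:16])),     # claimed (spoofed) source
        "inner_destination": str(IPv4Address(inner[16:20])),  # unreachable host C
        "inner_ttl": inner_ttl,
        "assumed_initial_ttl": initial,
        "hops_from_icmp_source": hops,
    }


def spoofer_near_router(report: dict, max_hops: int = 2) -> bool:
    """The post's rule: inner TTL within 1 or 2 of a default initial TTL."""
    return report["hops_from_icmp_source"] <= max_hops


def build_sample() -> bytes:
    """Constructed: router B (192.0.2.1) reports that a TCP SYN claiming to be
    from D (198.51.100.7) to C (203.0.113.9) was undeliverable; the inner TTL
    of 254 means the sender is one hop behind B."""
    tcp_stub = struct.pack("!HHI", 40000, 80, 0xDEADBEEF)   # first 8 bytes of the inner TCP header
    inner = ipv4_header("198.51.100.7", "203.0.113.9", ttl=254, proto=6,
                        payload_len=len(tcp_stub)) + tcp_stub
    icmp_body = struct.pack("!BBHI", ICMP_DEST_UNREACH, 1, 0, 0) + inner   # code 1 = host unreachable
    icmp_body = icmp_body[:2] + struct.pack("!H", checksum(icmp_body)) + icmp_body[4:]
    return ipv4_header("192.0.2.1", "198.51.100.7", ttl=250, proto=1,
                       payload_len=len(icmp_body)) + icmp_body


if __name__ == "__main__":
    report = parse_icmp_unreachable(build_sample())
    print(report)
    print("spoofer within 2 hops of ICMP source:", spoofer_near_router(report))
```

Feed it the raw bytes of an ICMP Type 3 datagram read from a pcap or a raw socket and the returned dictionary gives the reporting router, the address the spoofer borrowed, the host it was aiming at, and the hop estimate. The estimate only holds if the spoofer left its operating system's default initial TTL in place; a tool writing raw packets can set any TTL it likes, so a low or oddly placed inner TTL is a signal in itself rather than a measurement.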
Current thread:
- An ICMP Type 3 Signature Stephen P. Berry (Oct 04)
- Re: An ICMP Type 3 Signature Russell Fulton (Oct 10)
- Re: An ICMP Type 3 Signature Steffen Dettmer (Oct 11)
- <Possible follow-ups>
- Re: An ICMP Type 3 Signature Donald McLachlan (Oct 05)
- Re: An ICMP Type 3 Signature Stephen P. Berry (Oct 10)
- Re: An ICMP Type 3 Signature Donald McLachlan (Oct 10)
- Re: An ICMP Type 3 Signature Stephen P. Berry (Oct 11)
- Re: An ICMP Type 3 Signature Jay Random (Oct 11)
- Re: An ICMP Type 3 Signature George Bakos (Oct 13)
- Re: An ICMP Type 3 Signature Jay Random (Oct 17)
- Re: An ICMP Type 3 Signature George Bakos (Oct 19)