Security Incidents mailing list archives
Re: An ICMP Type 3 Signature
From: "Stephen P. Berry" <spb () MESHUGGENEH NET>
Date: Mon, 9 Oct 2000 12:53:09 -0700
In message <200010051350.JAA09245 () obelix dgrc crc ca>, Donald McLachlan writes:
> As you say the ICMP message includes the IP header of the packet which could not be delivered.
>
> 3) Look at the IP header of the included packet. If the TTL is close to (within 1 or 2 of) one of the default initial TTLs (255, 128, 64, 32) you can be pretty sure that the host spoofing your addresses is behind that border router.
There's a simpler and better indicator: check to see if the source of the ICMP packet is between the destination of the ICMP packet and the `unreachable' host. If this isn't the case, it's a pretty good bet that the actual origin of the original traffic is behind the ICMP source.
> P.S. Now that I've said how we can detect them, I bet they modify the stimulus packets. :-(
It seems unlikely. There are much more brittle testing criteria which are much better documented and widely used---i.e., snort signature collections. Although most of these (signatures in general, not snort's in particular) are fairly trivially defeatable, the tools don't seem to mutate very frequently[0].

-Steve

-----
0 Compared to, for example, virii.
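Both checks discussed in the exchange above, as an added example that is not code from the thread or its authors: it parses a constructed ICMP type 3 datagram, applies McLachlan's TTL-proximity test to the embedded IP header, and applies Berry's test that the reporting router should lie on the path from the ICMP destination toward the allegedly unreachable host. The hop list is assumed to come from a traceroute run separately; addresses and the packet itself are constructed sample data.

```python
import struct
from ipaddress import IPv4Address

# Default initial TTLs named in the thread.
DEFAULT_TTLS = (255, 128, 64, 32)

def parse_icmp_unreachable(pkt: bytes) -> dict:
    """Parse an IPv4 ICMP type 3 datagram: outer IP header, 8-byte ICMP
    header, then the IP header (+ 8 bytes) of the undeliverable packet."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp_type, icmp_code = pkt[ihl], pkt[ihl + 1]
    if icmp_type != 3:
        raise ValueError("not an ICMP destination unreachable message")
    inner = pkt[ihl + 8:]          # embedded (original) IP header starts here
    return {
        "icmp_src": str(IPv4Address(pkt[12:16])),
        "icmp_dst": str(IPv4Address(pkt[16:20])),
        "code": icmp_code,
        "orig_src": str(IPv4Address(inner[12:16])),
        "orig_dst": str(IPv4Address(inner[16:20])),
        "orig_ttl": inner[8],      # TTL byte of the embedded IP header
    }

def ttl_hint(orig_ttl: int, slack: int = 2):
    """McLachlan's heuristic: an embedded TTL within `slack` of a default
    initial TTL means the real sender was that many hops from the router
    that generated the ICMP. Returns (initial_ttl, hops) or None."""
    for initial in DEFAULT_TTLS:
        if 0 <= initial - orig_ttl <= slack:
            return initial, initial - orig_ttl
    return None

def icmp_source_on_path(info: dict, path_to_unreachable) -> bool:
    """Berry's check: the ICMP source should be one of the hops between the
    ICMP destination (us) and the unreachable host; if not, the original
    traffic most likely came from behind the ICMP source."""
    return info["icmp_src"] in path_to_unreachable

def build_sample() -> bytes:
    """Constructed packet: router 203.0.113.1 tells 198.51.100.7 that its
    UDP packet to 192.0.2.9 was unreachable; embedded TTL 254 (255 minus 1 hop)."""
    def ip_hdr(src, dst, proto, ttl, total_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl,
                           proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    inner = ip_hdr("198.51.100.7", "192.0.2.9", 17, 254, 36) + struct.pack("!HHHH", 40000, 53, 16, 0)
    icmp = struct.pack("!BBHI", 3, 1, 0, 0)   # type 3, code 1 (host unreachable)
    return ip_hdr("203.0.113.1", "198.51.100.7", 1, 64, 28 + len(inner)) + icmp + inner
```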