Security Incidents mailing list archives

Re: An ICMP Type 3 Signature


From: "Stephen P. Berry" <spb () MESHUGGENEH NET>
Date: Mon, 9 Oct 2000 12:53:09 -0700



In message <200010051350.JAA09245 () obelix dgrc crc ca>, Donald McLachlan writes:

> As you say the ICMP message includes the IP header of the packet which could
> not be delivered.
> 3) Look at the IP header of the included packet.  If the TTL is close to
>   (within 1 or 2 of) one of the default initial TTLs (255, 128, 64, 32)
>   you can be pretty sure that the host spoofing your addresses is behind
>   that border router.

There's a simpler and better indicator:  check to see if the source
of the ICMP packet is between the destination of the ICMP packet and
the `unreachable' host.  If this isn't the case, it's a pretty good
bet that the actual origin of the original traffic is behind the ICMP source.


> P.S.  Now that I've said how we can detect them, I bet they modify the
>      stimulus packets.  :-(

It seems unlikely.  There are much more brittle testing criteria which
are much better documented and widely used---i.e., snort signature
collections.  Although most of these (signatures in general, not snort's
in particular) are fairly trivially defeatable, the tools don't seem
to mutate very frequently[0].

-Steve

-----
0     Compared to, for example, virii.
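As an added illustration (not code from Steve's or Donald's posts), here are the two checks from this exchange applied to a constructed ICMP type 3 packet: Donald's "embedded TTL near a default" test and Steve's "is the reporting router on our path to the unreachable host" test. The host address, router addresses and the traceroute-style path are assumed sample values.

```python
import struct
import ipaddress

DEFAULT_TTLS = (255, 128, 64, 32)  # common initial TTLs named in the thread


def ipv4_header(src, dst, proto, ttl, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left zero; constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_icmp_unreachable(pkt):
    """Pull outer src/dst and the embedded (original) header's src/dst/TTL from an ICMP type 3 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if icmp[0] != 3:
        raise ValueError("not ICMP destination unreachable")
    inner = icmp[8:]  # 8-byte ICMP header, then the original IP header + 8 bytes of its payload
    return {
        "icmp_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "icmp_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_ttl": inner[8],
    }


def ttl_near_default(ttl, slack=2):
    """Donald's check: embedded TTL within a hop or two of a default initial value."""
    return any(abs(ttl - d) <= slack for d in DEFAULT_TTLS)


def suspicious_unreachable(fields, path_to_orig_dst):
    """Steve's check: the router reporting the unreachable should sit on our own path to the
    original destination.  If it does not, the traffic probably originated behind that router."""
    off_path = fields["icmp_src"] not in path_to_orig_dst
    return {"off_path": off_path, "ttl_near_default": ttl_near_default(fields["orig_ttl"])}


# Constructed scenario: 192.0.2.10 is our host, whose address was spoofed.  The spoofed packets
# went to 203.0.113.7 and were bounced by router 198.51.100.1, which is not on our path there.
ORIG_PAYLOAD = ipv4_header("192.0.2.10", "203.0.113.7", 6, 63, 8) + b"\x00" * 8
ICMP = struct.pack("!BBHI", 3, 1, 0, 0) + ORIG_PAYLOAD  # type 3, code 1 (host unreachable)
SAMPLE_PACKET = ipv4_header("198.51.100.1", "192.0.2.10", 1, 250, len(ICMP)) + ICMP
KNOWN_PATH = ["192.0.2.1", "203.0.113.1"]  # assumed traceroute result to 203.0.113.7 (constructed)

if __name__ == "__main__":
    f = parse_icmp_unreachable(SAMPLE_PACKET)
    print(f, suspicious_unreachable(f, KNOWN_PATH))
```

In practice the path list would come from a stored traceroute to the embedded destination, so the check is only as good as that topology snapshot.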

