Security Incidents mailing list archives

Re: An ICMP Type 3 Signature


From: "Stephen P. Berry" <spb () MESHUGGENEH NET>
Date: Tue, 10 Oct 2000 10:03:52 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Donald McLachlan writes:

>> There's a simpler and better indicator:  check to see if the source
>> of the ICMP packet is between the destination of the ICMP packet and
>> the `unreachable' host.  If this isn't the case, it's a pretty good
>> bet that the actual origin of the original traffic is behind the ICMP
>> source.
>
> Spoof at host A (but we don't know the host's true address).
> Sends packets via router B.
> To unreachable address C.
> Spoofing address D (which is where the ICMP unreachable message gets sent).
>       A - B - (Big Internet Cloud) - C
>                       |
>                       D
> If I understand you correctly you are saying to check if D is between
> B and C.  That makes no sense to me so I must be misunderstanding you.
> Can you please elaborate how your method can determine that the spoofer is
> behind router B (at A)?  (which is what my method does)

I'm not suggesting that what I describe determines if D is between B
and C (in your diagram);  that, as you note, doesn't make much sense.

If you check to see if the source of the ICMP packet (B) is between
the destination of the ICMP packet (D) and the `unreachable' host (C),
and it isn't, then it's a good bet that the spoofing host is behind
the ICMP source (B).

Actual techniques for network mapping (even the blazingly obvious and
inelegant one offered by the ICMP datagram itself) left as an exercise
for the reader.

- -Steve

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE540vNG3kIaxeRZl8RApLcAJ9lav1lrP16Nd/mD0auWFceFgMBMQCeKkOF
XOhWXW7ujAuPgtrXZEht6Js=
=/MHG
-----END PGP SIGNATURE-----
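The check Steve describes, worked through on a raw packet, as an added example that is not part of the original thread and not code from either poster. It builds an ICMP type 3 packet matching Donald's diagram (router B reports an unreachable C to D, because the quoted datagram carried D as its forged source), pulls B, D and C back out of the bytes, and then asks whether B sits on the route from D to C. The route is assumed to be supplied as a list of hops (for instance from a traceroute run at D); the addresses are RFC 5737 documentation ranges and the hop list is constructed, as is the packet itself.

```python
"""Berry's heuristic for spoofed-source ICMP unreachables, on a constructed packet."""
import ipaddress
import struct


def _checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def icmp_unreachable(router: str, victim: str, offending: bytes, code: int = 1) -> bytes:
    """What router B emits: IPv4 + ICMP type 3 + IP header and first 8 bytes of the offending datagram."""
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + offending[:28]
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return ipv4_header(router, victim, 1, len(icmp)) + icmp


def parse_icmp_unreachable(packet: bytes) -> dict:
    """Extract the addresses the heuristic needs from a raw IPv4 / ICMP type 3 packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not ICMP")
    icmp = packet[ihl:]
    if icmp[0] != 3:
        raise ValueError("not ICMP destination unreachable")
    inner = icmp[8:]                      # quoted header of the datagram that was rejected
    if len(inner) < 20:
        raise ValueError("truncated quoted datagram")
    return {
        "icmp_src": str(ipaddress.IPv4Address(packet[12:16])),  # B: the router complaining
        "icmp_dst": str(ipaddress.IPv4Address(packet[16:20])),  # D: who received the complaint
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),   # claimed sender of the rejected datagram
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),   # C: the unreachable host
    }


def origin_is_behind_icmp_source(packet: bytes, path_dst_to_unreachable: list) -> bool:
    """Berry's check.

    path_dst_to_unreachable is the list of router hops D's own traffic to C
    traverses (assumed to come from a traceroute run at D). If B is not one of
    those hops, a datagram really sent by D to C could never have reached B,
    so the rejected datagram came from somewhere behind B instead.
    """
    f = parse_icmp_unreachable(packet)
    if f["orig_src"] != f["icmp_dst"]:
        # The unreachable was not delivered to the claimed sender; not the case under discussion.
        raise ValueError("quoted source does not match ICMP destination")
    return f["icmp_src"] not in path_dst_to_unreachable


# Constructed sample matching the thread's diagram: A (unknown) behind router B sends to
# unreachable C with source forged as D; B's unreachable therefore lands at D.
ROUTER_B = "192.0.2.1"
VICTIM_D = "198.51.100.7"
UNREACHABLE_C = "203.0.113.9"

FORGED_DATAGRAM = ipv4_header(VICTIM_D, UNREACHABLE_C, 17, 8) + b"\x00" * 8  # 8 bytes of UDP-like payload
SAMPLE_PACKET = icmp_unreachable(ROUTER_B, VICTIM_D, FORGED_DATAGRAM)

# Hops D actually takes to reach C (constructed; in practice from a traceroute at D). B is not among them.
PATH_D_TO_C = ["198.51.100.1", "10.0.0.1", "10.0.1.1", "203.0.113.1"]

if __name__ == "__main__":
    print(parse_icmp_unreachable(SAMPLE_PACKET))
    print("origin behind ICMP source:", origin_is_behind_icmp_source(SAMPLE_PACKET, PATH_D_TO_C))
```

The only external input the check needs is the hop list; everything else comes from the ICMP packet itself, since a type 3 message quotes the IP header of the datagram it rejected. If B does appear on D's route to C, the heuristic says nothing either way, which is exactly the limit Steve's "pretty good bet" wording admits.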
