Security Incidents mailing list archives
Re: An ICMP Type 3 Signature
From: "Stephen P. Berry" <spb () MESHUGGENEH NET>
Date: Tue, 10 Oct 2000 10:03:52 -0700
Donald McLachlan writes:

> > There's a simpler and better indicator: check to see if the source of the ICMP packet is between the destination of the ICMP packet and the `unreachable' host. If this isn't the case, it's a pretty good bet that the actual origin of the original traffic is behind the ICMP source.
>
> Spoof at host A (but we don't know the host's true address). Sends packets via router B. To unreachable address C. Spoofing Address D (which is where the ICMP unreachable address gets sent).
>
>     A - B - (Big Internet Cloud) - C
>                      |
>                      D
>
> If I understand you correctly you are saying to check if D is between B and C. That makes no sense to me so I must be misunderstanding you. Can you please elaborate how your method can determine that the spoofer is behind router B (at A)? (which is what my method does)

I'm not suggesting that what I describe determines if D is between B and C (in your diagram); that, as you note, doesn't make much sense.

If you check to see if the source of the ICMP packet (B) is between the destination of the ICMP packet (D) and the `unreachable' host (C), and it isn't, then it's a good bet that the spoofing host is behind the ICMP source (B).

Actual techniques for network mapping (even the blazingly obvious and inelegant one offered by the ICMP datagram itself) left as an exercise for the reader.

-Steve
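The check described in this message, sketched as an added example (not code from the thread or its participants): B is the outer source of the ICMP type 3 packet, D its outer destination, C the destination in the quoted header, and B is tested against a hop list from D toward C. The hop list (for instance from a traceroute run at D), the function names and the documentation-range addresses are assumptions; the packets are constructed samples.

```python
import socket
import struct

def ipv4(src, dst, proto, payload=b""):
    """Minimal 20-byte IPv4 header (checksum left zero) plus payload, for constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def make_unreachable(b, d, c):
    """Constructed sample: B tells D that C is unreachable, quoting a datagram D -> C."""
    quoted = ipv4(d, c, 17, b"\x00" * 8)               # original header + first 8 bytes
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + quoted   # type 3, code 1 (host unreachable)
    return ipv4(b, d, 1, icmp)

def parse_unreachable(packet):
    """Return (B, D, C) = (ICMP source, ICMP destination, unreachable host)."""
    if len(packet) < 20 or packet[9] != 1:
        raise ValueError("not an IPv4 ICMP packet")
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20 or icmp[0] != 3:
        raise ValueError("not a complete ICMP destination unreachable")
    quoted = icmp[8:]                                  # header of the datagram that failed
    b, d = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    quoted_src, c = socket.inet_ntoa(quoted[12:16]), socket.inet_ntoa(quoted[16:20])
    if quoted_src != d:
        raise ValueError("quoted source does not match the ICMP destination")
    return b, d, c

def assess(packet, hops_d_to_c):
    """Heuristic from the message: if B is not between D and C, the real
    origin of the quoted traffic is probably behind B."""
    b, d, c = parse_unreachable(packet)
    on_path = b == c or b in hops_d_to_c               # C itself may send the error
    return {"icmp_source": b, "icmp_dest": d, "unreachable": c,
            "source_on_path": on_path, "origin_likely_behind_source": not on_path}

# Constructed hop list from D (198.51.100.10) toward C (203.0.113.77).
HOPS = ["198.51.100.1", "203.0.113.1"]

if __name__ == "__main__":
    print(assess(make_unreachable("192.0.2.1", "198.51.100.10", "203.0.113.77"), HOPS))
    print(assess(make_unreachable("203.0.113.1", "198.51.100.10", "203.0.113.77"), HOPS))
```

A result of `origin_likely_behind_source: True` is only as good as the hop list: asymmetric routing or a stale path can put a legitimate router off the observed path.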