Security Incidents mailing list archives

Re: ICMP_TIME_EXCEEDED to network address?


From: Robert Turner <robert.d.turner () BT COM>
Date: Thu, 1 Feb 2001 08:58:12 -0000

Hi

Does any of you have an idea what this could mean? I see lots of packets
from a certain IP to my class C network address (aaa.bbb.ccc.0) with an
ICMP type of 11 (Time Exceeded). Could this be a DoS?

We've been seeing this traffic for almost a year now, from wildly differing
sites and locations. Our belief is that it is coming from a network mapping
tool that has been incorrectly (or correctly?) configured. However, I had
not thought of the idea that it might be a side-effect of a DoS as mentioned
in another posting.

Our understanding is that:

Attacker sends a faked packet to a router with a TTL that is bound to expire
on receipt.
The router (correctly) sends a time-expired packet to the forged address -
usually x.y.z.0 or x.y.0.1.
The recipient of the time-expired packet does one of the following:
  -  Delete Packet at Firewall
  -  Treat packet as a broadcast packet
  -  Treat packet as for a host (if network < /24)
  -  Return host-unreachable packet to return-address, the address of the
     attacker.

This way, a mapping of routers can be discovered (if the third or fourth
options are used). The identity of the attacker can be discovered from the
address contained within the time-exceeded packet.

From experimentation, different routers/switches behave in different ways
to this attack. Some versions treat the network address exactly the same
as the broadcast address (I remember that this was common about ten to
fifteen years ago), some convert the network address to a full broadcast
address (255.255.255.255) and some just dump the packet.

I hope that this helps, and if anyone knows which tool is being used PLEASE
could you let me know - it has been bugging us for at least six months!

Many thanks,

Robert

Robert Turner
Hadrian Security Solutions
British Telecom
Robert.D.Turner () bt com
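As an added example, not taken from Robert's post or any tool the list discusses, here is a small Python filter that picks ICMP type 11 (Time Exceeded) packets addressed to a /24's network or broadcast address out of firewall-style log lines and counts them per sender, which is the traffic pattern described above. The log format, the 192.0.2.0/24 network standing in for aaa.bbb.ccc.0, and all addresses are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample log lines (not from the original post): one ICMP record
# per line in a simple key=value firewall style. 192.0.2.0/24 is our network.
SAMPLE_LOG = """\
2001-02-01 08:51:02 src=198.51.100.7 dst=192.0.2.0 proto=icmp type=11 code=0
2001-02-01 08:51:03 src=198.51.100.7 dst=192.0.2.0 proto=icmp type=11 code=0
2001-02-01 08:52:10 src=203.0.113.9 dst=192.0.2.44 proto=icmp type=11 code=0
2001-02-01 08:53:41 src=203.0.113.9 dst=192.0.2.255 proto=icmp type=11 code=1
2001-02-01 08:54:00 src=198.51.100.7 dst=192.0.2.17 proto=icmp type=8 code=0
2001-02-01 08:55:12 src=198.51.100.7 dst=192.0.2.0 proto=icmp type=11 code=0
"""

# Assumed /24; in the post this is the "class C network address" aaa.bbb.ccc.0.
OUR_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_line(line):
    """Turn 'date time k=v k=v ...' into a dict of the k=v fields."""
    return dict(field.split("=", 1) for field in line.split()[2:])


def is_suspect(fields, net=OUR_NET):
    """True for an ICMP Time Exceeded (type 11) packet whose destination is
    the network address or the directed broadcast address of `net`, i.e. a
    reply that no real host on our side could have solicited."""
    if fields.get("proto") != "icmp" or fields.get("type") != "11":
        return False
    dst = ipaddress.ip_address(fields["dst"])
    return dst in (net.network_address, net.broadcast_address)


def summarise(log, net=OUR_NET):
    """Count suspect packets per source address so repeat senders stand out."""
    counts = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if is_suspect(fields, net):
            counts[fields["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, n in sorted(summarise(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} ICMP Time Exceeded packet(s) to network/broadcast address")
```

Packets to an ordinary host address (192.0.2.44 above) are left alone, since a legitimate traceroute reply to that host looks the same on the wire; only the ones aimed at .0 or .255 are counted.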
