Security Incidents mailing list archives
Re: ICMP_TIME_EXCEEDED to network address?
From: Robert Turner <robert.d.turner () BT COM>
Date: Thu, 1 Feb 2001 08:58:12 -0000
Hi,

Does any of you have an idea what this could mean? I see lots of packets from a certain IP to my class C network address (aaa.bbb.ccc.0) with an ICMP type of 11 (Time Exceeded). Could this be a DoS?
We've been seeing this traffic for almost a year now, from wildly differing sites and locations. Our belief is that it is coming from a network mapping tool that has been incorrectly (or correctly?) configured. However, I had not thought of the idea that it might be a side-effect of a DoS as mentioned in another posting.

Our understanding is that:

Attacker sends a faked packet to a router with a TTL that is bound to expire on receipt. The router (correctly) sends a time-expired packet to the forged address - usually x.y.z.0 or x.y.0.1. The recipient of the time-expired packet does one of the following:

- Delete packet at firewall
- Treat packet as a broadcast packet
- Treat packet as for a host (if network < /24)
- Return host-unreachable packet to return-address, the address of the attacker.

This way, a mapping of routers can be discovered (if the third or fourth options are used). The identity of the attacker can be discovered from the address contained within the time-exceeded packet.

From experimentation, different routers/switches behave in different ways to this attack. Some versions treat the network address exactly the same as the broadcast address (I remember that this was common about ten to fifteen years ago), some convert the network address to a full broadcast address (255.255.255.255) and some just dump the packet.

I hope that this helps, and if anyone knows which tool is being used PLEASE could you let me know - it has been bugging us for at least six months!

Many thanks,
Robert

Robert Turner
Hadrian Security Solutions
British Telecom
Robert.D.Turner () bt com