Security Incidents mailing list archives
Re: Should I be concerned about?
From: faial () rio-de-janeiro sns slb com (Jose Carlos Faial)
Date: Thu, 01 Nov 2001 14:05:12 -0300
Thanks to all.I found the problem source: CheckPoint software sending VPN data to a unreachable host. This time was just legitimate traffic.
Thanks to all again. At 07:21 PM 10/31/2001 -0800, John Sage wrote:
Jose: See: http://sys-security.com/archive/securityfocus/icmptools.htmlOfir Arkin (who seems to hang out a lot on the snort list..) has quite a bit to say about icmp usage for nefarious purposes.The description of his web site/business is:"Sys-Security.com is a web site dedicated to computer security research. It is the home of the "ICMP Usage In Scanning" research project."Also, snort seems to offer more information about the original packet payload; here's a sample from a thread ( http://www.incidents.org/archives/intrusions/msg01716.html ) that turned out to be an example of backscatter: forged "source" IP addresses that were originating in a DoS against an ISP in India back in September...Sep 14 19:14:55 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=1 208.51.243.18:3 12.82.133.214:1 L=56 S=0x00 I=0 F=0x0000 T=242 (#49) 09/14-19:14:55.316850 208.51.243.18 -> 12.82.133.214 ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56 Type:3 Code:1 DESTINATION UNREACHABLE: HOST UNREACHABLE ** ORIGINAL DATAGRAM DUMP: 12.82.133.214:38844 -> 202.46.194.5:16925 TCP TTL:233 TOS:0x8 ID:40770 IpLen:20 DgmLen:40 Seq: 0x81079A10 Ack: 0xB3444000 ** END OF DUMP 00 00 00 00 45 08 00 28 9F 42 40 00 E9 06 D4 28 ....E..(.B@....( 0C 52 85 D6 CA 2E C2 05 97 BC 42 1D 81 07 9A 10 .R........B.....(hmm.. Actually this is both ipchains and snort.) The point here is that the "ORIGINAL DATAGRAM DUMP" is forged. My firewall (allegedly at "12.82.133.214") *never* sends out tcp packets on port 38844...Do you have any comparable detail for the packets you're seeing? - John Jose Carlos Faial wrote:Hi all,Today morning I start receiving a lot of ICMP packets from a host, apparently in China (if the source address was not spoffed). The first packet was:[2001-10-31 11:52:25] ICMP Destination Unreachable (Port Unreachable) IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX hlen=5 TOS=192 dlen=56 ID=37607 flags=0 offset=0 TTL=235 chksum=27228 ICMP: type=Destination Unreachable code=Port Unreachable checksum=39472 id= seq= Payload: length = 32 000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF ....E..N....h... 010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80 ..#<..?......:a. following thousands of packets like this: [2001-10-31 12:42:10] ICMP Time-To-Live Exceeded in Transit IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX hlen=5 TOS=192 dlen=56 ID=49325 flags=0 offset=0 TTL=235 chksum=15510 ICMP: type=Time Exceeded code=0 checksum=48251 id= seq= Payload: length = 32 000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13 ....E..tJ....... 010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E ..#<..?......`6.I know that this can be just legitimate ICMP traffic, but I have a bad felling about this activity. I am sure that the target machine never tried to connect to or to send any kind of packet to the 203.193.63.9 machine, so ICMP Time-To-Live would not be expected. They are "unsolicited" packets. My question is "Can a hacker forge an ICMP packet to bypass the firewall and use its payload (payload data is different for each packet received) to send data to a trojan (listening for ICMP traffic on the target machine)? "Thanks to all. faial---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service.For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
José Carlos Faial Engineer Schlumberger Network Solutions Rio de Janeiro - Brazil http://www.slb.com/nws -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GCS d- s--:+ a? C+++$ UL+++ P++ L++++ E--- W++ N+ !o K- w--- O- M+ V PS+ !PE Y+ PGP++ t+@ 5+ X++ R tv- b+++ DI++++ D+++ G++ e++ h++ r++ y? ------END GEEK CODE BLOCK------ WARNING: This message was quadruple ROT13'ed for your protection. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: Should I be concerned about? John Sage (Oct 31)
- Re: Should I be concerned about? Jose Carlos Faial (Nov 01)