ICMP Usage In Scanning v2.0 - Research Paper

["Ofir Arkin" <ofir () itcon-ltd com>]

I have finished the second version of my research paper "ICMP usage in 
scanning". The first version was published in July 1st, 2000.

Introduction to Version 2.0
Quite a large number of new OS fingerprinting methods using ICMP, which 
I have discovered are introduced with this revision. Among those methods,
some can be used in order to identify Microsoft Windows 2000 machines; 
One would allow us to distinguish between Microsoft Windows operating 
system machines and the rest of the world; Another would allow us 
to distinguish between SUN Solaris machines and the rest of the world. 
More methods are introduced in the paper.
 
I have also tried to be accurate as possible with data presented in this 
paper. Few tables have been added to the paper mapping the behavior of 
the various operating systems I have used. These tables describe the 
results I got from the various machines after querying them with the 
various tests introduced with this paper. 

I have also corrected and tuned the information, trying to pinpoint exactly
which OS will do what.

I hope the second version would be beneficial in understanding the hazards 
the ICMP protocol introduce if you do not filter it correctly.

For corrections/ additions/ suggestions for this research paper, please 
send email to ofir () itcon-ltd com. Further Information and updates would 
be posted to http://www.sys-security.com. 


> From the Introduction to Version 1.0:

"The Internet Control Message Protocol is one of the debate full 
protocols in the TCP/IP protocol suite regarding its security hazards. 
There is no consent between the experts in charge for securing Internet 
networks (Firewall Administrators, Network Administrators, System
Administrators, Security Officers, etc.) regarding the actions that 
should be taken to secure their network infrastructure in order to 
prevent those risks.

In this paper I have tried to outline what can be done with the ICMP 
protocol regarding scanning."

The paper deals with plain Host Detection techniques, Advanced Host 
Detection techniques, Inverse Mapping, Trace routing, OS finger 
printing methods with ICMP, and which ICMP traffic should be 
filtered on a Filtering Device.

The paper can be downloaded from http://www.sys-security.com.
http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.pdf. ~600kb.
http://www.sys-security.com/archive/papers/ICMP_Scanning_v2.0.ps.  ~2.55mb.



Cheers

Ofir Arkin  [ofir () itcon-ltd com]
Senior Security Analyst
ITcon, Israel.
http://www.itcon-ltd.com

Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards