Full Disclosure mailing list archives
Re: Re: ICMP DestinationUnreachable Port Unreachable
From: Netragard Security Advisories <advisories () netragard com>
Date: Wed, 16 Aug 2006 23:43:15 -0400
Fetch, I had already considered that actually. I found that it was just back scatter though. Someone must have been doing something naughty and I caught a little bit of the noise. Never the less, weird payloads... but nothing for me to be concerned about. Fetch, Brandon wrote:
Isn't there a new Trojan that's using ICMP to send back it's pilfered data? It's encrypted (if I remember correctly) so no clear-text reading of what's sent and that may explain why you're seeing the random data. The padding of the same characters in individual packets may designate start/stop points in the transmission segments. Just my $.02... Brandon -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Adriel T. Desautels Sent: Wednesday, August 16, 2006 10:30 AM To: Adriel T. Desautels Cc: full-disclosure () lists grok org uk; Valdis.Kletnieks () vt edu Subject: Re: [Full-disclosure] Re: ICMP DestinationUnreachable Port Unreachable Also, I failed to mention that they came in bursts of 3 every 5 minutes on the dot. Adriel T. Desautels wrote:Well, After over 100,000 alerts each with very different payloads the traffic stopped. I do have a list of all of the dropped packets frommyfirewall as well and it appears that it was hitting 3 IP addresseswhichare public facing, not just one. The weird part, is that two of those three aren't even live. So I think that this may have been noise fromadifferent attack... I'd be very interested in decoding the payloads for some of these. Anyone here have any tools to do such a decode? I'd rather not do it manual if at all possible. Valdis.Kletnieks () vt edu wrote:On Wed, 16 Aug 2006 12:33:13 BST, Barrie Dempster said:Although the port 0 in this case is a red herring and irrelevant.Port 0itself when used with TCP/UDP (not ICMP!) can actually be used ontheInternet. A while back I modified netcat and my linux kernel so thatit wouldallow usage of port 0 and was able to connect to a remote machinevia TCPwith that port and communicate fine.Of course, the poor security geek who see a TCP SYN from port 0 toport 0,and then a SYN+ACK reply back, will be going WTF??!? for the rest ofthe day. :)(Another good one to induce head-scratching is anything that does RFC1644-style T/TCP. Anytime you see a packet go by in one directionwithSYN/FIN *and* data, and the reply has SYN/ACK/FIN and data.. ;) data on it... ;)------------------------------------------------------------------------_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- Regards, Netragard Vulnerability Research Team advisories at netragard dot com http://www.netragard.com ------------------------- "We make I.T. Secure" BullGuard Anti-virus has scanned this e-mail and found it clean. Try BullGuard for free: www.bullguard.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RE: Re: ICMP DestinationUnreachable Port Unreachable Fetch, Brandon (Aug 16)
- Re: Re: ICMP DestinationUnreachable Port Unreachable Netragard Security Advisories (Aug 16)