Full Disclosure mailing list archives

Re: Re: ICMP DestinationUnreachable Port Unreachable


From: Netragard Security Advisories <advisories () netragard com>
Date: Wed, 16 Aug 2006 23:43:15 -0400

Fetch,
    I had already considered that actually. I found that it was just
back scatter though. Someone must have been doing something naughty and
I caught a little bit of the noise. Nevertheless, weird payloads...
but nothing for me to be concerned about.

Fetch, Brandon wrote:
Isn't there a new Trojan that's using ICMP to send back its pilfered
data?  It's encrypted (if I remember correctly) so no clear-text reading
of what's sent and that may explain why you're seeing the random data.

The padding of the same characters in individual packets may designate
start/stop points in the transmission segments.

Just my $.02...

Brandon

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Adriel
T. Desautels
Sent: Wednesday, August 16, 2006 10:30 AM
To: Adriel T. Desautels
Cc: full-disclosure () lists grok org uk; Valdis.Kletnieks () vt edu
Subject: Re: [Full-disclosure] Re: ICMP DestinationUnreachable Port
Unreachable

Also,
    I failed to mention that they came in bursts of 3 every 5 minutes on
the dot.

Adriel T. Desautels wrote:

Well,
    After over 100,000 alerts each with very different payloads the
traffic stopped. I do have a list of all of the dropped packets from my
firewall as well and it appears that it was hitting 3 IP addresses which
are public facing, not just one. The weird part is that two of those
three aren't even live. So I think that this may have been noise from a
different attack...

    I'd be very interested in decoding the payloads for some of these.
Anyone here have any tools to do such a decode? I'd rather not do it
manually if at all possible.

Valdis.Kletnieks () vt edu wrote:

On Wed, 16 Aug 2006 12:33:13 BST, Barrie Dempster said:

Although the port 0 in this case is a red herring and irrelevant. Port 0
itself when used with TCP/UDP (not ICMP!) can actually be used on the
Internet. A while back I modified netcat and my linux kernel so that it would
allow usage of port 0 and was able to connect to a remote machine via TCP
with that port and communicate fine.

Of course, the poor security geek who sees a TCP SYN from port 0 to port 0,
and then a SYN+ACK reply back, will be going WTF??!? for the rest of
the day. :)

(Another good one to induce head-scratching is anything that does
RFC1644-style T/TCP.  Anytime you see a packet go by in one direction with
SYN/FIN *and* data, and the reply has SYN/ACK/FIN and data on it... ;)


------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-- 


Regards, 
        Netragard Vulnerability Research Team
        advisories at netragard dot com
        http://www.netragard.com
        -------------------------
        "We make I.T. Secure"
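
As an added example, not code from the thread or from any of its posters: a small Python decoder for ICMP Destination Unreachable / Port Unreachable messages, the kind of decode Adriel was asking for tools to do. It pulls the quoted datagram's addresses and ports out of the ICMP body and relates them to outbound flows the way a stateful firewall does, which is the check that separates a genuine error from backscatter; the sample packet and its addresses are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_port_unreachable(icmp: bytes) -> dict:
    """Decode ICMP type 3 / code 3 (outer IP header already stripped).
    RFC 792 layout: 8-byte ICMP header, the quoted IP header of the datagram
    that triggered it, then at least 8 bytes of that datagram (the ports).
    Whatever follows is extra echoed payload, where odd padding would show."""
    icmp_type, code, _cksum = struct.unpack("!BBH", icmp[:4])
    if (icmp_type, code) != (3, 3):
        raise ValueError(f"not Port Unreachable: type={icmp_type} code={code}")
    if inet_checksum(icmp) != 0:          # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4           # quoted IP header length
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"inner_src": str(IPv4Address(inner[12:16])),
            "inner_dst": str(IPv4Address(inner[16:20])),
            "proto": inner[9], "sport": sport, "dport": dport,
            "extra": inner[ihl + 8:]}

def classify(parsed: dict, sent_flows: set) -> str:
    """Relate the error to a datagram we actually sent, as a stateful
    firewall does. No matching outbound flow means we never sent what the
    message quotes: backscatter from someone spoofing our addresses."""
    key = (parsed["inner_src"], parsed["sport"],
           parsed["inner_dst"], parsed["dport"])
    return "related" if key in sent_flows else "backscatter"

def build_sample() -> bytes:
    """Constructed packet (not from the thread): Port Unreachable quoting UDP
    198.51.100.7:40000 -> 203.0.113.9:53 plus 16 bytes of repeated padding.
    The quoted IP header's own checksum is left 0 and is not checked here."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 16, 0x1234, 0,
                           64, 17, 0, IPv4Address("198.51.100.7").packed,
                           IPv4Address("203.0.113.9").packed)
    inner_udp = struct.pack("!HHHH", 40000, 53, 8 + 16, 0)
    body = inner_ip + inner_udp + b"A" * 16
    cksum = inet_checksum(struct.pack("!BBHI", 3, 3, 0, 0) + body)
    return struct.pack("!BBHI", 3, 3, cksum, 0) + body
```

Feeding it the ICMP body of each dropped packet and an empty flow set reproduces the firewall's view: every message whose quoted datagram you never sent is unsolicited.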