Security Incidents mailing list archives
icmp unreachables and address spoofing
From: Donald McLachlan <don () MAINFRAME DGRC CRC CA>
Date: Thu, 10 Aug 2000 11:11:03 -0400
Lately I've been watching ICMP host unreachable messages coming back to our site. These packets are interesting because some are being sent to unused addresses of ours:

13:59:18.970932 38.7.135.1 > 142.62.64.9: icmp: host 205.253.207.97 unreachable (ttl 249, id 0)
                         4500 0038 0000 0000 f901 4675 2607 8701
                         8e3e 4009 0301 3df3 0000 0000 4508 0028
                         f266 0000 ff06 5dba 8e3e 4009 cdfd cf61
                         037f a0b4 1768
13:59:19.595395 38.7.135.1 > 142.62.119.111: icmp: host 205.253.207.97 unreachable (ttl 249, id 0)
                         4500 0038 0000 0000 f901 0f0f 2607 8701
                         8e3e 776f 0301 35cf 0000 0000 4508 0028
                         5ac4 0000 ff06 bdf6 8e3e 776f cdfd cf61
                         6bdc d81d 7fc5
13:59:20.350454 38.7.135.1 > 142.62.167.111: icmp: host 205.253.207.97 unreachable (ttl 249, id 0)
                         4500 0038 0000 0000 f901 df0e 2607 8701
                         8e3e a76f 0301 5553 0000 0000 4508 0028
                         ba20 0000 ff06 2e9a 8e3e a76f cdfd cf61
                         cb38 f8e0 df21

I pinged 205.253.207.97, and it was reachable ... I guess it is always possible there were temporary network problems.

I pinged 38.7.135.1; the TTL on the ICMP echo reply agrees with the TTL on the ICMP unreachable messages above, so it appears 38.7.135.1 could have sent these packets.

Is it possible this is a network mapping attempt against us? That is, will routers send icmp host unreachable messages in reply to these messages? If I'm reading the RFCs correctly, error messages should not be sent in response to error messages, so I don't think this is a mapping attempt against us, but please correct me if I am wrong.

So what is the purpose of these packets? Are they just spoofing our address as part of a DoS attack, or as cover for other scans of 205.253.207.97?

As for where the packets come from, if the ICMP messages really do come from 38.7.135.1, I suspect the "packets from 142.62-net" come from there too, as the TTL on the stimulus packet was 0xff (from ff06). This means the stimulus packet either was generated by 38.7.135.1, or originated from a host on a LAN it is directly connected to.
Anyone have any theories or suggestions about how to proceed?

Don

P.S. 38.7.135.1 does not show up in any of the on-line versions of the Bill Cheswick network maps, so I question whether 38.7.135.1 is really a router.

P.P.S. packets were recorded Aug 9, 2000. Times are EST (GMT -4).
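The reasoning in the post (read the outer header for the reporting router, the ICMP type/code, then the quoted inner header for the claimed source, protocol and TTL) can be done mechanically over the tcpdump -x dumps. The following decoder is an added example written for this archive page, not code from the original post. It assumes the poster's "142.62-net" is 142.62.0.0/16 and that the quoted packet started with an initial TTL of 255, which is the post's own inference; both are marked as assumptions in the code. It also handles the one wrinkle in the dumps: the outer total length says 56 bytes but only 54 were captured (the default snaplen cut the TCP header after the ports), so the ICMP checksum cannot be verified and only the port numbers of the quoted transport header are recovered.

```python
"""Decode tcpdump -x hex dumps of ICMP host-unreachable packets: outer IP
header, ICMP type/code, the quoted (inner) IP header and whatever transport
bytes survived the capture snaplen.  Added example, not the post's code."""
import struct
from ipaddress import IPv4Address, ip_network

# The three dumps copied from the post (tcpdump -x output, 54 bytes each).
DUMPS = [
    "4500 0038 0000 0000 f901 4675 2607 8701 8e3e 4009 0301 3df3 0000 0000 "
    "4508 0028 f266 0000 ff06 5dba 8e3e 4009 cdfd cf61 037f a0b4 1768",
    "4500 0038 0000 0000 f901 0f0f 2607 8701 8e3e 776f 0301 35cf 0000 0000 "
    "4508 0028 5ac4 0000 ff06 bdf6 8e3e 776f cdfd cf61 6bdc d81d 7fc5",
    "4500 0038 0000 0000 f901 df0e 2607 8701 8e3e a76f 0301 5553 0000 0000 "
    "4508 0028 ba20 0000 ff06 2e9a 8e3e a76f cdfd cf61 cb38 f8e0 df21",
]

# Assumption: the poster's "142.62-net" is taken to be 142.62.0.0/16.
OUR_PREFIX = ip_network("142.62.0.0/16")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn whitespace-separated hex words into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def inet_checksum_ok(data: bytes) -> bool:
    """RFC 1071: the ones'-complement sum over a region that includes its own
    checksum field folds to 0xffff when the checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff


def parse_ipv4(buf: bytes, off: int) -> dict:
    """Parse the IPv4 header starting at buf[off]; options are skipped via IHL."""
    if len(buf) - off < 20:
        raise ValueError("fewer than 20 bytes left for an IPv4 header")
    vihl, _tos, tlen, ident, _frag, ttl, proto, _csum = struct.unpack_from(
        "!BBHHHBBH", buf, off)
    ihl = (vihl & 0x0f) * 4
    if vihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    hdr = buf[off:off + ihl]
    return {
        "ihl": ihl, "total_len": tlen, "id": ident, "ttl": ttl, "proto": proto,
        "src": str(IPv4Address(buf[off + 12:off + 16])),
        "dst": str(IPv4Address(buf[off + 16:off + 20])),
        # None when the capture cut the header short (cannot be verified).
        "checksum_ok": inet_checksum_ok(hdr) if len(hdr) == ihl else None,
    }


def parse_icmp_unreachable(dump: str) -> dict:
    """Decode one ICMP destination-unreachable packet and its quoted packet."""
    pkt = hexdump_to_bytes(dump)
    outer = parse_ipv4(pkt, 0)
    if outer["proto"] != 1:
        raise ValueError("outer packet is not ICMP")
    off = outer["ihl"]
    itype, icode, _icsum = struct.unpack_from("!BBH", pkt, off)
    if itype != 3:
        raise ValueError("ICMP type %d is not destination unreachable" % itype)
    captured, truncated = len(pkt), len(pkt) < outer["total_len"]
    # The ICMP checksum covers the whole message; unverifiable if bytes are missing.
    icmp_ok = None if truncated else inet_checksum_ok(pkt[off:outer["total_len"]])
    off += 8  # type, code, checksum, 4 unused bytes
    inner = parse_ipv4(pkt, off)
    off += inner["ihl"]
    sport = dport = None
    if inner["proto"] in (6, 17) and captured - off >= 4:  # TCP or UDP ports
        sport, dport = struct.unpack_from("!HH", pkt, off)
    return {
        "outer": outer, "icmp_type": itype, "icmp_code": icode,
        "icmp_checksum_ok": icmp_ok, "captured_len": captured,
        "truncated": truncated, "inner": inner, "sport": sport, "dport": dport,
        # Did the router quote a packet claiming one of our own addresses as source?
        "quoted_src_is_ours": IPv4Address(inner["src"]) in OUR_PREFIX,
        # Upper bound on routers the quoted packet crossed before the reporter,
        # assuming (as the post does) it started with the maximum initial TTL 255.
        "max_hops_before_reporter": 255 - inner["ttl"],
    }


def summarize(dump: str) -> str:
    """One line per ICMP error, in the spirit of tcpdump's own decode."""
    r = parse_icmp_unreachable(dump)
    return ("%s says host %s unreachable; quoted packet %s -> %s proto %d ttl %d "
            "ports %s->%s; captured %d of %d bytes; quoted source is ours: %s" % (
                r["outer"]["src"], r["inner"]["dst"], r["inner"]["src"],
                r["inner"]["dst"], r["inner"]["proto"], r["inner"]["ttl"],
                r["sport"], r["dport"], r["captured_len"],
                r["outer"]["total_len"], r["quoted_src_is_ours"]))


if __name__ == "__main__":
    for d in DUMPS:
        print(summarize(d))
```

Run stand-alone it prints one summary line per dump. Both IP header checksums verify on all three packets, the quoted source is always one of the 142.62.0.0/16 addresses, the quoted TTL is 255 and the quoted protocol is TCP with high, unrelated port pairs, which is exactly the pattern the post is asking about; a capture taken with a larger snaplen (tcpdump -s) would return the rest of the quoted TCP header and allow the ICMP checksum to be verified too.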