Security Incidents mailing list archives

icmp unreachables and address spoofing


From: Donald McLachlan <don () MAINFRAME DGRC CRC CA>
Date: Thu, 10 Aug 2000 11:11:03 -0400

Lately I've been watching ICMP host unreachable messages coming
back to our site.  These packets are interesting because some are being
sent to unused addresses of ours:

13:59:18.970932 38.7.135.1 > 142.62.64.9: icmp: host 205.253.207.97 unreachable (ttl 249, id 0)
                         4500 0038 0000 0000 f901 4675 2607 8701
                         8e3e 4009 0301 3df3 0000 0000 4508 0028
                         f266 0000 ff06 5dba 8e3e 4009 cdfd cf61
                         037f a0b4 1768
13:59:19.595395 38.7.135.1 > 142.62.119.111: icmp: host 205.253.207.97 unreachable (ttl 249, id 0)
                         4500 0038 0000 0000 f901 0f0f 2607 8701
                         8e3e 776f 0301 35cf 0000 0000 4508 0028
                         5ac4 0000 ff06 bdf6 8e3e 776f cdfd cf61
                         6bdc d81d 7fc5
13:59:20.350454 38.7.135.1 > 142.62.167.111: icmp: host 205.253.207.97 unreachable (ttl 249, id 0)
                         4500 0038 0000 0000 f901 df0e 2607 8701
                         8e3e a76f 0301 5553 0000 0000 4508 0028
                         ba20 0000 ff06 2e9a 8e3e a76f cdfd cf61
                         cb38 f8e0 df21

I pinged 205.253.207.97, and it was reachable ... I guess it is always
possible there were temporary network problems.

I pinged 38.7.135.1. The TTL on the ICMP echo reply agrees with the
TTL on the ICMP unreachable messages above, so it appears 38.7.135.1
could have sent these packets.

Is it possible this is a network mapping attempt against us?  That is, will
routers send icmp host unreachable messages in reply to these messages?
If I'm reading the RFCs correctly, error messages should not be sent in
response to error messages, so I don't think this is a mapping attempt
against us, but please correct me if I am wrong.

So what is the purpose of these packets?  Are they just spoofing our address
as part of a DoS attack, or as cover for other scans of 205.253.207.97?

As for where the packets come from, if the ICMP messages really do come from
38.7.135.1, I suspect the "packet from 142.62-net" come from there
too as the TTL on the stimulus packet was 0xff (from ff06).  This
means the stimulus packet either was generated by 38.7.135.1, or
originated from a host on a LAN it is directly connected to.

Anyone have any theories or suggestions about how to proceed?

Don

P.S. 38.7.135.1 does not show up in any of the on-line versions of the
     Bill Cheswick network maps, so I question whether 38.7.135.1
     is really a router.

P.P.S. packets were recorded Aug 9, 2000.  Times are EST (GMT -4).
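As an added example (not part of Don's post), here is a small Python script that decodes one of the tcpdump hex dumps above the way the post does by hand: the outer IP header, the ICMP type/code, and the quoted original datagram with its TTL and ports. It assumes 142.62.0.0/16 is the poster's address block; the hex bytes are re-typed from the first dump.

```python
import ipaddress
import struct

# Constructed input: the first tcpdump hex dump from the post, re-typed.
DUMP = """
4500 0038 0000 0000 f901 4675 2607 8701
8e3e 4009 0301 3df3 0000 0000 4508 0028
f266 0000 ff06 5dba 8e3e 4009 cdfd cf61
037f a0b4 1768
"""

# Assumption: the poster's own address block (142.62.x.x appears in every dump).
OUR_NET = ipaddress.ip_network("142.62.0.0/16")


def parse_ip_header(buf):
    """Return (header_len, ttl, proto, src, dst) from a minimal IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    ttl, proto = buf[8], buf[9]
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return ihl, ttl, proto, src, dst


def triage_icmp_error(hexdump):
    """Decode an ICMP error and the datagram it quotes; flag what the post reasons about."""
    raw = bytes.fromhex("".join(hexdump.split()))
    o_ihl, o_ttl, o_proto, o_src, o_dst = parse_ip_header(raw)
    if o_proto != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = raw[o_ihl:]
    icmp_type, icmp_code = icmp[0], icmp[1]
    # ICMP error layout: type, code, checksum, 4 unused bytes, then the quoted IP header + 8 bytes.
    inner = icmp[8:]
    i_ihl, i_ttl, i_proto, i_src, i_dst = parse_ip_header(inner)
    sport, dport = struct.unpack("!HH", inner[i_ihl:i_ihl + 4])
    return {
        "reporter": o_src, "reported_to": o_dst, "reporter_ttl": o_ttl,
        "icmp_type": icmp_type, "icmp_code": icmp_code,
        "quoted_src": i_src, "quoted_dst": i_dst, "quoted_ttl": i_ttl,
        "quoted_proto": i_proto, "sport": sport, "dport": dport,
        # Quoted source claims to be us: either we really sent it, or it was spoofed.
        "quoted_src_is_ours": ipaddress.IPv4Address(i_src) in OUR_NET,
        # TTL 255 in the quoted header: no router decremented it, so the stimulus
        # came from the reporter itself or from a host on a LAN adjacent to it.
        "quoted_ttl_undecremented": i_ttl == 255,
    }


if __name__ == "__main__":
    for k, v in triage_icmp_error(DUMP).items():
        print(f"{k:24} {v}")
```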