Security Incidents mailing list archives

Re: ICMP time exceed in-transit packets

From: paul () MOQUIJO COM (Paul Cardon)
Date: Sun, 2 Jan 2000 16:38:02 -0500


Dave Dittrich wrote:

OK. So you have a bunch of packets, which are hard to trace, look like
they are coming from all over the Internet, get successfully delivered
to the target you intend, and has embedded in it at most 64 bytes of the
original, purposely messed up packet.


First problem is that the intended target is a network address of the form
x.x.x.0.  I have been seeing this hitting a class B that where the third octet is
being selected randomly and covered nearly the full range of Class C subnets.  Many
of these are not even in use (nice, efficient use of address space, I know).  Most
of the devices returning the ICMP time exceeded do appear to be routers.

Second problem is that the contents are 64 bits, not bytes.  If Chris had said 8
bytes, it would have been clearer to most people upon first read.

These ICMP time exceeded messages consist of:

1 byte type: 11
1 byte code: 0 (for TTL equals 0 during transit)
2 byte checksum
4 byte unused: must be 0
original IP header (including options)
8 bytes of original IP datagram

In my case, the original IP datagram is an ICMP echo request of which I see only
the required fields (type, code, checksum, identifier, sequence number).  The
identifier and sequence number are both set to 0.  In  other words, if there is
optional data in the original echo request, we don't see it.

Looking at the original IP header, the header length is 20 bytes and the total
length is 92 bytes.  Subtracting for the ICMP message header, this means that there
is potentially 92 - 20 - 8 = 64 bytes in the optional data portion of the original
ICMP echo request.  What it is we can't know without seeing the original packet.

-paul

Current thread:

Re: port 1150 and 4833 ?, (continued)
- - - Re: port 1150 and 4833 ? Frameloss, Frameloss (Jan 10)
    - Re: port 119 R a v e N (Jan 05)
    - Re: port 119 Scott Laws (Jan 04)
    - Writeup: it. TLD going astray Arrigo Triulzi (Jan 03)
    - Computer Forsenics System Administrator (Jan 03)
    - Re: Computer Forsenics-> www.fish.com/forensics mike (Jan 03)
    - traceroute ICMP packets Laszlo Fabian (Jan 04)
    - Re: traceroute ICMP packets M J (Jan 04)
    - Re: traceroute ICMP packets Larry Canup (Jan 18)
  - Re: ICMP time exceed in-transit packets Dave Dittrich (Jan 01)
    - Re: ICMP time exceed in-transit packets Paul Cardon (Jan 02)
  - Y2K bug in Shadow IDS Patrick Oonk (Jan 02)
  - Port Scan on 371... M. Edward Wilborne III (Jan 02)
    - Re: Port Scan on 371... Etaoin Shrdlu (Jan 02)
    - Re: Port Scan on 371... Christopher Wilson (Jan 02)
    - correlation between porscans and local activity Thomas Molina (Jan 02)
    - Re: correlation between porscans and local activity Sean Sosik-Hamor (Jan 03)
    - ADMROCKS McNab, Chris (Jan 03)
    - R: correlation between porscans and local activity Raistlin (Jan 04)
    - Re: R: correlation between porscans and local activity Michael Babcock (Jan 12)
    - Re: correlation between porscans and local activity R a v e N (Jan 04)