Security Incidents mailing list archives

Re: An ICMP Type 3 Signature


From: Jay Random <scarbaci () YAHOO COM>
Date: Tue, 17 Oct 2000 15:14:30 -0000

> That's all well and good, except no packets have come back from
> the target host, merely from backbone routers.


Of course it's coming from the router; few networks
put firewalls on the hosts themselves, so when
the packet is denied it is denied by a firewall
protecting a network.

> Depending on the firewall, "DENY" may or may not return an
> unreachable message.  Where they do return a nastygram, it is,
> AFAIK, a port unreachable (type 3, code 3) rather than a host
> unreachable (type 3, code 1).

If the firewall doesn't return an error it is a
"DROP" command, where the packet just disappears
without a trace.  Initially the "DENY" was used
for debugging purposes: if you were having a problem
with a connection not getting through, you could set
the firewall to deny, and see from the presence of
the nastygram whether it was causing the problem.

The error messages aren't standardized; typically it
is host unreachable...

09:30:41.542747 1.atm3-0.umbc-gw.net.ums.edu > XXX: icmp: host resnet2-33.resnet.umbc.edu unreachable - admin prohibited filter

09:55:58.822747 datartn-5.border6.dal.pnap.net > XXX: icmp: host port-64-1950130-zzt0prespect.devices.datareturn.net unreachable - admin prohibited filter

10:01:02.682747 car2-GigabitEthernet1-2.isc.cw.net > XXX: icmp: host coke1.isc.cw.net unreachable - admin prohibited filter [tos 0x10]

10:07:18.632747 208.55.254.13 > XXX: icmp: host www.indesp.com unreachable - admin prohibited filter [tos 0x10]


> I have seen a fair bit of the same traffic and drilled a little deeper.  It

I have generated a fair bit of similar traffic.

> seems that the target network is certainly reachable right now.  I
> ...
> port.  In order for this slow port sweep to be of any use, the
> attacker needs to be listening from fairly close to the target, while
> the packets are being launched (and spoofed) from various hosts.
> This smacks of a distributed scanning tool.  rnmap will do what we
> are looking at, with the added twist of a compromised box sniffing
> just upstream of the target.

What made you dismiss the possibility of a decoy
scan?  Also, if he had a compromised sniffing box
upstream from the target, why actively portscan and
give away your activity, when a passive portscan
would be more simple and logical?  How would a
sniffer add any benefit to the distributed scan?

Christopher Gragsone CCSA, MCP
Senior Security Engineer, Verizon
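As an added example, not code from the original post or from any tool the thread mentions, here is a Python decoder for the ICMP type 3 messages the thread is about. It builds a constructed sample packet (the addresses 10.0.0.1, 192.0.2.10 and 198.51.100.7, the ports and the TCP sequence number are all made up), verifies the ICMP checksum, maps the code (1 host unreachable, 3 port unreachable, 13 communication administratively prohibited, which tcpdump prints as "admin prohibited filter"), recovers the probe quoted in the ICMP body, and answers the two questions the thread turns on: whether the reply came from a device in front of the probed host rather than the host itself, and whether the quoted probe really carries the receiver's own address (if not, the probe was sent with a spoofed source).

```python
import socket
import struct

# ICMP type 3 (destination unreachable) codes from RFC 792 and RFC 1812.
ICMP_DEST_UNREACH = 3
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    9: "net administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",  # tcpdump: "admin prohibited filter"
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_unreachable(sender: str, victim: str, probe_dst: str,
                      sport: int, dport: int, code: int) -> bytes:
    """Constructed sample packet (addresses, ports and sequence number are made up):
    the ICMP type 3 that `sender` emits back to `victim` after refusing victim's
    TCP SYN to probe_dst:dport.  Per RFC 792 the ICMP body quotes the offending
    datagram's IP header plus the first 8 bytes of its payload."""
    inner_tcp = struct.pack("!HHI", sport, dport, 0x12345678)  # sport, dport, seq
    inner_ip = ipv4_header(victim, probe_dst, socket.IPPROTO_TCP, 20)  # SYN was 20 bytes
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner_ip + inner_tcp
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(sender, victim, socket.IPPROTO_ICMP, len(icmp)) + icmp


def decode_unreachable(pkt: bytes) -> dict:
    """Parse an IPv4 datagram carrying ICMP type 3 and recover the quoted probe,
    then answer the two questions the thread turns on: did the reply come from
    the probed host or from a device in front of it, and does it quote a probe
    that the receiver actually sent (if not, the probe carried a spoofed source)."""
    if len(pkt) < 20 or pkt[9] != socket.IPPROTO_ICMP:
        raise ValueError("not an IPv4/ICMP datagram")
    ihl = (pkt[0] & 0x0F) * 4
    outer_src, outer_dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    icmp = pkt[ihl:]
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("ICMP type %d is not destination unreachable" % icmp_type)
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]  # quoted datagram starts after the 8-byte ICMP header
    if len(inner) < 20:
        raise ValueError("truncated quoted datagram")
    inner_ihl = (inner[0] & 0x0F) * 4
    inner_proto = inner[9]
    inner_src, inner_dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    l4 = inner[inner_ihl:inner_ihl + 8]
    sport = dport = None
    if inner_proto in (socket.IPPROTO_TCP, socket.IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {
        "from": outer_src,
        "to": outer_dst,
        "code": code,
        "meaning": UNREACH_CODES.get(code, "unassigned code %d" % code),
        "probe_src": inner_src,
        "probe_dst": inner_dst,
        "probe_proto": inner_proto,
        "sport": sport,
        "dport": dport,
        # True when a router/firewall answered on the target's behalf.
        "from_intermediate": outer_src != inner_dst,
        # False when the quoted probe claims a source other than the receiver,
        # i.e. someone spoofed the receiver's address on the original probe.
        "quotes_our_probe": outer_dst == inner_src,
    }


if __name__ == "__main__":
    # A filtering router in front of 198.51.100.7 answers a SYN to port 80 with code 13.
    pkt = build_unreachable("10.0.0.1", "192.0.2.10", "198.51.100.7", 40000, 80, 13)
    for k, v in decode_unreachable(pkt).items():
        print("%-17s %s" % (k, v))
```

The `from_intermediate` flag is the check to run over a capture like the one above: a type 3 whose outer source is not the quoted destination was generated by something in the path, and a run of them with code 13 from different routers says more about who filters what than about the state of any port on the target. `quotes_our_probe` is the complementary check for the decoy and spoofed-source scenario in the thread: an unreachable that quotes a probe the receiver never sent means the receiver's address was used as a decoy.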

