Security Incidents mailing list archives

Re: An ICMP Type 3 Signature


From: George Bakos <alpinista () BIGFOOT COM>
Date: Wed, 18 Oct 2000 12:14:05 -0400

On 17 Oct 00, at 15:14, Jay Random wrote:

What made you dismiss the possibility of a decoy
scan?  Also if he had a compromised sniffing box
upstream from the target, why actively portscan and
give away your activity, when a passive portscan
would be more simple and logical.  How would a
sniffer add any benefit to the distributed scan?

Assuming this is not a decoyed scan, a listening presence
upstream would be necessary to interpret responses to purely
spoofed stimuli.  Yes, of course passive techniques would be a
more stealthy, although somewhat luck-dependent, option for him.

A decoy scan is not completely ruled out. However, a decoy scan
should ideally use reachable, yet unresponsive host addresses so
as not to risk ICMP 3 messages being sent back to the scan
target, providing data for a process of elimination.

In order for the embedded packets' TTLs to vary as I have seen,
network conditions would need to fluctuate considerably (not too
unlikely), he would need to be a moving target, or his tool would be
crafting variable initial TTL values.  As they are all within a realistic
range below 32 (win9x??), this last possibility is slim.

Until I have my grubby paws on an offender's machine, I can merely
speculate.

Cheers!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Any sufficiently advanced technology
 is indistinguishable from magic.
 Arthur C. Clarke
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 George Bakos
 alpinista () bigfoot com
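As an added example, not part of the original post or thread: a small Python parser for ICMP type 3 messages and the datagram they quote, reporting the initial-TTL class and hop estimate per claimed source/destination pair and flagging pairs whose quoted TTLs vary more than a single fixed origin on a stable path would explain. All addresses, TTL values and packets are constructed for the example.

```python
import struct
from collections import defaultdict

def quoted_datagram(src, dst, ttl, proto=6):
    """Build the 28 bytes an ICMP type 3 message quotes: the offending IP header
    plus the first 8 bytes of its payload (here TCP ports and a sequence number). Constructed data."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, proto, 0,
                         addr(src), addr(dst))
    return ip_hdr + struct.pack("!HHI", 40000, 80, 0)

def icmp_unreachable(code, quoted):
    """ICMP header (type 3, code, zero checksum, 4 unused bytes) + quoted datagram."""
    return struct.pack("!BBHI", 3, code, 0, 0) + quoted

def parse_icmp_unreachable(pkt):
    """Return (code, src, dst, ttl, proto) of the quoted datagram, or None if malformed."""
    if len(pkt) < 28 or pkt[0] != 3:
        return None
    q = pkt[8:]                       # the quoted IP header starts after the 8-byte ICMP header
    ihl = (q[0] & 0x0F) * 4
    if q[0] >> 4 != 4 or ihl < 20 or len(q) < ihl:
        return None
    return (pkt[1], ".".join(map(str, q[12:16])), ".".join(map(str, q[16:20])), q[8], q[9])

def initial_ttl(ttl):
    """Smallest common initial TTL (32/64/128/255) at or above the observed one;
    the difference estimates hops from the origin to the router that quoted it."""
    return next(t for t in (32, 64, 128, 255) if t >= ttl)

def ttl_report(pkts, max_spread=2):
    """Group quoted datagrams by (claimed source, destination). One fixed origin on a stable
    path gives a narrow TTL spread; a wide spread or mixed classes suggests several origins,
    a moving origin, or crafted TTLs."""
    by_pair = defaultdict(list)
    for pkt in pkts:
        parsed = parse_icmp_unreachable(pkt)
        if parsed:
            by_pair[(parsed[1], parsed[2])].append(parsed[3])
    report = {}
    for pair, ttls in by_pair.items():
        classes = {initial_ttl(t) for t in ttls}
        report[pair] = {"ttls": sorted(ttls), "initial_ttl": sorted(classes),
                        "hops": sorted(initial_ttl(t) - t for t in ttls),
                        "suspect": max(ttls) - min(ttls) > max_spread or len(classes) > 1}
    return report

# Constructed sensor input: 192.0.2.10 is the local address being quoted back in type 3 messages.
SAMPLE = [icmp_unreachable(1, quoted_datagram("192.0.2.10", "203.0.113.5", t)) for t in (21, 20, 21)]
SAMPLE += [icmp_unreachable(1, quoted_datagram("192.0.2.10", "203.0.113.6", t)) for t in (27, 19)]
SAMPLE += [icmp_unreachable(3, quoted_datagram("192.0.2.11", "203.0.113.9", 118))]
```

Running `ttl_report(SAMPLE)` marks the second pair as suspect (quoted TTLs 19 and 27 for one path) while the others stay within a single initial-TTL class of 32 or 128.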
