Security Incidents mailing list archives

Re: An ICMP Type 3 Signature


From: Donald McLachlan <don () MAINFRAME DGRC CRC CA>
Date: Thu, 5 Oct 2000 09:50:13 -0400

I've been seeing this traffic for ages, and I have had some luck at locating
the source of some of it.

As you say someone is spoofing your addresses (presumably as decoys
while scanning).

1) try to elicit an icmp error message from the "router" sending the
   unreachable message (udp traceroute is good).
2) if the TTL of the 2 ICMP messages match, you can probably assume the
   router sent the original ICMP unreachable message.

As you say the ICMP message includes the IP header of the packet which could
not be delivered.

3) Look at the IP header of the included packet.  If the TTL is close to
   (within 1 or 2 of) one of the default initial TTLs (255, 128, 64, 32)
   you can be pretty sure that the host spoofing your addresses is behind
   that border router.

I actually have a tcpdump script that looks for these packets, dumps them
in hex, and e-mails them to me.

Good luck, and happy hunting.

Don

P.S.  Now that I've said how we can detect them, I bet they modify the
      stimulus packets.  :-(
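Added example (not from the post or its author): a small parser that applies the two checks described above to a raw ICMP type 3 packet, comparing the outer TTL with that of an elicited ICMP error and checking the quoted header's TTL against the default initial TTLs. The packet bytes and addresses are constructed for the example; checksums are left at zero.

```python
import struct

DEFAULT_TTLS = (255, 128, 64, 32)   # common initial TTLs, as listed in the post

def ip_header(src, dst, ttl, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left zero; constructed sample only)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, src_b, dst_b)

def parse_ipv4(buf):
    """Return (header fields, payload) for a raw IPv4 packet."""
    ihl = (buf[0] & 0x0F) * 4
    ttl, proto = buf[8], buf[9]
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    return {"ttl": ttl, "proto": proto, "src": src, "dst": dst}, buf[ihl:]

def analyse_unreachable(pkt, elicited_ttl=None):
    """Apply the post's checks to an ICMP destination-unreachable packet:
    (a) outer TTL vs the TTL of an ICMP error we elicited from the same router,
    (b) the quoted (inner) TTL vs the default initial TTLs."""
    outer, icmp = parse_ipv4(pkt)
    if outer["proto"] != 1 or icmp[0] != 3:
        return None                      # not an ICMP type 3 message
    inner, _ = parse_ipv4(icmp[8:])      # IP header of the packet that could not be delivered
    nearest = min(DEFAULT_TTLS, key=lambda d: abs(d - inner["ttl"]))
    return {
        "router": outer["src"],
        "icmp_code": icmp[1],
        "spoofed_src": inner["src"],     # our address, as quoted back to us
        "target": inner["dst"],
        "inner_ttl": inner["ttl"],
        "router_ttl_matches": None if elicited_ttl is None else outer["ttl"] == elicited_ttl,
        "host_behind_router": abs(nearest - inner["ttl"]) <= 2,
    }

# Constructed sample: router 203.0.113.1 reports port-unreachable for a UDP probe
# whose source was spoofed as our address 198.51.100.7; the quoted TTL is 254.
UDP_PROBE = struct.pack("!HHHH", 40000, 33434, 8, 0)
QUOTED = ip_header("198.51.100.7", "192.0.2.9", 254, 17, len(UDP_PROBE)) + UDP_PROBE
ICMP = struct.pack("!BBHI", 3, 3, 0, 0) + QUOTED          # type 3, code 3, checksum, unused
SAMPLE = ip_header("203.0.113.1", "198.51.100.7", 245, 1, len(ICMP)) + ICMP

if __name__ == "__main__":
    print(analyse_unreachable(SAMPLE, elicited_ttl=245))
```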

