Security Incidents mailing list archives
Re: An ICMP Type 3 Signature
From: Donald McLachlan <don () MAINFRAME DGRC CRC CA>
Date: Thu, 5 Oct 2000 09:50:13 -0400
I've been seeing this traffic for ages, and I have had some luck at locating the source of some of it. As you say, someone is spoofing your addresses (presumably as decoys while scanning).

1) Try to elicit an ICMP error message from the "router" sending the unreachable message (UDP traceroute is good).

2) If the TTL of the 2 ICMP messages matches, you can probably assume the router sent the original ICMP unreachable message. As you say, the ICMP message includes the IP header of the packet which could not be delivered.

3) Look at the IP header of the included packet. If the TTL is close to (within 1 or 2 of) one of the default initial TTLs (255, 128, 64, 32), you can be pretty sure that the host spoofing your addresses is behind that border router.

I actually have a tcpdump script that looks for these packets, dumps them in hex, and e-mails them to me.

Good luck, and happy hunting.

Don

P.S. Now that I've said how we can detect them, I bet they modify the stimulus packets. :-(
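The three checks Don lists, as an added Python example that is not part of the original post: it decodes a captured ICMP type 3 message, compares the outer TTL with the TTL of a direct traceroute reply from the same router, and tests whether the quoted inner header's TTL sits within 1 or 2 of a default initial TTL. The capture is constructed from documentation addresses; the 2-hop slack and all address and TTL values are assumptions.

```python
import struct
from ipaddress import IPv4Address

# Default initial TTLs named in the post: an embedded TTL within 1-2 of one of
# these means the stimulus packet travelled only 1-2 hops before the "router" saw it.
DEFAULT_INITIAL_TTLS = (255, 128, 64, 32)
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/IHL, TOS, len, id, flags/frag, TTL, proto, cksum, src, dst

def parse_icmp_unreachable(pkt: bytes) -> dict:
    # Outer IPv4 header: its TTL is the reporting router's remaining TTL (step 2).
    ver_ihl, _, _, _, _, ttl, proto, _, src, _ = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4/ICMP packet")
    ihl = (ver_ihl & 0x0F) * 4
    icmp_type, icmp_code = struct.unpack("!BB", pkt[ihl:ihl + 2])
    if icmp_type != 3:
        raise ValueError("not an ICMP destination unreachable (type 3)")
    # ICMP type 3 quotes the IP header of the packet it could not deliver (step 3).
    _, _, _, _, _, i_ttl, i_proto, _, i_src, i_dst = struct.unpack(IPV4_HDR, pkt[ihl + 8:ihl + 28])
    return {"router": str(IPv4Address(src)), "outer_ttl": ttl, "code": icmp_code,
            "inner_ttl": i_ttl, "inner_proto": i_proto,
            "inner_src": str(IPv4Address(i_src)), "inner_dst": str(IPv4Address(i_dst))}

def nearest_initial_ttl(ttl: int, slack: int = 2):
    """(initial_ttl, hops_consumed) if ttl is within `slack` below a default, else None."""
    for base in DEFAULT_INITIAL_TTLS:
        if 0 <= base - ttl <= slack:
            return base, base - ttl
    return None

def assess(pkt: bytes, traceroute_reply_ttl: int) -> dict:
    """Apply the post's checks: does the router's TTL match a direct probe, and
    was the quoted packet built only a hop or two from that router?"""
    info = parse_icmp_unreachable(pkt)
    info["router_ttl_matches"] = info["outer_ttl"] == traceroute_reply_ttl
    hit = nearest_initial_ttl(info["inner_ttl"])
    info["spoofer_near_router"] = hit is not None
    info["hops_from_spoofer"] = hit[1] if hit else None
    return info

def build_sample() -> bytes:
    """Constructed capture: router 198.51.100.1 tells 192.0.2.10 (our address,
    spoofed by someone else) that a UDP probe to 198.51.100.200 was port-unreachable."""
    inner = struct.pack(IPV4_HDR, 0x45, 0, 36, 0x4242, 0, 63, 17, 0,
                        IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.200").packed)
    udp = struct.pack("!HHHH", 40000, 33434, 16, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0)  # type 3, code 3, checksum omitted, unused word
    outer = struct.pack(IPV4_HDR, 0x45, 0, 56, 0x1234, 0, 247, 1, 0,
                        IPv4Address("198.51.100.1").packed, IPv4Address("192.0.2.10").packed)
    return outer + icmp + inner + udp
```

Feeding real packets in is a matter of replacing `build_sample()` with the raw bytes tcpdump wrote out, and the traceroute reply TTL with the one observed from a UDP traceroute to the reporting router.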
Current thread:
- An ICMP Type 3 Signature Stephen P. Berry (Oct 04)
- Re: An ICMP Type 3 Signature Russell Fulton (Oct 10)
- Re: An ICMP Type 3 Signature Steffen Dettmer (Oct 11)
- <Possible follow-ups>
- Re: An ICMP Type 3 Signature Donald McLachlan (Oct 05)
- Re: An ICMP Type 3 Signature Stephen P. Berry (Oct 10)
- Re: An ICMP Type 3 Signature Donald McLachlan (Oct 10)
- Re: An ICMP Type 3 Signature Stephen P. Berry (Oct 11)
- Re: An ICMP Type 3 Signature Jay Random (Oct 11)
- Re: An ICMP Type 3 Signature George Bakos (Oct 13)
- Re: An ICMP Type 3 Signature Jay Random (Oct 17)
- Re: An ICMP Type 3 Signature George Bakos (Oct 19)