Security Incidents mailing list archives

Re: An ICMP Type 3 Signature


From: Donald McLachlan <don () MAINFRAME DGRC CRC CA>
Date: Tue, 10 Oct 2000 08:20:02 -0400

From spb () meshuggeneh net Mon Oct  9 15:53 EDT 2000
To: Donald McLachlan <don () mainframe dgrc crc ca>

In message <200010051350.JAA09245 () obelix dgrc crc ca>, Donald McLachlan writes:

As you say the ICMP message includes the IP header of the packet which could
not be delivered.
3) Look at the IP header of the included packet.  If the TTL is close to
  (within 1 or 2 of) one of the default initial TTLs (255, 128, 64, 32)
  you can be pretty sure that the host spoofing your addresses is behind
  that border router.

There's a simpler and better indicator:  check to see if the source
of the ICMP packet is between the destination of the ICMP packet and
the `unreachable' host.  If this isn't the case, it's a pretty good
bet that the actual origin of the original traffic is behind the ICMP source.

Spoof at host A (but we don't know the host's true address).
Sends packets via router B.
To unreachable address C.
Spoofing Address D (which is where the ICMP unreachable message gets sent).

        A - B - (Big Internet Cloud) - C
                        |
                        D

If I understand you correctly you are saying to check if D is between
B and C.  That makes no sense to me so I must be misunderstanding you.
Can you please elaborate how your method can determine that the spoofer is
behind router B (at A)?  (which is what my method does)
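As an added example (not part of either poster's message), the following Python script applies both checks discussed above to a constructed ICMP type 3 packet: it pulls the quoted IP header out of the ICMP payload, compares its TTL against the default initial TTLs listed in the quoted message (255, 128, 64, 32) to estimate how many hops behind the ICMP source the real origin sits, and runs spb's test of whether the ICMP source lies on the path from the ICMP destination (the spoofed address D) to the unreachable host C. All addresses, the sample path, the packet bytes and the function names are constructed for illustration; the checksums are left at zero because nothing here validates them.

```python
import socket
import struct
from typing import Optional, Tuple

# Default initial TTLs named in the thread; order matters only for which match is reported first.
DEFAULT_INITIAL_TTLS = (255, 128, 64, 32)


def build_ipv4_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    """Build a minimal 20-byte IPv4 header for sample data (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4_header(buf: bytes) -> dict:
    """Parse the fixed part of an IPv4 header and return the fields this analysis needs."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tlen, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"ihl": ihl, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def icmp_unreachable_inner_header(packet: bytes) -> Tuple[dict, dict]:
    """Return (outer IP header, quoted IP header) for a raw IPv4 packet carrying ICMP type 3.

    RFC 792: the ICMP header is 8 bytes (type, code, checksum, unused), followed by the
    IP header plus the first 8 bytes of the datagram that could not be delivered.
    """
    outer = parse_ipv4_header(packet)
    if outer["proto"] != 1:
        raise ValueError("outer packet is not ICMP")
    icmp = packet[outer["ihl"]:]
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP message too short to carry a quoted IP header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError(f"ICMP type {icmp_type} is not Destination Unreachable")
    inner = parse_ipv4_header(icmp[8:])
    inner["icmp_code"] = icmp_code
    return outer, inner


def hops_behind_icmp_source(quoted_ttl: int, tolerance: int = 2) -> Optional[Tuple[int, int]]:
    """The TTL heuristic from the quoted message.

    If the quoted TTL is within `tolerance` below a default initial TTL, assume that
    initial value and return (assumed_initial_ttl, hops_already_decremented). The
    tolerance also absorbs routers that quote the header after decrementing the TTL.
    Returns None when no default initial TTL is close enough.
    """
    for initial in DEFAULT_INITIAL_TTLS:
        decrements = initial - quoted_ttl
        if 0 <= decrements <= tolerance:
            return initial, decrements
    return None


def icmp_source_on_path(icmp_src: str, path_from_icmp_dst_to_unreachable: list) -> bool:
    """spb's check: is the router that sent the ICMP on the path from the ICMP's
    destination (the spoofed address) to the unreachable host? If not, the real
    origin is probably behind that router."""
    return icmp_src in path_from_icmp_dst_to_unreachable


def analyse(packet: bytes, path_hops: list) -> dict:
    """Combine both checks into one report for a captured ICMP unreachable packet."""
    outer, inner = icmp_unreachable_inner_header(packet)
    return {
        "icmp_source": outer["src"],          # router B
        "spoofed_source": inner["src"],       # address D, the ICMP's destination
        "unreachable_host": inner["dst"],     # address C
        "ttl_estimate": hops_behind_icmp_source(inner["ttl"]),
        "icmp_source_on_path": icmp_source_on_path(outer["src"], path_hops),
    }


# Constructed sample: spoofer behind router B (192.0.2.1) sends to C (203.0.113.9)
# with spoofed source D (198.51.100.7); B returns ICMP type 3 code 1 to D.
ORIGINAL_DATAGRAM = (build_ipv4_header("198.51.100.7", "203.0.113.9", 6, 253, 8)
                     + b"\x04\xd2\x00\x50\x00\x00\x00\x01")  # first 8 bytes of a TCP header
ICMP_MESSAGE = struct.pack("!BBHI", 3, 1, 0, 0) + ORIGINAL_DATAGRAM
SAMPLE_ICMP_PACKET = (build_ipv4_header("192.0.2.1", "198.51.100.7", 1, 254, len(ICMP_MESSAGE))
                      + ICMP_MESSAGE)
# Constructed hop list as a traceroute from D towards C might show it; B is not on it.
SAMPLE_PATH_D_TO_C = ["198.51.100.1", "192.0.2.254", "203.0.113.1"]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_ICMP_PACKET, SAMPLE_PATH_D_TO_C).items():
        print(f"{key}: {value}")
```

Run against the constructed packet, the quoted TTL of 253 is read as an initial 255 minus two hops, and B is absent from the D-to-C path, so both checks point at an origin behind B. On real captures the path list would come from your own traceroute towards C, and a TTL estimate is only as good as the assumption that the spoofing host has not changed its default initial TTL.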

