Security Incidents mailing list archives

Re: An ICMP Type 3 Signature


From: Steffen Dettmer <steffen () dett de>
Date: Tue, 10 Oct 2000 23:03:21 +0200

* Stephen P. Berry wrote on Wed, Oct 04, 2000 at 13:26 -0700:
      -Neither of the destination addresses (a.b.c.d and i.j.k.l in
       the above example) had sent any traffic to 194.102.148.213 in
       the two hours prior to receiving the ICMP datagrams (two hours
       is as far back as I looked---they've probably -never- sent
       anything to 194.102.148.213).  In fact i.j.k.l was an
       unused address that wasn't sending or receiving -anything-
 [...] 

Well, I experimented with ICMP messages when playing with a fast
traceroute method. I made a tool that sends out a lot of UDP
packets, and thus receives a lot of ICMP time exceededs at "one"
time, and from the included original UDP packets the tool builds
the route path (like traceroute, but much faster;
http://sws.dett.de/Simpletraceroute if anyone is interested in
the sources). By that I found that I sometimes receive a lot of
malformed ICMP messages. They do include some data, but not the
data from the UDP packet that was sent by simpletraceroute. I
thought that there may be broken TCP/IP implementations out
there, so this may not be a bullet-proof thing. So the addresses may
be some "random" data; but it really surprised me a lot that at
least some of those included (old UDP) packets contained the
right cksum!

If anyone could explain that "strange behaviour" I would be very
glad about an email (if off-topic for this list, please use PM).

oki,

Steffen

-- 
This message was generated by machine;
it therefore bears neither signature nor seal.
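As an added example (not from the original post and not the code of simpletraceroute), here is how the receiving side of such a fast traceroute can parse ICMP Time Exceeded replies, recover the quoted original UDP probe, and discard quotes that are not its own, which is the defence against the malformed quotes described in the post. All addresses, ports, the probe payload, the port-encodes-TTL scheme and the rebuild-and-compare checksum test are assumptions for illustration, and the sample replies are constructed inline.

```python
# Added example (not part of the original post and not simpletraceroute's code).
# Parses ICMP type 11 "time exceeded" replies the way a fast traceroute must:
# pull the quoted original IPv4+UDP header out of each reply, verify that it
# really is one of our probes, and map the probe's TTL to the answering router.
# Addresses, ports, payload and the port-encodes-TTL scheme are assumptions.
import socket
import struct

PROBE_SRC, PROBE_DST = "192.0.2.10", "198.51.100.7"  # constructed sample addresses
PROBE_SPORT = 40000    # assumed fixed source port of every probe
BASE_PORT = 33434      # assumed: the probe sent with TTL n has dport BASE_PORT + n
PAYLOAD = b"simpletr"  # assumed fixed 8-byte probe payload


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when run over data carrying a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl, ident):
    """20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def udp_probe(ttl):
    """The UDP datagram our probe with TTL `ttl` carried, checksum included."""
    length = 8 + len(PAYLOAD)
    pseudo = (socket.inet_aton(PROBE_SRC) + socket.inet_aton(PROBE_DST)
              + struct.pack("!BBH", 0, 17, length))
    udp = struct.pack("!HHHH", PROBE_SPORT, BASE_PORT + ttl, length, 0) + PAYLOAD
    cksum = inet_checksum(pseudo + udp) or 0xFFFF
    return udp[:6] + struct.pack("!H", cksum) + udp[8:]


def time_exceeded(router, quoted_ip_header, quoted_udp):
    """ICMP type 11/code 0 from `router`, quoting the original IP header + 8 bytes."""
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted_ip_header + quoted_udp[:8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, PROBE_SRC, 1, len(icmp), 64, 0) + icmp


def parse_time_exceeded(pkt: bytes):
    """Return (ttl, router) if `pkt` quotes one of our probes, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        return None                                  # not even a plausible IPv4 header
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20 + 8 or inet_checksum(pkt[:ihl]) != 0 or pkt[9] != 1:
        return None                                  # too short, corrupt, or not ICMP
    if icmp[0] != 11 or icmp[1] != 0 or inet_checksum(icmp) != 0:
        return None                                  # not "time exceeded in transit"
    router = socket.inet_ntoa(pkt[12:16])
    inner = icmp[8:]                                 # the quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or inner_ihl < 20 or len(inner) < inner_ihl + 8:
        return None                                  # quote too short or not IPv4
    if inner[9] != 17 or inet_checksum(inner[:inner_ihl]) != 0:
        return None                                  # quote not UDP or header corrupt
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    if (src, dst) != (PROBE_SRC, PROBE_DST):
        return None                                  # quote is not one of our probes
    sport, dport, _ulen, ucsum = struct.unpack("!HHHH", inner[inner_ihl:inner_ihl + 8])
    ttl = dport - BASE_PORT
    if sport != PROBE_SPORT or not 1 <= ttl <= 64:
        return None                                  # ports do not match a probe we sent
    # Only 8 bytes of the UDP datagram are quoted, so its checksum cannot be
    # recomputed from the reply; rebuild the probe we sent and compare instead.
    if udp_probe(ttl)[6:8] != struct.pack("!H", ucsum):
        return None
    return ttl, router


def route_from_replies(replies):
    """Sorted (ttl, router) pairs; the first valid answer per TTL wins."""
    route = {}
    for pkt in replies:
        hit = parse_time_exceeded(pkt)
        if hit and hit[0] not in route:
            route[hit[0]] = hit[1]
    return sorted(route.items())


def _quoted(ttl):
    """The IP header a router would quote from our probe with TTL `ttl`."""
    return ipv4_header(PROBE_SRC, PROBE_DST, 17, 8 + len(PAYLOAD), 1, ttl)


_bad_udp = bytearray(udp_probe(4))
_bad_udp[6] ^= 0xFF                                    # corrupt the quoted UDP checksum
SAMPLE_REPLIES = [                                     # constructed sample replies
    time_exceeded("10.0.0.1", _quoted(1), udp_probe(1)),
    time_exceeded("10.0.1.1", _quoted(2), udp_probe(2)),
    time_exceeded("192.0.2.1", _quoted(3), udp_probe(3)),
    time_exceeded("10.0.3.1", _quoted(4), bytes(_bad_udp)),  # consistent ICMP, wrong UDP sum
    time_exceeded("10.9.9.9", ipv4_header("203.0.113.5", "203.0.113.6", 17, 16, 1, 7),
                  udp_probe(5)),                             # quote of someone else's datagram
    time_exceeded("10.0.1.1", _quoted(2), udp_probe(2))[:40],  # truncated on the wire
]
```

Running `route_from_replies(SAMPLE_REPLIES)` yields three hops (TTL 1 to 3) and silently drops the last three replies: one whose quoted UDP checksum does not match the probe we actually sent, one that quotes a datagram between two foreign addresses, and one that is too short to contain a quote at all. The point of the rebuild-and-compare step is that the ICMP error only carries the first 8 bytes of the original datagram, so the quoted UDP checksum can only be judged against the sender's own record of what was transmitted.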

