Security Incidents mailing list archives

ICMP timestamp replies


From: "Alan Gallagher, MCSE, CCNA" <alangallagher () YAHOO COM>
Date: Wed, 17 Jan 2001 12:05:06 -0800

Date: Wed, 17 Jan 2001 12:01:12 -0800 (PST)
From: "Alan Gallagher, MCSE, CCNA" <alangallagher () yahoo com>
Subject: Re: Strange ICMP timestamp replies
To: Florian Weimer <Florian.Weimer () RUS UNI-STUTTGART DE>

 Yes,

One that I know of is:

 Twinge.c

The Twinge program sends a large number of false ICMP control messages very rapidly to a system. This usually results
in performance degradation, and may cause the attacked system to crash. This attack is essentially an ICMP flood, but
with a particular signature that indicates that the Twinge program was being used. This attack is spoofed. It sends
all types of ICMP packets with random IP source addresses (Redirect Use Gateway, Destination Unreachable, Unknown
type, Time exceeded, Timestamp, Timestamp reply, Information Request, Information Reply, Subnet Mask Request, Echo
reply, Missing Parameter).






  Florian Weimer <Florian.Weimer () RUS UNI-STUTTGART DE> wrote:

We have observed some strange network packets:

08:42:45; DENY; icmp; $SOURCE1; 14 (); $DEST.23; 0 ();
08:46:55; DENY; icmp; $SOURCE1; 14 (); $DEST.18; 0 ();
08:41:26; DENY; icmp; $SOURCE1; 14 (); $DEST.99; 0 ();
08:46:53; DENY; icmp; $SOURCE1; 14 (); $DEST.18; 0 ();
19:18:49; DENY; icmp; $SOURCE2; 14 (); $DEST.21; 0 ();

($DEST.* is in our network.)

These are ICMP timestamp replies, I think. Does anybody know why
somebody sends such packets? You can hardly do OS fingerprinting
using ICMP timestamp replies.

Is there any DoS attack involving spoofed ICMP timestamp requests (so
that we're getting the answers of the victim)?

--
Florian Weimer Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
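
Added example, not part of either post: Python that parses firewall lines in the format quoted above and separates the two patterns discussed in this thread, timestamp replies only versus many ICMP types from many sources as in the Twinge description. The field order, the thresholds and the 198.51.100.x sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed field order, inferred from the posted lines:
# time; action; protocol; source; ICMP type (); destination; ICMP code ();
LINE = re.compile(r"^(\d\d:\d\d:\d\d); (\w+); icmp; (\S+); (\d+) \(\); (\S+); (\d+) \(\);$")
TIMESTAMP_REPLY = 14  # ICMP type 14 (RFC 792)

def parse(lines):
    """Return (time, source, icmp_type, destination) tuples; skip other lines."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(3), int(m.group(4)), m.group(5)))
    return events

def per_source(events):
    """Map each source to the ICMP types it sent and the destinations it hit."""
    stats = defaultdict(lambda: {"types": set(), "dests": set(), "count": 0})
    for _, src, icmp_type, dst in events:
        stats[src]["types"].add(icmp_type)
        stats[src]["dests"].add(dst)
        stats[src]["count"] += 1
    return dict(stats)

def classify(events, min_sources=5, min_types=4):
    """Thresholds are illustrative assumptions, not values from the thread."""
    stats = per_source(events)
    all_types = {t for s in stats.values() for t in s["types"]}
    if len(stats) >= min_sources and len(all_types) >= min_types:
        return "mixed-type flood from many sources"
    if all_types == {TIMESTAMP_REPLY}:
        return "timestamp replies only"
    return "other"

# The five lines posted in the thread, placeholders kept as written.
POSTED = [
    "08:42:45; DENY; icmp; $SOURCE1; 14 (); $DEST.23; 0 ();",
    "08:46:55; DENY; icmp; $SOURCE1; 14 (); $DEST.18; 0 ();",
    "08:41:26; DENY; icmp; $SOURCE1; 14 (); $DEST.99; 0 ();",
    "08:46:53; DENY; icmp; $SOURCE1; 14 (); $DEST.18; 0 ();",
    "19:18:49; DENY; icmp; $SOURCE2; 14 (); $DEST.21; 0 ();",
]
# Constructed sample: ten sources (documentation addresses), ten ICMP types.
CONSTRUCTED = [f"09:00:{i:02d}; DENY; icmp; 198.51.100.{i + 1}; {t} (); $DEST.23; 0 ();"
               for i, t in enumerate([3, 5, 11, 13, 14, 15, 16, 17, 0, 12])]

if __name__ == "__main__":
    print(classify(parse(POSTED)))
    print(classify(parse(CONSTRUCTED)))
```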





