Security Incidents mailing list archives
ICMP timestamp replies
From: "Alan Gallagher, MCSE, CCNA" <alangallagher () YAHOO COM>
Date: Wed, 17 Jan 2001 12:05:06 -0800
Date: Wed, 17 Jan 2001 12:01:12 -0800 (PST)
From: "Alan Gallagher, MCSE, CCNA" <alangallagher () yahoo com>
Subject: Re: Strange ICMP timestamp replies
To: Florian Weimer <Florian.Weimer () RUS UNI-STUTTGART DE>

Yes, one that I know of is: Twinge.c

The Twinge program sends a large number of false ICMP control messages very rapidly to a system. This usually results in performance degradation, and may cause the attacked system to crash. This attack is essentially an ICMP flood, but with a particular signature that indicates that the Twinge program was being used.

This attack is spoofed. It sends all types of ICMP packets with random IP source addresses: (Redirect Use Gateway, Destination Unreachable, Unknown type, Time exceeded, Timestamp, Timestamp reply, Information Request, Information Reply, Subnet Mask Request, Echo reply, Missing Parameter)

Florian Weimer <Florian.Weimer () RUS UNI-STUTTGART DE> wrote:

We have observed some strange network packets:

08:42:45; DENY; icmp; $SOURCE1; 14 (); $DEST.23; 0 ();
08:46:55; DENY; icmp; $SOURCE1; 14 (); $DEST.18; 0 ();
08:41:26; DENY; icmp; $SOURCE1; 14 (); $DEST.99; 0 ();
08:46:53; DENY; icmp; $SOURCE1; 14 (); $DEST.18; 0 ();
19:18:49; DENY; icmp; $SOURCE2; 14 (); $DEST.21; 0 ();

($DEST.* is in our network.)

These are ICMP timestamp replies, I think. Does anybody know why somebody sends such packets? You can hardly do OS fingerprinting using ICMP timestamp replies. Is there any DoS attack involving spoofed ICMP timestamp requests (so that we're getting the answers of the victim)?

--
Florian Weimer Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
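One way to triage packets like those in the quoted log, as an added example that is not part of the original messages: it parses lines in that field layout and lists each source whose ICMP timestamp replies (type 14) match no earlier timestamp request (type 13) from the destination host. The sample log, its addresses and ALLOW lines are constructed, and reading the fifth field as the ICMP type and the log as time-ordered are assumptions.

```python
from collections import defaultdict

# Constructed sample in the field layout of the log excerpt quoted above
# (assumed): time; action; protocol; source; ICMP type; destination; ICMP code
SAMPLE_LOG = """\
08:41:26; DENY; icmp; 198.51.100.7; 14 (); 192.0.2.99; 0 ();
08:42:45; DENY; icmp; 198.51.100.7; 14 (); 192.0.2.23; 0 ();
08:46:53; DENY; icmp; 198.51.100.7; 14 (); 192.0.2.18; 0 ();
08:46:55; DENY; icmp; 198.51.100.7; 14 (); 192.0.2.18; 0 ();
09:10:02; ALLOW; icmp; 192.0.2.40; 13 (); 203.0.113.5; 0 ();
09:10:02; ALLOW; icmp; 203.0.113.5; 14 (); 192.0.2.40; 0 ();
19:18:49; DENY; icmp; 203.0.113.77; 14 (); 192.0.2.21; 0 ();
"""

TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14  # ICMP types per RFC 792


def parse_line(line):
    """Split one log line into a dict, or return None if it does not fit."""
    fields = [f.strip() for f in line.strip().rstrip(";").split(";")]
    if len(fields) != 7 or fields[2] != "icmp":
        return None
    try:
        icmp_type = int(fields[4].split()[0])
    except (ValueError, IndexError):
        return None
    return {"time": fields[0], "action": fields[1], "src": fields[3],
            "type": icmp_type, "dst": fields[5]}


def unsolicited_timestamp_replies(log_text):
    """Map each source to the hosts it sent a type 14 reply to without an
    earlier type 13 request from that host to that source."""
    requested = set()  # (requester, responder) pairs seen so far
    unsolicited = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["type"] == TIMESTAMP_REQUEST:
            requested.add((rec["src"], rec["dst"]))
        elif rec["type"] == TIMESTAMP_REPLY:
            if (rec["dst"], rec["src"]) not in requested:
                unsolicited[rec["src"]].add(rec["dst"])
    return dict(unsolicited)
```

A source that appears here with several internal destinations and no matching requests fits both explanations raised in the thread: replies to requests spoofed with local addresses, or a spoofed ICMP flood; the log alone does not distinguish them.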