Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Host Unreachable Scan

From: "Penn, Toby (IT.Ops Security Services)" <TPenn () russell com>
Date: Thu, 19 Jul 2001 18:00:10 -0700
Some interesting traffic came through my firewall today.  We allow the
following ICMP traffic:

        outbound echo-request 

        inbound echo-reply
        inbound dest-unreachable
        inbound time-exceeded inbound


The interesting part is that there was a massive amount of destination
unreachable traffic coming into the network with NO originating
echo-request.  Let me rephrase...  I looked at one of the addresses that was
sending dest-unreachable packets... there was no originating or
corresponding echo-request to that IP address.  For that matter, there was
no traffic initiated on my side to that address whatsoever.

The question now becomes... what exposure does this give me?  What can be
gleaned from and ICMP dest-unreachable request?  Are you able to map my
entire network using this technique?  Enumeration only?  Is there a
vulnerability out there using this technique?

-Toby Penn


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: