Security Incidents mailing list archives
Re: Host Unreachable Scan
From: "Ian Jones" <ian () dsl081-056-052 dsl-isp net>
Date: Thu, 19 Jul 2001 20:25:13 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
The interesting part is that there was a massive amount of destination unreachable traffic coming into the network with NO originating echo-request. Let me rephrase... I looked at one of the addresses that was sending dest-unreachable packets... there was no originating or corresponding echo-request to that IP address. For that matter, there was no traffic initiated on my side to that address whatsoever. The question now becomes... what exposure does this give me? What can be gleaned from and ICMP dest-unreachable request? Are you able to map my entire network using this technique? Enumeration only? Is there a vulnerability out there using this technique?
It makes sense to assume that your IP address was used as a decoy in a scan using spoofed addresses. The target of the scan returned the error to the address that it thinks was the originator. An icmp error can't be used in a scan because a host/router is not supposed to respond to an ICMP error message. -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> Comment: Making the world safe for geeks. iQA/AwUBO1eklsAVSpfzXItKEQI7OACgreMygmXqb6gVs3S2a3RqsVrTIQkAoJYg TQR3n2icRg772qnIHfAx7+v+ =TRS2 -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Host Unreachable Scan Penn, Toby (IT.Ops Security Services) (Jul 19)
- Re: Host Unreachable Scan Ian Jones (Jul 19)