Re: Host Unreachable Scan

["Ian Jones" <ian () dsl081-056-052 dsl-isp net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> The interesting part is that there was a massive amount of destination
> unreachable traffic coming into the network with NO originating
> echo-request.  Let me rephrase...  I looked at one of the addresses that
> was sending dest-unreachable packets... there was no originating or
> corresponding echo-request to that IP address.  For that matter, there
> was no traffic initiated on my side to that address whatsoever.
>
> The question now becomes... what exposure does this give me?  What can be
> gleaned from and ICMP dest-unreachable request?  Are you able to map my
> entire network using this technique?  Enumeration only?  Is there a
> vulnerability out there using this technique?

It makes sense to assume that your IP address was used as a decoy in a scan
using spoofed addresses. The target of the scan returned the error to the
address that it thinks was the originator.

An icmp error can't be used in a scan because a host/router is not supposed
to respond to an ICMP error message.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Making the world safe for geeks.

iQA/AwUBO1eklsAVSpfzXItKEQI7OACgreMygmXqb6gVs3S2a3RqsVrTIQkAoJYg
TQR3n2icRg772qnIHfAx7+v+
=TRS2
-----END PGP SIGNATURE-----




----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com