Security Incidents mailing list archives

RE: ICMP Parameter Problem packets to random addresses

From: "Fernando Cardoso" <fernando.cardoso () whatevernet com>
Date: Tue, 19 Jun 2001 10:10:00 +0100

Greetings All
              Periodically, over the last few months, I have been
seeing bursts of ICMP Parameter Problem (type 12, code 0) like those
below that were picked up by snort today:

Jun 19 10:01:34 takahe snort[64968]: PING-ICMP Parameter Problem:
194.42.253.254 -> 130.216.186.122

[...]

I have been assuming that this traffic is a fall out from a DoS
lauched against 194.42.253.254 (or some host behind it if it is a
router).  One thing that might cause this is ICMP packets that set
random values to type and code fields in a flood attack.  I seem to
remember that one of the common DoS Tools does just that.

Any other thoughts?


I agree with your assumptions, but I don't recall any common DoS tool that
can cause that sort of behaviour. There's an obscure(?) DoS exploit for
Linux 2.2.x Kernel that works by flooding a box with ICMP random stuff.
Here's part of the relevant code:

            icmph.iph.daddr = addrs.sin_addr.s_addr;
            icmph.iph.frag_off = htons(0);
            icmph.icp.icmp_type = random() % 14;
            icmph.icp.icmp_code = random() % 10;
            icmph.icp.icmp_cksum = 0;
            icmph.icp.icmp_id = 2650;
            icmph.icp.icmp_seq = random() % 255;
            icmph.icp.icmp_cksum = in_cksum((int *)&icmph.icp, 1024);

If you are using -d option on snort you can check for what type of
pointer-error ICMP is giving.

Cheers

Fernando

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com     http://www.whatevernet.com/



_____________________________________________________________________
                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------

Current thread:

ICMP Parameter Problem packets to random addresses Russell Fulton (Jun 18)
- RE: ICMP Parameter Problem packets to random addresses Fernando Cardoso (Jun 19)
- RE: ICMP Parameter Problem packets to random addresses Ofir Arkin (Jun 19)
  - Re: RE: ICMP Parameter Problem packets to random addresses Russell Fulton (Jun 19)
  - Re: ICMP Parameter Problem packets to random addresses Jeff Kell (Jun 19)
    - Re: ICMP Parameter Problem packets to random addresses Tim Winders (Jun 20)