Security Incidents mailing list archives
Re: ICMP 8.255?
From: "Ofir Arkin" <ofir () sys-security com>
Date: Fri, 25 May 2001 19:17:34 +0200
Larry,

Using an ICMP Echo request with a code field different than zero can be a scan attempt. If the targeted host answers and with the reply the code is changed to zero then the targeted host belongs to the Microsoft Windows based operating systems.

This is an Active OS fingerprinting method I have discovered a few months ago. You can find more about it if you read my research paper "ICMP Usage In Scanning", available from http://www.sys-security.com

Ofir Arkin
Founder
The Sys-Security Group
http://www.sys-security.com

----- Original Message -----
From: "E. Larry Lidz" <ellidz () eridu uchicago edu>
To: <incidents () securityfocus com>
Sent: Thursday, May 24, 2001 7:56 PM
Subject: ICMP 8.255?
On a recent scan of our network, we saw ICMP echo requests coming in with the ICMP code set to 255. As it's normally supposed to be set to zero (and I can't recall ever having seen a non-zero code on an echo request), I'm assuming that this was some sort of constructed packet.

Anyone else seen this before? Of course, it's possible it's some sort of new DoS attack, though we didn't have any reports of machines crashing because of it.

-Larry

---
E. Larry Lidz
Sr. Network Security Officer
Network Security Center, The University of Chicago
Phone: (773)702-2208
Fax: (773)702-0559
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
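A defender-side check for the traffic discussed in this thread, as an added example (not part of either message, and not code from the paper mentioned above): it flags ICMP echo requests carrying a non-zero code in raw IPv4 packets, verifies the ICMP checksum to separate a deliberately constructed packet from corruption in transit, and records the code of any matching echo reply. The packets, addresses and function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; a message carrying a correct checksum field yields 0."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(packet: bytes):
    """Return (src, dst, type, code, id, seq, checksum_ok), or None if not parseable ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None  # not IPv4, or not ICMP
    ihl = (packet[0] & 0x0F) * 4
    total_len, _, frag = struct.unpack("!HHH", packet[2:8])
    icmp = packet[ihl:total_len]  # trim any link-layer padding
    if ihl < 20 or frag & 0x1FFF or len(icmp) < 8:
        return None  # bad header, non-first fragment, or truncated
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    src, dst = str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))
    return src, dst, icmp_type, code, ident, seq, inet_checksum(icmp) == 0

def find_nonzero_code_probes(packets):
    """Flag echo requests (type 8) with code != 0; attach the code of a matching reply."""
    pending = {}
    for src, dst, icmp_type, code, ident, seq, ok in filter(None, map(parse_icmp, packets)):
        if icmp_type == 8 and code != 0:
            pending[(src, dst, ident, seq)] = {"src": src, "dst": dst, "code": code,
                                               "checksum_ok": ok, "reply_code": None}
        elif icmp_type == 0 and (dst, src, ident, seq) in pending:
            pending[(dst, src, ident, seq)]["reply_code"] = code
    return list(pending.values())

def sample(src, dst, icmp_type, code, seq):
    """Constructed IPv4+ICMP bytes, used only as detector input (never sent)."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, seq)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    header = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0)
    return header + IPv4Address(src).packed + IPv4Address(dst).packed + icmp

CONSTRUCTED_CAPTURE = [sample("198.51.100.7", "192.0.2.10", 8, 255, 1),  # 8.255 request
                       sample("192.0.2.10", "198.51.100.7", 0, 0, 1),    # reply, code 0
                       sample("198.51.100.7", "192.0.2.11", 8, 255, 2),  # unanswered
                       sample("192.0.2.20", "192.0.2.10", 8, 0, 3)]      # ordinary ping

if __name__ == "__main__":
    print(*find_nonzero_code_probes(CONSTRUCTED_CAPTURE), sep="\n")
```

A finding with `checksum_ok` true and `reply_code` 0 marks a host that answered such a request and reset the code, which is the reply behaviour the message above attributes to Windows-based hosts.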