Security Incidents mailing list archives

Re: ICMP 8.255?


From: "Ofir Arkin" <ofir () sys-security com>
Date: Fri, 25 May 2001 19:17:34 +0200

Larry,

Using an ICMP Echo request with a code field different than zero can be a
scan attempt.
If the targeted host answers and with the reply the code is changed to zero,
then the targeted host belongs to the Microsoft Windows based operating
systems.
This is an Active OS fingerprinting method I discovered a few months ago.

You can find more about it if you read my research paper "ICMP Usage In
Scanning" available from http://www.sys-security.com

Ofir Arkin
Founder
The Sys-Security Group
http://www.sys-security.com


----- Original Message -----
From: "E. Larry Lidz" <ellidz () eridu uchicago edu>
To: <incidents () securityfocus com>
Sent: Thursday, May 24, 2001 7:56 PM
Subject: ICMP 8.255?
On a recent scan of our network, we saw ICMP echo requests coming in
with the ICMP code set to 255. As it's normally supposed to be set to
zero (and I can't recall ever having seen a non-zero code on an echo
request), I'm assuming that this was some sort of constructed packet.
Anyone else seen this before?

Of course, it's possible it's some sort of new DoS attack, though we
didn't have any reports of machines crashing because of it.

-Larry

---
E. Larry Lidz                                        Phone: (773)702-2208
Sr. Network Security Officer                         Fax:   (773)702-0559
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
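The behaviour Ofir describes, seen from the monitoring side, as an added example that is not from either poster: parse an ICMP header, flag echo requests whose code is not zero (the 8.255 Larry saw), and record whether a matching reply preserved or zeroed the code. The packets are constructed inline, and the function names and the classification labels are this example's own.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a packet whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type, code, ident, seq, payload=b""):
    """Build an ICMP echo packet (header + payload) with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload

def parse_icmp(packet):
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(packet) == 0}

def flag_echo_request(packet):
    """Alert text for an echo request whose code is not 0 (e.g. the 8.255 seen on the wire), else None."""
    p = parse_icmp(packet)
    if p["type"] == ICMP_ECHO_REQUEST and p["code"] != 0:
        return "ICMP 8.%d echo request id=%d seq=%d: non-zero code, possible fingerprint probe" % (p["code"], p["id"], p["seq"])
    return None

def classify_reply(request, reply):
    """What a non-zero-code probe learned from the reply: 'code-zeroed' is the
    behaviour the post attributes to Windows, 'code-echoed' means the code came back unchanged."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    if req["type"] != ICMP_ECHO_REQUEST or rep["type"] != ICMP_ECHO_REPLY:
        return "not-an-echo-pair"
    if (req["id"], req["seq"]) != (rep["id"], rep["seq"]):
        return "not-an-echo-pair"
    if req["code"] == 0:
        return "no-signal"            # an ordinary ping reveals nothing here
    return "code-zeroed" if rep["code"] == 0 else ("code-echoed" if rep["code"] == req["code"] else "code-other")

if __name__ == "__main__":
    # Constructed sample traffic: an 8.255 probe and the two reply shapes the thread discusses.
    probe = build_icmp(8, 255, 0x1234, 1, b"probe")
    print(flag_echo_request(probe))
    print(classify_reply(probe, build_icmp(0, 0, 0x1234, 1, b"probe")))    # code-zeroed
    print(classify_reply(probe, build_icmp(0, 255, 0x1234, 1, b"probe")))  # code-echoed
```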
