Security Incidents mailing list archives
Re: Should I be concerned about?
From: Blake Frantz <blake () mc net>
Date: Wed, 31 Oct 2001 12:31:41 -0600 (CST)
I'd start by sniffing the port to determin if your host is/isn't sending packets to any of the mentioned nets. I appears you are already running snort -- snort has the capability to parse the payload of Destination Unreachable packets (the payload will be the header of the packet that caused the destination unreachable packet:RFC 792). In the example below I ran snort 1.8.1 with the following command line: "snort -D -c /usr/local/snort/conf/snort.conf -d -e -A full" and got: [**] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] 10/30-10:16:08.150000 0:C0:7B:8E:22:85 -> 0:50:BA:85:72:FE type:0x800 len:0x46 x.x.x.x -> a.a.a.a ICMP TTL:244 TOS:0x0 ID:49661 IpLen:20 DgmLen:56 Type:3 Code:13 DESTINATION UNREACHABLE: PACKET FILTERED ** ORIGINAL DATAGRAM DUMP: x.x.x.x -> b.b.b.b ICMP TTL:232 TOS:0x6 ID:22452 IpLen:20 DgmLen:68 ** END OF DUMP (payload removed) notice snort extracts the data from the payload (which I removed) In the case of a port uncreachable message snort will show the port info as well. -Blake On Wed, 31 Oct 2001, Jose Carlos Faial wrote:
Hi all, Today morning I start receiving a lot of ICMP packets from a host, apparently in China (if the source address was not spoffed). The first packet was: [2001-10-31 11:52:25] ICMP Destination Unreachable (Port Unreachable) IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX hlen=5 TOS=192 dlen=56 ID=37607 flags=0 offset=0 TTL=235 chksum=27228 ICMP: type=Destination Unreachable code=Port Unreachable checksum=39472 id= seq= Payload: length = 32 000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF ....E..N....h... 010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80 ..#<..?......:a. following thousands of packets like this: [2001-10-31 12:42:10] ICMP Time-To-Live Exceeded in Transit IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX hlen=5 TOS=192 dlen=56 ID=49325 flags=0 offset=0 TTL=235 chksum=15510 ICMP: type=Time Exceeded code=0 checksum=48251 id= seq= Payload: length = 32 000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13 ....E..tJ....... 010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E ..#<..?......`6. I know that this can be just legitimate ICMP traffic, but I have a bad felling about this activity. I am sure that the target machine never tried to connect to or to send any kind of packet to the 203.193.63.9 machine, so ICMP Time-To-Live would not be expected. They are "unsolicited" packets. My question is "Can a hacker forge an ICMP packet to bypass the firewall and use its payload (payload data is different for each packet received) to send data to a trojan (listening for ICMP traffic on the target machine)? " Thanks to all. faial ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Should I be concerned about? Jose Carlos Faial (Oct 31)
- Re: Should I be concerned about? Blake Frantz (Oct 31)
- <Possible follow-ups>
- RE: Should I be concerned about? Mike Gilles (Oct 31)
- RE: Should I be concerned about? Antonio Vasconcelos (Oct 31)
- RE: Should I be concerned about? Lance Spitzner (Oct 31)