Snort mailing list archives
Re: ICMP Redirect Attack
From: Phil Wood <cpw () lanl gov>
Date: Wed, 9 May 2001 13:31:20 -0600
Folks, I guess it's time for DecodeIP to come out of the closet. I've attached the perl script that generated ASCII headers (which you are all familiar with from reading the early RFC's) from tcpdump -x or any old hex. It's a good idea to have the hex start with the first byte of the IP header. %^) If you do use it, I'd appreciate it if you could send me any comments or changes.

Thanks,

On Tue, May 08, 2001 at 03:45:37PM -0500, Claude Bailey wrote:
Could you send me a copy of the script used to print this?

Thanks.

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Friday, April 06, 2001 4:59 PM
To: Bob Van Cleef
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ICMP Redirect Attack

I took one of your packets and passed it through a script that breaks out the content of an icmp redirect:

RFC791: INTERNET PROTOCOL, September 1981

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | VER=4 | IHL=5 | ROU | | | | | |      Total Length = 131       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Identification = 43336     | | | |   Fragment Offset = 0   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | TTL=49        | Protocol = 6  |    Header Checksum = 65477    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 Source Address = 192.86.6.23                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              Destination Address = 212.223.69.26              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

RFC793: TRANSMISSION CONTROL PROTOCOL, September 1981

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Source Port = 25        |    Destination Port = 4827    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  Sequence Number = 569280001                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              Acknowledgment Number = 3478854381               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | OFF=5 | | | | | | | | |A|P| | | |         Window = 4096         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Checksum = 42403        |      Urgent Pointer = 0       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                Data
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   : 32323020 6D657469 732E6D69 63726F75 : 220 metis.microu :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

It shows that some box, 212.223.69.26, made a connection to your smtp (25) server. It shows your server sent a perfectly valid response (beginning with 220 metis.microu ...) back to that box. Some other box (17), which appears to be on the route to 26:

 ...
 19  ser0.gbw1.ecore.net (212.63.129.46)  273.805 ms  302.637 ms  259.433 ms
 20  212.223.69.17 (212.223.69.17)  272.953 ms  264.606 ms  287.861 ms
 21  212.223.69.26 (212.223.69.26)  292.220 ms  262.796 ms  260.749 ms

sent your smtp server the redirect. Normally, redirects work between routers on a shared media. It is a way to say, "hey, I delivered your packet, but in the future you should send it to xyz which is my buddy on the same routing net." However, you did send it to xyz (D4 DF 45 1A == 212.223.69.26)! So, how about this, the box is/was "promiscuous" for email destined for hosts on its backside. BTW, UDP packets (traceroute) go right through it. Hmm, so do packets destined to smtp:

Trying 212.223.69.26...
Connected to 212.223.69.26.
Escape character is '^]'.
220 mail.news-master.de ESMTP Lyris service ready

I wonder if someone sent me a redirect. Should have had my ears on.

In a nutshell, it's junk, probably the result of some poor configuration. Maybe there are others out in snortland that have the rest of the story.

On Fri, Apr 06, 2001 at 01:34:56PM -0700, Bob Van Cleef wrote:

How do you read an ICMP redirect alert? I got a bunch of these... but looking at the dumps left me sort of confused. ( A not untypical state. :)

[**] IDS135/icmp-redirect_host [**]
04/05-22:14:29.448113 212.223.69.17 -> 192.86.6.23
ICMP TTL:244 TOS:0xC0 ID:43421 IpLen:20 DgmLen:179
Type:5  Code:1  REDIRECT
D4 DF 45 1A 45 00 00 83 A9 48 00 00 31 06 FF C5  ..E.E....H..1...
^   xyz   ^ ^ start of your packet
C0 56 06 17 D4 DF 45 1A 00 19 12 DB 21 EE 86 01  .V....E.....!...
CF 5B 1A ED 50 18 10 00 A5 A3 00 00 32 32 30 20  .[..P.......220 
6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79  metis.microunity
2E 63 6F 6D 20 45 53 4D 54 50 20 53 65 6E 64 6D  .com ESMTP Sendm
61 69 6C 20 38 2E 38 2E 38 2F 38 2E 38 2E 38 3B  ail 8.8.8/8.8.8;
20 54 68 75 2C 20 35 20 41 70 72 20 32 30 30 31   Thu, 5 Apr 2001
20 32 32 3A 31 37 3A 35 39 20 2D 30 37 30 30 20   22:17:59 -0700 
28 50 44 54 29 0D 0A 01 51 80 00 01 00 02 A3 00  (PDT)...Q.......
00 04 CE 0E 01 00 00 00 00 01 00                 ...........

192.86.6.23 is metis.microunity.com, a mail server. The contents of this packet look like something I would expect to be coming from metis, not being sent to metis. There were 13 alerts, the contents were all different, yet most looked like something metis would be sending out... but not exactly.

[**] IDS135/icmp-redirect_host [**]
04/05-16:47:53.006829 212.223.69.17 -> 192.86.6.23
ICMP TTL:244 TOS:0xC0 ID:55381 IpLen:20 DgmLen:157
Type:5  Code:1  REDIRECT
D4 DF 45 1A 45 00 00 6D 0C 5B 00 00 31 06 9C C9  ..E.E..m.[..1...
C0 56 06 17 D4 DF 45 1A 00 19 05 F1 01 C0 3E 5C  .V....E.......>\
FD 84 55 85 50 18 10 00 F6 3D 00 00 32 35 30 20  ..U.P....=..250 
6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79  metis.microunity
2E 63 6F 6D 20 48 65 6C 6C 6F 20 5B 32 31 32 2E  .com Hello [212.
32 32 33 2E 36 39 2E 32 36 5D 2C 20 70 6C 65 61  223.69.26], plea
73 65 64 20 74 6F 20 6D 65 65 74 20 79 6F 75 0D  sed to meet you.
0A 31 36 3A 01 00 00 00 31 20 2D 30 37 30 30 20  .16:....1 -0700 
28 50 44 54 29                                   (PDT)

If metis was talking to 212.223.69.17, why would it think it was talking to 212.223.69.26?

Bob
<> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><>
Bob Van Cleef, Member of Technical Staff   (408) 734-8100
MicroUnity Systems Engineering, Inc.       FAX (408) 734-8136
376 Martin Ave., Santa Clara, CA 95050     vancleef () microunity com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Phil Wood, cpw () lanl gov
-- Phil Wood, cpw () lanl gov
Attachment:
DecodeIP
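The same breakout that DecodeIP performs, written here as an added Python example (it is not the attached Perl script and not Snort code) and run over the first alert's hex dump quoted above. It assumes, as that dump shows, that the bytes begin at the redirect's gateway-address field; beyond what the diagrams above print, it verifies the quoted IP header checksum, flags the case where the suggested gateway is the original destination, and counts bytes that lie past the quoted datagram's own total length.

```python
import socket
import struct

# Constructed input: the first alert's hex dump from the post, transcribed.
# It starts at the redirect's gateway field (Snort dumps the ICMP body after
# the 4-byte type/code/checksum), so bytes 4.. are the quoted IP datagram.
ALERT_HEX = """
D4 DF 45 1A 45 00 00 83 A9 48 00 00 31 06 FF C5
C0 56 06 17 D4 DF 45 1A 00 19 12 DB 21 EE 86 01
CF 5B 1A ED 50 18 10 00 A5 A3 00 00 32 32 30 20
6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79
2E 63 6F 6D 20 45 53 4D 54 50 20 53 65 6E 64 6D
61 69 6C 20 38 2E 38 2E 38 2F 38 2E 38 2E 38 3B
20 54 68 75 2C 20 35 20 41 70 72 20 32 30 30 31
20 32 32 3A 31 37 3A 35 39 20 2D 30 37 30 30 20
28 50 44 54 29 0D 0A 01 51 80 00 01 00 02 A3 00
00 04 CE 0E 01 00 00 00 00 01 00
"""

def ip_checksum_ok(hdr: bytes) -> bool:
    # One's-complement sum over the header, checksum field included, folds to 0xFFFF when intact.
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_redirect(body: bytes) -> dict:
    """Break out an ICMP redirect body: gateway, quoted IP header, its TCP header and data."""
    ip = body[4:]
    if len(ip) < 20:
        raise ValueError("quoted datagram shorter than an IP header")
    vihl, _tos, tot_len, ident, _frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    out = {"gateway": socket.inet_ntoa(body[:4]), "ihl": ihl, "total_length": tot_len,
           "id": ident, "ttl": ttl, "protocol": proto, "checksum": csum,
           "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    out["ip_checksum_ok"] = ip_checksum_ok(ip[:ihl])
    # A redirect that names the original destination itself as the new gateway is nonsense.
    out["gateway_is_dst"] = out["gateway"] == out["dst"]
    out["trailing_bytes"] = max(0, len(ip) - tot_len)  # bytes beyond the quoted datagram
    if proto == 6 and len(ip) >= ihl + 20:
        sport, dport, seq, ack, off_flags, win, tcsum, urg = struct.unpack("!HHIIHHHH", ip[ihl:ihl + 20])
        doff = (off_flags >> 12) * 4
        bits = ((0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"))
        out.update(sport=sport, dport=dport, seq=seq, ack=ack, window=win, tcp_checksum=tcsum,
                   urgent=urg, flags=[n for b, n in bits if off_flags & b],
                   data=ip[ihl + doff:tot_len])
    return out
```

Calling `decode_redirect(bytes.fromhex(ALERT_HEX))` reproduces the field values in the diagrams above and reports 20 trailing bytes after the 131-byte quoted datagram, which the 179-byte ICMP datagram length (20 IP + 8 ICMP + 151) also implies.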