Snort mailing list archives

Re: ICMP Redirect Attack


From: Phil Wood <cpw () lanl gov>
Date: Wed, 9 May 2001 13:31:20 -0600

Folks,

I guess it's time for DecodeIP to come out of the closet.  I've attached
the perl script that generated ASCII headers (the kind you are all familiar
with from reading the early RFCs) from tcpdump -x or any old hex.  It's a
good idea to have the hex start with the first byte of the IP header. %^)

If you do use it, I'd appreciate if you could send me any comments or changes.

Thanks,

On Tue, May 08, 2001 at 03:45:37PM -0500, Claude Bailey wrote:
Could you send me a copy of the script used to print this?

Thanks.

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Friday, April 06, 2001 4:59 PM
To: Bob Van Cleef
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ICMP Redirect Attack


I took one of your packets and passed it through a script that
breaks out the content of an icmp redirect:

              RFC791: INTERNET PROTOCOL, September 1981  
   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 131            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 43336        | | | | Fragment Offset = 0     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |    TTL=49     | Protocol = 6  | Header Checksum = 65477       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Address  = 192.86.6.23                                 |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Destination Address  = 212.223.69.26                          |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        RFC793: TRANSMISSION CONTROL PROTOCOL, September 1981
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Port = 25              | Destination Port = 4827       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Sequence Number = 569280001                                   |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Acknowledgment Number = 3478854381                            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | OFF=5 | | | | | | | |A|P| | | |  Window = 4096                |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Checksum = 42403              | Urgent Pointer = 0            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                Data
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  :  32323020  6D657469  732E6D69  63726F75    : 220 metis.microu :
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

It shows that some box, 212.223.69.26, made a connection to your
smtp (25) server.  It shows your server sent a perfectly valid response
(beginning with 220 metis.microu ...) back to that box. 
Some other box (17), which appears to be on the route to 26:

  ...
  19  ser0.gbw1.ecore.net (212.63.129.46)  273.805 ms  302.637 ms  259.433 ms
  20  212.223.69.17 (212.223.69.17)  272.953 ms  264.606 ms  287.861 ms
  21  212.223.69.26 (212.223.69.26)  292.220 ms  262.796 ms  260.749 ms

sent your smtp server the redirect.  Normally, redirects work between
routers on a shared media.  It is a way to say, "hey, I delivered your
packet, but in the future you should send it to xyz which is my buddy on the
same routing net."  However, you did send it to xyz (D4 DF 45 1A ==
212.223.69.26)!

So, how about this, the box is/was "promiscuous" for email destined for
hosts on its backside.  BTW, UDP packets (traceroute) go right through it.  Hmm,
so do packets destined to smtp:

  Trying 212.223.69.26...
  Connected to 212.223.69.26.
  Escape character is '^]'.
  220 mail.news-master.de ESMTP Lyris service ready

I wonder if someone sent me a redirect.  Should have had my ears on.

In a nutshell, it's junk, probably the result of some poor configuration.
Maybe there are others out in snortland that have the rest of the story.

On Fri, Apr 06, 2001 at 01:34:56PM -0700, Bob Van Cleef wrote:

How do you read an ICMP redirect alert? I got a bunch of these... but
looking at the dumps left me sort of confused. ( A not untypical state. :)

[**] IDS135/icmp-redirect_host [**]
04/05-22:14:29.448113 212.223.69.17 -> 192.86.6.23
ICMP TTL:244 TOS:0xC0 ID:43421 IpLen:20 DgmLen:179
Type:5  Code:1  REDIRECT
D4 DF 45 1A 45 00 00 83 A9 48 00 00 31 06 FF C5  ..E.E....H..1...
    ^ xyz ^   ^ start of your packet
C0 56 06 17 D4 DF 45 1A 00 19 12 DB 21 EE 86 01  .V....E.....!...
CF 5B 1A ED 50 18 10 00 A5 A3 00 00 32 32 30 20  .[..P.......220
6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79  metis.microunity
2E 63 6F 6D 20 45 53 4D 54 50 20 53 65 6E 64 6D  .com ESMTP Sendm
61 69 6C 20 38 2E 38 2E 38 2F 38 2E 38 2E 38 3B  ail 8.8.8/8.8.8;
20 54 68 75 2C 20 35 20 41 70 72 20 32 30 30 31   Thu, 5 Apr 2001
20 32 32 3A 31 37 3A 35 39 20 2D 30 37 30 30 20   22:17:59 -0700
28 50 44 54 29 0D 0A 01 51 80 00 01 00 02 A3 00  (PDT)...Q.......
00 04 CE 0E 01 00 00 00 00 01 00                 ...........


192.86.6.23 is metis.microunity.com, a mail server.  The contents
of this packet looks like something I would expect to be coming
from metis, not being sent to metis.

There were 13 alerts, the contents were all different, yet most
looked like something metis would be sending out... but not exactly.

[**] IDS135/icmp-redirect_host [**]
04/05-16:47:53.006829 212.223.69.17 -> 192.86.6.23
ICMP TTL:244 TOS:0xC0 ID:55381 IpLen:20 DgmLen:157
Type:5  Code:1  REDIRECT
D4 DF 45 1A 45 00 00 6D 0C 5B 00 00 31 06 9C C9  ..E.E..m.[..1...
C0 56 06 17 D4 DF 45 1A 00 19 05 F1 01 C0 3E 5C  .V....E.......>\
FD 84 55 85 50 18 10 00 F6 3D 00 00 32 35 30 20  ..U.P....=..250
6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79  metis.microunity
2E 63 6F 6D 20 48 65 6C 6C 6F 20 5B 32 31 32 2E  .com Hello [212.
32 32 33 2E 36 39 2E 32 36 5D 2C 20 70 6C 65 61  223.69.26], plea
73 65 64 20 74 6F 20 6D 65 65 74 20 79 6F 75 0D  sed to meet you.
0A 31 36 3A 01 00 00 00 31 20 2D 30 37 30 30 20  .16:....1 -0700
28 50 44 54 29                                   (PDT)

If metis was talking to 212.223.69.17, why would it think it was
talking to 212.223.69.26?

Bob
<>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
Bob Van Cleef, Member of Technical Staff         (408) 734-8100
MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
376 Martin Ave., Santa Clara, CA 95050  vancleef () microunity com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov



-- 
Phil Wood, cpw () lanl gov

Attachment: DecodeIP
Description:
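As an added example, not Phil's DecodeIP script (which is not reproduced on this page), here is a Python decoder that does the same job on the Snort hex dump from Bob's first alert: it parses the hex column, reads the ICMP redirect's gateway field, decodes the quoted IP and TCP headers into the RFC 791 / RFC 793 field names, verifies the IP header checksum, and flags the oddity Phil points out, a redirect whose gateway is the quoted datagram's own destination. The dump bytes are copied from the alert above; the function and field names are my own.

```python
"""Decode the payload of an ICMP redirect (type 5) from a Snort-style hex dump.

Added example, not Phil Wood's DecodeIP. Input is the hex column that Snort 1.x
prints after the ICMP type/code/checksum: 4 bytes of gateway address followed
by the quoted IP datagram (and, in this alert, some trailing bytes).
"""
import re
import struct

# Bytes copied from Bob's first IDS135 alert above; the ASCII column is ignored by the parser.
SNORT_DUMP = """\
D4 DF 45 1A 45 00 00 83 A9 48 00 00 31 06 FF C5  ..E.E....H..1...
C0 56 06 17 D4 DF 45 1A 00 19 12 DB 21 EE 86 01  .V....E.....!...
CF 5B 1A ED 50 18 10 00 A5 A3 00 00 32 32 30 20  .[..P.......220
6D 65 74 69 73 2E 6D 69 63 72 6F 75 6E 69 74 79  metis.microunity
2E 63 6F 6D 20 45 53 4D 54 50 20 53 65 6E 64 6D  .com ESMTP Sendm
61 69 6C 20 38 2E 38 2E 38 2F 38 2E 38 2E 38 3B  ail 8.8.8/8.8.8;
20 54 68 75 2C 20 35 20 41 70 72 20 32 30 30 31   Thu, 5 Apr 2001
20 32 32 3A 31 37 3A 35 39 20 2D 30 37 30 30 20   22:17:59 -0700
28 50 44 54 29 0D 0A 01 51 80 00 01 00 02 A3 00  (PDT)...Q.......
00 04 CE 0E 01 00 00 00 00 01 00                 ...........
"""

# Up to 16 hex byte tokens at the start of a line. The ASCII column can never be
# swallowed: the group is capped at 16 bytes and short lines are padded with spaces.
_HEX_LINE = re.compile(r"^((?:[0-9A-Fa-f]{2} ){0,15}[0-9A-Fa-f]{2})")

TCP_FLAGS = [(0x20, "U"), (0x10, "A"), (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F")]


def parse_hexdump(text):
    """Turn Snort's 'hex  ascii' lines back into the raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = _HEX_LINE.match(line.strip())
        if m:
            out.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(out)


def ip_checksum(header):
    """RFC 791 ones'-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(raw):
    return ".".join(str(b) for b in raw)


def decode_ip(data):
    """Fixed 20-byte IPv4 header into RFC 791 field names."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, cksum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    header_len = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0x0F, "header_len": header_len,
            "total_length": total_len, "id": ident, "flags": flags_frag >> 13,
            "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
            "checksum": cksum, "checksum_ok": ip_checksum(data[:header_len]) == 0,
            "src": ipv4(src), "dst": ipv4(dst)}


def decode_tcp(data):
    """Fixed 20-byte TCP header into RFC 793 field names; flags as the U/A/P/R/S/F letters."""
    sport, dport, seq, ack, off_res, flags, window, cksum, urg = struct.unpack("!HHIIBBHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": (off_res >> 4) * 4,
            "flags": "".join(name for bit, name in TCP_FLAGS if flags & bit),
            "window": window, "checksum": cksum, "urgent": urg}


def decode_redirect(payload):
    """Gateway address, then the quoted datagram; anything past its Total Length is a trailer."""
    gateway = ipv4(payload[:4])
    ip = decode_ip(payload[4:])
    inner = payload[4:4 + ip["total_length"]]
    result = {"gateway": gateway, "ip": ip, "trailer": payload[4 + ip["total_length"]:]}
    if ip["protocol"] == 6:
        tcp = decode_tcp(inner[ip["header_len"]:])
        result["tcp"] = tcp
        result["data"] = inner[ip["header_len"] + tcp["data_offset"]:]
    # Phil's point: a redirect that names the datagram's own destination as the gateway
    # tells the sender to do what it was already doing.
    result["gateway_is_destination"] = gateway == ip["dst"]
    return result


def summarize(r):
    """Readable lines in the spirit of the RFC-style boxes above."""
    ip, tcp = r["ip"], r.get("tcp")
    lines = [f"ICMP redirect: gateway = {r['gateway']}",
             f"IP: VER={ip['version']} IHL={ip['ihl']} Total Length={ip['total_length']} "
             f"Identification={ip['id']} TTL={ip['ttl']} Protocol={ip['protocol']} "
             f"Header Checksum={ip['checksum']} ({'ok' if ip['checksum_ok'] else 'BAD'})",
             f"IP: {ip['src']} -> {ip['dst']}"]
    if tcp:
        lines.append(f"TCP: {tcp['sport']} -> {tcp['dport']} seq={tcp['seq']} ack={tcp['ack']} "
                     f"flags={tcp['flags']} window={tcp['window']} checksum={tcp['checksum']}")
        lines.append("Data: " + r["data"].decode("ascii", "replace").rstrip("\r\n"))
    if r["trailer"]:
        lines.append(f"{len(r['trailer'])} trailing bytes past the quoted datagram: {r['trailer'].hex()}")
    if r["gateway_is_destination"]:
        lines.append("Note: gateway equals the quoted datagram's destination")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(decode_redirect(parse_hexdump(SNORT_DUMP)))))
```

Running it reproduces the values in Phil's boxes (Total Length 131, Identification 43336, TTL 49, checksum 65477 and valid, ports 25 and 4827, the A and P flags, window 4096) and shows the 20 bytes after the quoted datagram that neither decoder on the page accounts for.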

