Re: Host Unreachable Scan

From: Ian Jones (ian@dsl081-056-052.dsl-isp.net)
Date: 07/20/01


Message-ID: <016001c110cb$96bda120$0101a8c0@mobile>
From: "Ian Jones" <ian@dsl081-056-052.dsl-isp.net>
To: "Penn, Toby (IT.Ops Security Services)" <TPenn@russell.com>
Subject: Re: Host Unreachable Scan
Date: Thu, 19 Jul 2001 20:25:13 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> The interesting part is that there was a massive amount of destination
> unreachable traffic coming into the network with NO originating
> echo-request. Let me rephrase... I looked at one of the addresses that
> was sending dest-unreachable packets... there was no originating or
> corresponding echo-request to that IP address. For that matter, there
> was no traffic initiated on my side to that address whatsoever.
>
> The question now becomes... what exposure does this give me? What can be
> gleaned from an ICMP dest-unreachable request? Are you able to map my
> entire network using this technique? Enumeration only? Is there a
> vulnerability out there using this technique?

It makes sense to assume that your IP address was used as a decoy in a scan
using spoofed addresses. The target of the scan returned the error to the
address that it thinks was the originator.

An ICMP error can't be used in a scan because a host/router is not supposed
to respond to an ICMP error message.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Making the world safe for geeks.

iQA/AwUBO1eklsAVSpfzXItKEQI7OACgreMygmXqb6gVs3S2a3RqsVrTIQkAoJYg
TQR3n2icRg772qnIHfAx7+v+
=TRS2
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com
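
The situation discussed in this thread, as an added example that is not part of the original messages: a Python check that reads the original IP header quoted inside an ICMP destination-unreachable message (RFC 792) and compares it with outbound flow records, separating solicited errors from backscatter caused by spoofed use of a local address. The function names, the flow-tuple format and the documentation-range addresses are assumptions; checksums are not verified.

```python
import ipaddress
import struct

def parse_unreachable(icmp: bytes):
    """Return the quoted (proto, src, sport, dst, dport) of an ICMP type 3 message, else None."""
    if len(icmp) < 36 or icmp[0] != 3:        # 8 ICMP + 20 IP + 8 payload bytes
        return None
    inner = icmp[8:]                          # RFC 792: original IP header + 8 bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None
    proto = inner[9]
    src = ipaddress.IPv4Address(inner[12:16])
    dst = ipaddress.IPv4Address(inner[16:20])
    sport = dport = None
    if proto in (6, 17):                      # TCP/UDP ports lead the quoted payload
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return proto, src, sport, dst, dport

def classify(icmp, local_net, outbound_flows):
    """Label one inbound ICMP message against flows this network actually sent."""
    quoted = parse_unreachable(icmp)
    if quoted is None:
        return "unparsed"
    if quoted[1] not in local_net:            # the quoted sender is not one of ours
        return "quoted-source-not-ours"
    if quoted in outbound_flows:
        return "solicited"                    # error for traffic we really originated
    return "backscatter"                      # our address appeared on traffic we never sent

def build_unreachable(src, dst, sport, dport, proto=6, code=1):
    """Constructed sample: ICMP type 3 quoting a minimal IPv4 header and 8 payload bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + struct.pack("!HHI", sport, dport, 0)

if __name__ == "__main__":
    local = ipaddress.ip_network("192.0.2.0/24")          # assumed local range
    flows = {(6, ipaddress.IPv4Address("192.0.2.10"), 40000,
              ipaddress.IPv4Address("198.51.100.7"), 80)}  # constructed flow record
    for pkt in (build_unreachable("192.0.2.10", "198.51.100.7", 40000, 80),
                build_unreachable("192.0.2.10", "203.0.113.9", 31337, 22)):
        print(classify(pkt, local, flows))
```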


