RE: Should I be concerned about?

From: Mike Gilles (mike.gilles@itmtech.com)
Date: 10/31/01


Message-ID: <210D139C03E0D311BF4B00500473124D3B0184@SVEN>
From: Mike Gilles <mike.gilles@itmtech.com>
To: faial@rio-de-janeiro.sns.slb.com, incidents@securityfocus.com
Subject: RE: Should I be concerned about?
Date: Wed, 31 Oct 2001 13:16:15 -0500

For any data to actually be transferred the packets would have to move up
the OSI model. (e.g. start a TCP session) So, in short, no I wouldn't be
overly concerned with this traffic.

-----Original Message-----
From: faial@rio-de-janeiro.sns.slb.com
[mailto:faial@rio-de-janeiro.sns.slb.com]
Sent: Wednesday, October 31, 2001 2:06 PM
To: incidents@securityfocus.com
Subject: Should I be concerned about?

Hi all,

        This morning I started receiving a lot of ICMP packets from a host,
apparently in China (if the source address was not spoofed). The first
packet was:

[2001-10-31 11:52:25] ICMP Destination Unreachable (Port Unreachable)
IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
hlen=5 TOS=192 dlen=56 ID=37607 flags=0 offset=0 TTL=235 chksum=27228
ICMP: type=Destination Unreachable code=Port Unreachable
checksum=39472 id= seq=
Payload: length = 32
000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF ....E..N....h...
010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80 ..#<..?......:a.

        followed by thousands of packets like this:

[2001-10-31 12:42:10] ICMP Time-To-Live Exceeded in Transit
IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
hlen=5 TOS=192 dlen=56 ID=49325 flags=0 offset=0 TTL=235 chksum=15510
ICMP: type=Time Exceeded code=0
checksum=48251 id= seq=
Payload: length = 32
000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13 ....E..tJ.......
010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E ..#<..?......`6.

I know that this can be just legitimate ICMP traffic, but I have a bad
feeling about this activity. I am sure that the target machine never tried
to connect to or send any kind of packet to the 203.193.63.9 machine, so
ICMP Time-To-Live Exceeded would not be expected. They are "unsolicited" packets.

My question is "Can a hacker forge an ICMP packet to bypass the firewall
and use its payload (payload data is different for each packet received) to
send data to a trojan (listening for ICMP traffic on the target machine)? "

Thanks to all.

faial

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
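An added example, not from either poster, that decodes the two payload dumps quoted in the thread: ICMP Destination Unreachable and Time Exceeded messages carry the original IP header plus the first 8 bytes of the datagram that triggered them (RFC 792), so parsing that inner header shows which datagram each error refers to. It assumes the dumps are pasted exactly in the "offset : hex bytes  ascii" layout shown in the post.

```python
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
HEX = set("0123456789abcdefABCDEF")

# Constructed input: the two 32-byte payload dumps quoted in the post above.
DUMP_PORT_UNREACHABLE = """\
000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF ....E..N....h...
010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80 ..#<..?......:a."""

DUMP_TTL_EXCEEDED = """\
000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13 ....E..tJ.......
010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E ..#<..?......`6."""


def parse_hexdump(dump):
    """Convert 'offset : up to 16 hex bytes  ascii' lines into raw bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split(":", 1)[1].split()[:16]   # drop offset, cap at 16 bytes
        for tok in tokens:
            if len(tok) != 2 or not set(tok) <= HEX:
                break                                 # reached the ASCII column
            raw.append(int(tok, 16))
    return bytes(raw)


def decode_icmp_error(payload):
    """Decode the datagram an ICMP type 3 or type 11 message quotes in its payload.

    After a 4-byte unused field the message carries the original IP header and
    the first 8 bytes of the original data, so for UDP/TCP the ports are visible.
    """
    inner = payload[4:]
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "proto": PROTO_NAMES.get(proto, str(proto)), "ip_id": ident,
        "total_len": total_len, "ttl": ttl,  # TTL as seen by the reporting router
    }
    if proto in (6, 17) and len(inner) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info


if __name__ == "__main__":
    for name, dump in (("Port Unreachable", DUMP_PORT_UNREACHABLE),
                       ("TTL Exceeded", DUMP_TTL_EXCEEDED)):
        print(name, decode_icmp_error(parse_hexdump(dump)))
```

Comparing the decoded inner source address and ports against the host's own outbound traffic or firewall log is how a responder checks whether an unsolicited ICMP error is a reply to something this host (or someone spoofing its address) actually sent.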
