Re: Should I be concerned about?
From: Blake Frantz (blake@mc.net) Date: 10/31/01
- Previous message: Mike Gilles: "RE: Should I be concerned about?"
- In reply to: Jose Carlos Faial: "Should I be concerned about?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 31 Oct 2001 12:31:41 -0600 (CST)
From: Blake Frantz <blake@mc.net>
To: Jose Carlos Faial <faial@rio-de-janeiro.sns.slb.com>
Subject: Re: Should I be concerned about?
Message-ID: <Pine.BSI.4.05L.10110311212170.18493-100000@maxx.mc.net>
I'd start by sniffing the port to determine if your host is/isn't sending
packets to any of the mentioned nets. It appears you are already running
snort -- snort has the capability to parse the payload of Destination
Unreachable packets (the payload will be the header of the packet that
caused the Destination Unreachable packet: RFC 792). In the example below
I ran snort 1.8.1 with the following command line:
"snort -D -c /usr/local/snort/conf/snort.conf -d -e -A full"
and got:
[**] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
10/30-10:16:08.150000 0:C0:7B:8E:22:85 -> 0:50:BA:85:72:FE type:0x800 len:0x46
x.x.x.x -> a.a.a.a ICMP TTL:244 TOS:0x0 ID:49661 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
x.x.x.x -> b.b.b.b ICMP TTL:232 TOS:0x6 ID:22452 IpLen:20 DgmLen:68
** END OF DUMP
(payload removed)
Notice snort extracts the data from the payload (which I removed).
In the case of a Port Unreachable message snort will show the port info
as well.
-Blake
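The decoding Blake describes, applied to the two "Payload" dumps in the quoted message below, as an added example (not snort's code and not from either poster): it reads the logger's hex dump back into bytes and then walks the embedded IPv4 header and transport ports that RFC 792 requires an error message to quote. The assumption that the dump's first four bytes are the unused field following the ICMP type/code/checksum is mine, based on the `00 00 00 00 45 ...` prefix in both dumps.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed input: the two dumps copied from the quoted message; the
# ASCII column on the right is ignored by the parser.
PORT_UNREACHABLE_DUMP = """\
000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF ....E..N....h...
010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80 ..#<..?......:a."""
TTL_EXCEEDED_DUMP = """\
000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13 ....E..tJ.......
010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E ..#<..?......`6."""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def dump_to_bytes(dump: str) -> bytes:
    """Turn 'offset : xx xx ... ascii' lines back into bytes (16 per line)."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split(":", 1)[1].split()
        for tok in tokens[:16]:          # stop at the ASCII column
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def parse_icmp_error_payload(payload: bytes) -> dict:
    """Decode the datagram quoted inside a Destination Unreachable / Time
    Exceeded message: inner IP header plus the first 8 bytes of its data.
    Assumption: the logger's payload starts with the 4 unused ICMP bytes."""
    inner = payload[4:]
    if len(inner) < 20:
        raise ValueError("inner IP header truncated")
    ver_ihl, _tos, total_len, ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", inner[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("inner datagram is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": PROTO_NAMES.get(proto, str(proto)), "ttl": ttl,
            "id": ident, "total_len": total_len}
    # TCP and UDP both keep source/destination ports in their first 4 bytes,
    # which sit inside the 8 data bytes a router must quote.
    transport = inner[ihl:ihl + 8]
    if proto in (6, 17) and len(transport) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", transport[:4])
    return info
```

Run on the two dumps, the inner headers decode as UDP 137 -> 137 to 203.193.63.9 and UDP 259 -> 259 to 203.193.63.10 (inner TTL 1), which is exactly the "did my host send something to those nets" question the sniffing step is meant to answer.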
On Wed, 31 Oct 2001, Jose Carlos Faial wrote:
> Hi all,
>
> This morning I started receiving a lot of ICMP packets from a host,
> apparently in China (if the source address was not spoofed). The first
> packet was:
>
> [2001-10-31 11:52:25] ICMP Destination Unreachable (Port Unreachable)
> IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
> hlen=5 TOS=192 dlen=56 ID=37607 flags=0 offset=0 TTL=235 chksum=27228
> ICMP: type=Destination Unreachable code=Port Unreachable
> checksum=39472 id= seq=
> Payload: length = 32
> 000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF ....E..N....h...
> 010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80 ..#<..?......:a.
>
> followed by thousands of packets like this:
>
> [2001-10-31 12:42:10] ICMP Time-To-Live Exceeded in Transit
> IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
> hlen=5 TOS=192 dlen=56 ID=49325 flags=0 offset=0 TTL=235 chksum=15510
> ICMP: type=Time Exceeded code=0
> checksum=48251 id= seq=
> Payload: length = 32
> 000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13 ....E..tJ.......
> 010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E ..#<..?......`6.
>
> I know that this can be just legitimate ICMP traffic, but I have a bad
> feeling about this activity. I am sure that the target machine never tried
> to connect to or to send any kind of packet to the 203.193.63.9 machine, so
> ICMP Time-To-Live would not be expected. They are "unsolicited" packets.
>
> My question is "Can a hacker forge an ICMP packet to bypass the firewall
> and use its payload (payload data is different for each packet received) to
> send data to a trojan (listening for ICMP traffic on the target machine)? "
>
> Thanks to all.
>
> faial
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com