RE: Should I be concerned about?

From: Lance Spitzner (lance@honeynet.org)
Date: 10/31/01


Date: Wed, 31 Oct 2001 12:43:04 -0600 (CST)
From: Lance Spitzner <lance@honeynet.org>
To: Mike Gilles <mike.gilles@itmtech.com>
Subject: RE: Should I be concerned about?
Message-ID: <Pine.LNX.4.30.0110311241230.979-100000@marge.spitzner.net>

On Wed, 31 Oct 2001, Mike Gilles wrote:

> For any data to actually be transferred the packets would have to move up
> the OSI model. (e.g. start a TCP session) So, in short, no I wouldn't be
> overly concerned with this traffic.

*sigh*

I'm afraid you have just fallen victim to one of the most common
problems within the security community, underestimating the
enemy. Anything is possible.

             http://www.phrack.org/show.php?p=51&a=6

> -----Original Message-----
> From: faial@rio-de-janeiro.sns.slb.com
>
> This morning I started receiving a lot of ICMP packets from a host,
> apparently in China (if the source address was not spoofed). The first
> packet was:
>
> [2001-10-31 11:52:25] ICMP Destination Unreachable (Port Unreachable)
> IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
> hlen=5 TOS=192 dlen=56 ID=37607 flags=0 offset=0 TTL=235 chksum=27228
> ICMP: type=Destination Unreachable code=Port Unreachable
> checksum=39472 id= seq=
> Payload: length = 32
> 000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF ....E..N....h...
> 010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80 ..#<..?......:a.
>
> followed by thousands of packets like this:
>
> [2001-10-31 12:42:10] ICMP Time-To-Live Exceeded in Transit
> IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
> hlen=5 TOS=192 dlen=56 ID=49325 flags=0 offset=0 TTL=235 chksum=15510
> ICMP: type=Time Exceeded code=0
> checksum=48251 id= seq=
> Payload: length = 32
> 000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13 ....E..tJ.......
> 010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E ..#<..?......`6.
>
> I know that this can be just legitimate ICMP traffic, but I have a bad
> feeling about this activity. I am sure that the target machine never tried
> to connect to or to send any kind of packet to the 203.193.63.9 machine, so
> ICMP Time-To-Live would not be expected. They are "unsolicited" packets.
>
> My question is "Can a hacker forge an ICMP packet to bypass the firewall
> and use its payload (payload data is different for each packet received) to
> send data to a trojan (listening for ICMP traffic on the target machine)? "

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
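The question the thread leaves open is how a defender can tell whether an ICMP error message is a genuine response to something the host sent or an unsolicited message whose "quoted datagram" is really just a carrier for data. The following Python is an added example, not code from the thread or from either poster. It decodes the two payload dumps quoted in the original message, rebuilds each ICMP message to verify its checksum against the value the logger printed, verifies the checksum of the IP header quoted inside the error, extracts the quoted 5-tuple, and compares it with a table of flows the host itself sent. The monitored host's address is assumed to be the source address carried in the quoted header (the poster masked the outer destination), and the `SENT_FLOWS` table is constructed for the example so that only the first error has a match.

```python
"""Sanity-check ICMP error messages against the local host's own state.

Added example (not from the thread). It decodes the two ICMP payload dumps
quoted in the post, rebuilds each ICMP message, and verifies:
  - the ICMP checksum against the value the logger printed,
  - the checksum of the IP header quoted inside the error,
  - whether the quoted datagram claims to come from this host and
    matches a flow this host actually sent.
"""
import ipaddress
import re
import struct

# ICMP types that carry a quoted copy of the offending datagram (RFC 792)
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def parse_hexdump(lines):
    """Convert 'offset : XX XX ... <ascii>' lines into bytes; ASCII column ignored."""
    out = bytearray()
    for line in lines:
        _, _, rest = line.partition(":")
        tokens = [t for t in rest.split()[:16] if re.fullmatch(r"[0-9A-Fa-f]{2}", t)]
        out += bytes.fromhex("".join(tokens))
    return bytes(out)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; a valid header (checksum included) sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def analyze_icmp_error(icmp_type, icmp_code, logged_checksum, payload, local_addr, sent_flows):
    """Return decoded fields plus a list of findings for one ICMP error message.

    payload = everything after the 4-byte type/code/checksum: the 4 unused
    bytes of the ICMP header, then the quoted IP header and at least 8 bytes
    of the original datagram (RFC 792 minimum).
    """
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error type: %d" % icmp_type)
    findings = []

    # Rebuild the message with a zeroed checksum field and recompute it.
    icmp_msg = struct.pack("!BBH", icmp_type, icmp_code, 0) + payload
    if inet_checksum(icmp_msg) != logged_checksum:
        findings.append("icmp checksum mismatch")

    inner = payload[4:]
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or len(inner) < ihl + 8:
        findings.append("quoted datagram truncated or not IPv4")
        return {"findings": findings}
    if inet_checksum(inner[:ihl]) != 0:
        findings.append("quoted IP header checksum invalid")

    ident = struct.unpack("!H", inner[4:6])[0]
    ttl, proto = inner[8], inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport = dport = None
    if proto in (6, 17):  # TCP/UDP: the first 8 quoted bytes start with the ports
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    flow = (src, sport, dst, dport, proto)

    if src != local_addr:
        findings.append("quoted source is not this host")
    elif flow not in sent_flows:
        findings.append("no matching outbound flow (unsolicited)")
    extra = len(inner) - ihl - 8  # data beyond the RFC 792 minimum quote
    if extra:
        findings.append("%d bytes beyond minimum quote" % extra)

    return {"flow": flow, "ttl": ttl, "id": ident, "findings": findings}


# Constructed from the two dumps quoted in the post. The outer destination was
# masked there; the quoted inner source is assumed to be the monitored host.
LOCAL_ADDR = "163.186.35.60"

DUMP_PORT_UNREACH = [
    "000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF ....E..N....h...",
    "010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80 ..#<..?......:a.",
]
DUMP_TTL_EXCEEDED = [
    "000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13 ....E..tJ.......",
    "010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E ..#<..?......`6.",
]

# Assumed table of flows this host sent recently (e.g. kept by a host sensor);
# constructed here so that only the first error message has a match.
SENT_FLOWS = {("163.186.35.60", 137, "203.193.63.9", 137, 17)}


def run_examples():
    """Analyze both quoted messages with the checksums the logger printed."""
    first = analyze_icmp_error(3, 3, 39472, parse_hexdump(DUMP_PORT_UNREACH), LOCAL_ADDR, SENT_FLOWS)
    second = analyze_icmp_error(11, 0, 48251, parse_hexdump(DUMP_TTL_EXCEEDED), LOCAL_ADDR, SENT_FLOWS)
    return first, second


if __name__ == "__main__":
    for result in run_examples():
        print(result)
```

For both dumps on the page the outer ICMP checksum and the quoted IP header checksum verify, and each quote is exactly the RFC 792 minimum (header plus 8 bytes), so the variation the poster noticed between payloads sits in the quoted header fields (IP ID, TTL, destination, ports). That is what a legitimate error would look like, but it is equally what a careful forger would produce, which is why the decisive check is the last one: the quoted 5-tuple must correspond to a flow the host actually sent. A forged message with a quote that the host never originated, or with a quote longer than needed that carries extra bytes, is flagged by the findings list.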
