Re: Possible ICMP DOS spoofed to Nameservers?

From: Ryan Russell (ryan@securityfocus.com)
Date: 12/31/01


Date: Sun, 30 Dec 2001 18:37:45 -0700 (MST)
From: Ryan Russell <ryan@securityfocus.com>
To: Richard Gilman <rgilman@myndzi.com>

On Sun, 30 Dec 2001, Richard Gilman wrote:

> I've been seeing ICMP Type 3 Code 13 messages coming from 2 sites and
> destined to our name servers.

Which is Destination Unreachable, Communication Administratively
Prohibited

> While doing a tcpdump I see no outbound
> packets with a destination directed toward the sites sending the ICMP
> unreachable messages.

That may be because an intermediate device is the one sending the ICMP
packets, i.e. a router in front of the address you are sending packets to.
You might be sending DNS lookup requests to 1.2.3.4, but the router
2.3.4.5 in front of it may be the one blocking the traffic, and the
source address of the ICMP packets you will get will be 2.3.4.5. That's
one of the things I really dislike about ICMP.

Fortunately, the info you want is actually contained in the body of the
ICMP packets. That will give you the source and destination addresses
in the packet that was blocked. If you post a hex dump of one of the ICMP
packets, someone can decode it for you.

(Apologies if you already knew this, and simply failed to indicate in your
note.)

                                        Ryan
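The decoding Ryan describes, as an added example that is not part of the original post: a type 3 Destination Unreachable message carries, after its 8-byte ICMP header, the IP header of the rejected datagram plus at least the first 8 bytes of its payload (RFC 792), so the real destination of the blocked DNS query, and for UDP/TCP the ports, can be read out of the ICMP body even when the ICMP source is a router such as 2.3.4.5. The sample packet below is constructed here; the nameserver address 192.0.2.53 and the source port are assumptions, and 1.2.3.4 is the destination from the reply above.

```python
"""Decode an ICMP Destination Unreachable message and recover the quoted
datagram's addresses and ports.  Added example; not from the original post."""
import socket
import struct

ICMP_DEST_UNREACH = 3
# Type 3 code names (RFC 792, RFC 1812); only the ones relevant here.
UNREACH_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 3: "Port Unreachable",
    9: "Communication Administratively Prohibited (net)",
    10: "Communication Administratively Prohibited (host)",
    13: "Communication Administratively Prohibited",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum as used by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(buf: bytes) -> dict:
    """Parse the fixed part of an IPv4 header and return the fields we need."""
    if len(buf) < 20:
        raise ValueError("quoted IP header truncated")
    vihl, _tos, _tlen, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {"ihl": ihl, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def decode_icmp_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP type 3 message (bytes starting at the ICMP type field,
    i.e. the IPv4 payload as tcpdump -X prints it).  Returns the 4-tuple of the
    datagram that was rejected: the information the ICMP source address hides."""
    if len(icmp) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    itype, code, _csum = struct.unpack("!BBH", icmp[:4])
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message (type %d)" % itype)
    if inet_checksum(icmp) != 0:  # checksum covers the whole ICMP message
        raise ValueError("ICMP checksum mismatch")
    quoted = icmp[8:]
    iph = parse_ipv4_header(quoted)
    result = {"code": code, "code_name": UNREACH_CODES.get(code, "code %d" % code),
              "orig_src": iph["src"], "orig_dst": iph["dst"], "orig_proto": iph["proto"]}
    # The first 8 bytes of the quoted payload hold source and destination
    # ports for both UDP (17) and TCP (6).
    l4 = quoted[iph["ihl"]:iph["ihl"] + 8]
    if iph["proto"] in (6, 17) and len(l4) >= 4:
        result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", l4[:4])
    return result


def explains_missing_outbound(decoded: dict, our_nameservers) -> bool:
    """True when the quoted datagram is a DNS query one of our own nameservers
    sent: the ICMP then answers a packet we did send, just to a different
    address than the ICMP's own source."""
    return (decoded["orig_src"] in our_nameservers
            and decoded["orig_proto"] == 17
            and decoded.get("orig_dport") == 53)


def build_sample_icmp_unreachable() -> bytes:
    """Constructed sample: router 2.3.4.5 rejects a DNS query from our
    (assumed) nameserver 192.0.2.53 to 1.2.3.4:53 with type 3 / code 13."""
    udp_hdr = struct.pack("!HHHH", 33000, 53, 8 + 32, 0)  # 32-byte query assumed
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 32, 0x1234, 0x4000,
                         60, 17, 0, socket.inet_aton("192.0.2.53"),
                         socket.inet_aton("1.2.3.4"))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, 13, 0, 0) + ip_hdr + udp_hdr
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


if __name__ == "__main__":
    info = decode_icmp_unreachable(build_sample_icmp_unreachable())
    print(info)
    print("sent by our nameserver:", explains_missing_outbound(info, {"192.0.2.53"}))
```

To feed a real capture in, take the ICMP payload bytes from a `tcpdump -nX icmp` hex dump (everything after the outer IP header) and pass them to `decode_icmp_unreachable`; a match on `orig_src` with your nameserver and `orig_dst` with a host other than the ICMP source is the case Ryan describes. The checksum check is there so that a garbled or truncated dump is rejected rather than decoded into a wrong address.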

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


