ICMP unreachable question

• Previous message: nobody: "xprobe 0.2"
• Next in thread: Penetration Testing: "Re: ICMP unreachable question"
• Reply: Penetration Testing: "Re: ICMP unreachable question"
• Reply: Ofir Arkin: "RE: ICMP unreachable question"
• Reply: Crist J. Clark: "Re: ICMP unreachable question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Steve Culligan" <stephen_culligan@hotmail.com>
To: pen-test@securityfocus.com
Subject: ICMP unreachable question
Date: Fri, 26 Oct 2001 11:05:24 +0100
Message-ID: <F91g5I0XyymaXcWrSvG00019948@hotmail.com>

I'm interested in a particular ICMP packet which seems to change the client
/ servers MTU size.
The scenario is like this
client----------->Router-vpn-vpn-vpn-vpn-vpn-Router --------------->Firewall
------------->Server
- Client initiates a connection with the server and starts to transmit data.
- Router places its ESP header on the packets coming from the server which
brings the MTU over the maximum size
- Router sends the following packet back to the server
        icmp: 172.*.*.* unreachable - need to frag (mtu 1454)
- ICMP packet from the router gets blocked by the firewall and the
connection is eventually lost as the router cannot handle this MTU size.

but

If the Firewall permits the ICMP packet from the router through to the
server, the server will lower its MTU and continue the connection.

So my question is , Can this be used as a denial of service attack to
continually send these ICMP packets to a server to confuse it or bring it
down.
Anybody had any experience with this or know any tools which can generate
these ICMP reachable packets ?

Regards,

Steve Culligan

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Previous message: nobody: "xprobe 0.2"
• Next in thread: Penetration Testing: "Re: ICMP unreachable question"
• Reply: Penetration Testing: "Re: ICMP unreachable question"
• Reply: Ofir Arkin: "RE: ICMP unreachable question"
• Reply: Crist J. Clark: "Re: ICMP unreachable question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: ICMP and discard oversize frame ... I am running a FreeBSD router with two ethernet cards. ... the MTU to 800 in order to generate ICMP packet "Fragmentation needed ... But there is no ICMP sent. ... (comp.unix.bsd.freebsd.misc) Re: ICMP unreachable question ... > I'm interested in a particular ICMP packet which seems to change the client ... > - Client initiates a connection with the server and starts to transmit data. ... > continually send these ICMP packets to a server to confuse it or bring it ... This particular attack is one of the less ... (Pen-Test) Re: NNTP servers ... a typical ping is an icmp packet echo request. ... If the server was up, then you should have been able to see it with telnet ... (news.software.readers) Re: NNTP servers ... a typical ping is an icmp packet echo request. ... If the server was up, then you should have been able to see it with telnet ... (news.software.readers) Re: Network Health ... Yep, ping simply means sending an ICMP packet to the remote server, and ... and anyway won't tell you if the web server (I ... There is also a question of weather to use Ping or to use the "try to load a ... (microsoft.public.dotnet.languages.csharp)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint