Re: ICMP TYPE 3

From: Kurt Seifried (bt_at_seifried.org)
Date: 09/14/03

    To: "gr00vy" <groovy2600@yahoo.com.ar>, "pentest" <pen-test@securityfocus.com>
    Date: Sat, 13 Sep 2003 22:00:20 -0600
    
    

    > While I was doing some research work I pinged a broadcast IP address
    > and to my surprise I received a strange response:

    > Type: 3 (Destination unreachable)
    > Code: 13 (Communication administratively filtered) <<< Weird!

    Pretty much sums it up. Someone has an ACL or filter that replies with an
    ICMP error message (Dest unreachable, reason: Communication administratively
    filtered). This could be done in IPTables for example via "--reject-with"
    (not sure if it will return that specific error) or in PF on OpenBSD with
    "return-icmp" which "causes ICMP messages to be returned for packets which
    match the rule. By default this is an ICMP UNREACHABLE message, however
    this can be overridden by specifying a message as a code or number.". I'm
    sure others like IOS/etc can also do it.

    My bet: someone has a gateway firewall that blocks icmp traffic (and
    possibly others) to broadcast addresses on their network and is polite
    enough to send a response message saying so. Which is the right thing to do
    in my opinion.

    Kurt Seifried, kurt@seifried.org
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
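As an added illustration (not part of Kurt's reply or the original thread), the following Python decodes an ICMP type 3 message like the one gr00vy saw and pulls the quoted original datagram out of it, so a defender reviewing a capture can confirm which destination was filtered and that it was the directed broadcast of a given subnet. The sample packet is constructed here (source 10.0.0.5, subnet 192.168.1.0/24 and its broadcast 192.168.1.255 are assumed values).

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Names for ICMP destination-unreachable (type 3) codes seen in practice.
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed", 5: "source route failed",
    9: "net administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively filtered",
}

def icmp_checksum(data: bytes) -> int:
    """One's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_unreachable(icmp: bytes) -> dict:
    """Decode a type 3 message plus the quoted IP header of the filtered packet."""
    icmp_type, code, _cksum = struct.unpack("!BBH", icmp[:4])
    if icmp_type != 3:
        raise ValueError("not a destination-unreachable message")
    if icmp_checksum(icmp) != 0:          # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                      # original IP header + first 8 payload bytes
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src, dst = struct.unpack("!4s4s", inner[12:20])
    transport = inner[ihl:ihl + 8]
    return {
        "code": code,
        "reason": UNREACH_CODES.get(code, "unknown (%d)" % code),
        "filtered_proto": proto,
        "original_src": str(IPv4Address(src)),
        "original_dst": str(IPv4Address(dst)),
        "original_icmp_type": transport[0] if proto == 1 else None,
    }

def is_directed_broadcast(addr: str, network: str) -> bool:
    """True if addr is the broadcast address of the given subnet."""
    return IPv4Address(addr) == IPv4Network(network).broadcast_address

def build_sample() -> bytes:
    """Constructed sample: a filter's code-13 reply to an echo request for 192.168.1.255."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0x1234, 0, 64, 1, 0,
                           IPv4Address("10.0.0.5").packed,
                           IPv4Address("192.168.1.255").packed)
    echo_head = struct.pack("!BBHHH", 8, 0, 0, 0x4242, 1)   # first 8 bytes of the echo
    body = struct.pack("!BBHI", 3, 13, 0, 0) + inner_ip + echo_head
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
```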


