Re: ICMP type 3, an attack?

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: Mon, 4 Feb 2002 08:36:05 +0000 (UTC)


< Jem Berkes
8<
>Feb 3 03:02:22 karma kernel: FW_INPUT IN=eth0 OUT= MAC=XX..
>SRC=157.130.91.153
(NET-UUNETCUSTB40)UUNET Technologies,Inc.
>DST=130.179.134.23
(NET-UMANITOBA)University of Manitoba
>LEN=56 TOS=0x00 PREC=0x00
usual
>TTL=240
255-240=15 hops
>ID=0
    ~ why was ID zero? patched kernel or crafted packet?
>PROTO=ICMP TYPE=3 CODE=1
ICMP_DEST_UNREACH 3 Destination Unreachable
ICMP_HOST_UNREACH 1 Host Unreachable
>[
>SRC=130.179.134.23
>DST=24.229.129.72
(NETBLK-PENTEL-CABLE)PenTeleData Inc.
>LEN=40
has no data
>TOS=0x08
IPTOS_THROUGHPUT 0x08 (application dependent)
>PREC=0x00
>TTL=252
255-252=3(hops)
>ID=19623
DF bit was not set
>PROTO=TCP SPT=26344 DPT=28051
>WINDOW=0
        ~ why was the WINDOW size zero?
>RES=0x00
TCP flags were not set? NULL probe?
>URGP=0
>]

x.x.x.x:26344 WINDOW=0, TCP flags NULL?, spoofed SRC=130.179.134.23
 | 3hops
 V
157.130.91.153:ICMP3,1[] ID=0
 | .
 | 15hops V
 | 24.229.129.72:28051 unreached
 V
130.179.134.23:ICMP

157.130.91.153 was sitting between x.x.x.x and 24.229.129.72.
The x.x.x.x spoofed SRC=130.179.134.23, because the hop counts weren't
symmetric (3 : 15 hops).
If these were not crafted and my passive fingerprint DB is not too
obsolete: AFAIK Solaris or Linux reply with an ICMP error message that
includes the [] quoted header.
 157.130.91.153 : Cisco IOS, Solaris or Linux
 x.x.x.x : Solaris or compromised Solaris (dtspcd exploit?)
I'm wondering about "WINDOW=0".
 * Window scan? nmap -sW -D 130.179.134.23,...?
 * x.x.x.x was very busy? (DoS-ed?)
 * Throttling? (variant of LaBrea?)
 * RST packet?
I'm wondering about "ID=0".
 * Whole packet above was crafted?
 * patched kernel?

Have you tried traceroute to 157.130.91.153 and 24.229.129.72 from
130.179.134.23, and nmap probing with OS fingerprinting (or xprobe) of
157.130.91.153 and 24.229.129.72? If the hop count between
130.179.134.23 and 157.130.91.153 is nearly 15, the ICMP packet, not
including the [] quoted part, was real. If not, the whole packet above
was crafted by someone. Can you reach 24.229.129.72 from 130.179.134.23
with a regular packet?

-- 
Best Regards,
RainbowHat. I support FULL DISCLOSURE.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
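As an added example, not part of RainbowHat's post or of the original thread: a small Python script that applies the same checks the post walks through to the quoted FW_INPUT log line. It splits the iptables LOG output into the outer IP/ICMP header and the `[...]` quoted original header, decodes the ICMP type 3 code, estimates hop counts from TTL the way the post does (assuming an initial TTL of 255 for both headers), and flags ID=0, WINDOW=0, missing TCP flags, a missing DF bit and the 3-vs-15 hop asymmetry that suggests a spoofed source. The sample line is reassembled from the log quoted in the post (with the MAC elided as "XX.." there); the list of common initial TTLs and the 5-hop asymmetry threshold are assumptions of this example, not anything the post states.

```python
import re

# Log line reassembled, as one line, from the FW_INPUT entry quoted in the
# post (the MAC is elided "XX.." in the original and kept that way here).
# Constructed sample input for this example.
SAMPLE_LINE = (
    "Feb 3 03:02:22 karma kernel: FW_INPUT IN=eth0 OUT= MAC=XX.. "
    "SRC=157.130.91.153 DST=130.179.134.23 LEN=56 TOS=0x00 PREC=0x00 "
    "TTL=240 ID=0 PROTO=ICMP TYPE=3 CODE=1 "
    "[SRC=130.179.134.23 DST=24.229.129.72 LEN=40 TOS=0x08 PREC=0x00 "
    "TTL=252 ID=19623 PROTO=TCP SPT=26344 DPT=28051 WINDOW=0 RES=0x00 URGP=0 ]"
)

# Assumption: initial TTLs commonly used by IP stacks (the post assumes 255).
COMMON_INITIAL_TTLS = (64, 128, 255)

# ICMP type 3 (Destination Unreachable) codes from RFC 792 / RFC 1122.
ICMP_UNREACH_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation Needed", 5: "Source Route Failed",
    9: "Net Administratively Prohibited", 10: "Host Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}

# Bare tokens the iptables LOG target prints for TCP flags (no "key=value").
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Assumption for this example: hop counts that differ by more than this are
# treated as asymmetric (the post's case is 3 vs 15).
HOP_ASYMMETRY_THRESHOLD = 5


def parse_kv(text):
    """Split 'K=V' tokens into a dict; bare tokens (DF, SYN, ...) into a set."""
    fields, flags = {}, set()
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            flags.add(tok)
    return fields, flags


def parse_iptables_log(line):
    """Return (outer_fields, outer_flags, inner_fields, inner_flags).

    The LOG target prints the original IP header carried inside an ICMP error
    between '[' and ']'; inner_* are None when no such quote is present.
    """
    start = line.find("IN=")
    if start < 0:
        raise ValueError("not an iptables LOG line")
    body = line[start:]
    m = re.search(r"\[(.*?)\]", body)
    outer, outer_flags = parse_kv(body[:m.start()] if m else body)
    inner = inner_flags = None
    if m:
        inner, inner_flags = parse_kv(m.group(1))
    return outer, outer_flags, inner, inner_flags


def estimate_hops(ttl):
    """Guess the initial TTL as the smallest common value >= observed; return (initial, hops)."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def analyze(line):
    """Apply the post's checks to an ICMP error and its quoted original header."""
    outer, outer_flags, inner, inner_flags = parse_iptables_log(line)
    report = {"notes": []}
    _, outer_hops = estimate_hops(int(outer["TTL"]))
    report["outer_hops"] = outer_hops
    report["outer_id_zero"] = outer.get("ID") == "0"
    if report["outer_id_zero"]:
        report["notes"].append("outer IP ID=0: crafted packet or a kernel that zeroes the ID?")
    report["icmp"] = None
    if outer.get("PROTO") == "ICMP" and outer.get("TYPE") == "3":
        code = int(outer["CODE"])
        report["icmp"] = "Destination Unreachable / " + ICMP_UNREACH_CODES.get(code, "code %d" % code)
    if inner is None:
        report["notes"].append("ICMP error carries no quoted original header")
        return report
    # An ICMP error should quote a packet we actually sent (inner SRC == our DST).
    report["quote_claims_our_packet"] = inner.get("SRC") == outer.get("DST")
    if not report["quote_claims_our_packet"]:
        report["notes"].append("quoted SRC is not our address: unsolicited ICMP error")
    _, inner_hops = estimate_hops(int(inner["TTL"]))
    report["inner_hops"] = inner_hops
    # The same router saw the quoted packet and sent the error back, so the two
    # hop counts should be roughly symmetric; a big mismatch points at a spoofed SRC.
    report["hop_asymmetry"] = abs(inner_hops - outer_hops) > HOP_ASYMMETRY_THRESHOLD
    if report["hop_asymmetry"]:
        report["notes"].append("hop counts %d vs %d are asymmetric: quoted SRC likely spoofed" % (inner_hops, outer_hops))
    report["df_set"] = "DF" in inner_flags
    if inner.get("PROTO") == "TCP":
        report["tcp_null"] = not (inner_flags & TCP_FLAG_TOKENS)
        report["window_zero"] = inner.get("WINDOW") == "0"
        if report["tcp_null"]:
            report["notes"].append("no TCP flags in quoted header: NULL probe, or quote too short to carry them?")
        if report["window_zero"]:
            report["notes"].append("WINDOW=0: window scan, RST, or a throttled/busy sender?")
    return report


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_LINE).items():
        print("%-24s %s" % (key, val))
```

The hop estimate is only as good as the initial-TTL guess: a stack that starts at 64 and a stack that starts at 128 can produce the same observed TTL from very different distances, which is why the post asks for a traceroute from 130.179.134.23 before trusting the 15-hop figure.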


