Re: ICMP type 3, an attack?

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: Mon, 4 Feb 2002 08:36:05 +0000 (UTC)

> Jem Berkes
>Feb 3 03:02:22 karma kernel: FW_INPUT IN=eth0 OUT= MAC=XX..
(NET-UUNETCUSTB40)UUNET Technologies,Inc.
(NET-UMANITOBA)University of Manitoba
>LEN=56 TOS=0x00 PREC=0x00
255-240=15 hops
    ~ why was the ID zero? patched kernel or crafted packet?
ICMP_DEST_UNREACH 3 Destination Unreachable
ICMP_HOST_UNREACH 1 Host Unreachable
has no data
IPTOS_THROUGHPUT 0x08 (application dependent)
DF bit was not set
>PROTO=TCP SPT=26344 DPT=28051
        ~ why was the WINDOW size zero?
TCP flags were not set? NULL probe?

x.x.x.x:26344 WINDOW=0, TCP flags NULL?, spoofed SRC=
 | 3hops
 V,1[] ID=0
 | .
 | 15hops V
 | unreached
 V was sitting between x.x.x.x and
The x.x.x.x spoofed the SRC= because the hop counts weren't
symmetric (3 : 15 hops).
If they were not crafted and my passive fingerprint DB is not too
obsolete: AFAIK Solaris or Linux reply with an ICMP [] quoted error message. : Cisco IOS, Solaris or Linux
 x.x.x.x : Solaris or compromised Solaris (dtspcd exploit?)
I'm wondering "WINDOW=0".
 * Window scan? nmap -sW -D,...?
 * x.x.x.x was very crowded/busy? (DoS-ed?)
 * Throttling? (variant of LaBrea?)
 * RST packet?
I'm wondering "ID=0".
 * Whole packet above was crafted?
 * patched kernel?

Have you tried traceroute to and from, and nmap probing with OS fingerprint (or xprobe) to and? If the hop count is nearly equal to 15
between and, the ICMP packet, not including the
[] quoted part, was real. If not, the whole packet above was crafted by
someone. Can you reach from with a
regular packet?

Best Regards,
RainbowHat. I support FULL DISCLOSURE.
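The checks RainbowHat walks through by hand (hops estimated from the TTL against a likely initial TTL, ID=0 and WINDOW=0 in the quoted header, whether the quoted packet is one our host could actually have sent) can be scripted over netfilter LOG lines. The following is an added example of my own, not code from either poster: the sample line is constructed with RFC 5737 documentation addresses and an assumed inner TTL, and the initial-TTL table (64/128/255) is the usual fingerprinting heuristic, not a guarantee.

```python
import re

# Common initial TTLs: 64 (Linux/BSD), 128 (Windows), 255 (Solaris, Cisco IOS).
INITIAL_TTLS = (64, 128, 255)

# Constructed sample in netfilter LOG format (addresses and inner TTL are made up,
# not the hosts from the original post). The [...] part is the quoted IP/TCP header
# that an ICMP type 3 error carries back.
SAMPLE = ("Feb  3 03:02:22 karma kernel: FW_INPUT IN=eth0 OUT= MAC=XX.. "
          "SRC=192.0.2.10 DST=198.51.100.20 LEN=56 TOS=0x00 PREC=0x00 TTL=240 ID=0 "
          "PROTO=ICMP TYPE=3 CODE=1 "
          "[SRC=198.51.100.20 DST=203.0.113.5 LEN=40 TOS=0x08 PREC=0x00 TTL=61 ID=0 "
          "PROTO=TCP SPT=26344 DPT=28051 WINDOW=0 RES=0x00 ] ")


def _kv(text):
    """Turn 'KEY=VALUE KEY=VALUE ...' into a dict; bare words like FW_INPUT are skipped."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def parse_netfilter(line):
    """Return (outer_fields, inner_fields); inner is empty when no quoted header is present."""
    outer_text, inner = line, {}
    m = re.search(r"\[(.*?)\]", line)
    if m:
        inner = _kv(m.group(1))
        outer_text = line[:m.start()]
    return _kv(outer_text), inner


def hops_from_ttl(ttl):
    """Guess (initial_ttl, hops) by picking the smallest common initial TTL >= observed TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    return None, None  # TTL > 255 cannot occur in a valid IPv4 packet


def analyze(line):
    """Collect the observations a log reviewer would want for an ICMP error line."""
    outer, inner = parse_netfilter(line)
    f = {}
    f["outer_hops"] = hops_from_ttl(int(outer["TTL"]))[1]
    f["is_host_unreach"] = (outer.get("PROTO") == "ICMP"
                            and outer.get("TYPE") == "3" and outer.get("CODE") == "1")
    f["outer_id_zero"] = outer.get("ID") == "0"
    if inner:
        f["inner_hops"] = hops_from_ttl(int(inner["TTL"]))[1]
        f["inner_id_zero"] = inner.get("ID") == "0"
        f["inner_window_zero"] = inner.get("WINDOW") == "0"
        # A legitimate error quotes a packet *we* sent: inner SRC must be our address (outer DST).
        f["quoted_src_is_us"] = inner.get("SRC") == outer.get("DST")
        # IPTOS_THROUGHPUT (0x08) set on the quoted packet, as noted in the post.
        f["throughput_tos"] = (int(inner.get("TOS", "0"), 16) & 0x08) != 0
    return f


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Asymmetric hop estimates (here 15 for the ICMP error versus 3 for the quoted packet), ID=0 on both headers and a zero TCP window are each individually explainable, so the script reports them as observations for the reviewer rather than as a verdict; the one hard consistency check is `quoted_src_is_us`, since an unreachable error quoting a packet our host never originated is unsolicited regardless of the TTLs.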