Re: ICMP type 3, an attack?

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 02/04/02

From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Mon, 4 Feb 2002 08:36:05 +0000 (UTC)

< Jem Berkes
>Feb 3 03:02:22 karma kernel: FW_INPUT IN=eth0 OUT= MAC=XX..
(NET-UUNETCUSTB40)UUNET Technologies,Inc.
(NET-UMANITOBA)University of Manitoba
>LEN=56 TOS=0x00 PREC=0x00
255-240=15 hops
    ~ why was ID zero? patched kernel or crafted packet?
ICMP_DEST_UNREACH 3 Destination Unreachable
ICMP_HOST_UNREACH 1 Host Unreachable
has no data
IPTOS_THROUGHPUT 0x08 (application dependent)
DF bit was not set
>PROTO=TCP SPT=26344 DPT=28051
        ~ why was WINDOW size zero?
TCP flags were not set? NULL probe?

x.x.x.x:26344 WINDOW=0, TCP flags NULL?, spoofed SRC=
 | 3hops
 V,1[] ID=0
 | .
 | 15hops V
 | unreached
 V was sitting between x.x.x.x and
The x.x.x.x spoofed SRC= because the hop counts weren't
symmetric (3 : 15 hops).
If they were not crafted and my passive fingerprint DB is not too
obsolete. AFAIK Solaris or Linux reply with ICMP [] quoted error message. : Cisco IOS, Solaris or Linux
 x.x.x.x : Solaris or compromised Solaris (dtspcd exploit?)
I'm wondering "WINDOW=0".
 * Window scan? nmap -sW -D,...?
 * x.x.x.x was very crowded or busy? (DoS-ed?)
 * Throttling? (variant of LaBrea?)
 * RST packet?
I'm wondering "ID=0".
 * Whole packet above was crafted?
 * patched kernel?

Have you tried traceroute to and from, and nmap probing with OS fingerprint (or xprobe) to and? If the hop count is nearly equal to 15
between and, the ICMP packet (not including the
[] quoted part) was real. If not, the whole packet above was crafted by
someone. Can you reach from with a
regular packet?

Best Regards,
RainbowHat. I support FULL DISCLOSURE.
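The analysis RainbowHat walks through above (reading the netfilter log line, translating the ICMP type/code, deriving hop counts from the TTL, and flagging the odd ID=0, WINDOW=0 and missing TCP flags) can be scripted so it runs over a firewall log rather than being done by hand. The following is an added example written for this archive page, not code from the original thread or from either poster. The log line it parses is constructed (RFC 5737 documentation addresses) in the standard netfilter LOG format with the quoted inner header in square brackets; the initial-TTL guess (32/64/128/255) and the assumption that the router quotes the inner header with the TTL it saw on arrival are analysis heuristics, not facts from the post.

```python
import re

# Constructed sample in netfilter LOG format; addresses are documentation ranges.
# Outer datagram: the ICMP error as it arrived. Bracketed part: the quoted header
# of the packet the router claims to have been unable to deliver.
SAMPLE_LINE = (
    "Feb  3 03:02:22 karma kernel: FW_INPUT IN=eth0 OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=56 TOS=0x00 PREC=0x00 TTL=240 ID=0 "
    "PROTO=ICMP TYPE=3 CODE=1 "
    "[SRC=198.51.100.5 DST=203.0.113.7 LEN=40 TOS=0x08 PREC=0x00 TTL=61 ID=0 "
    "PROTO=TCP SPT=26344 DPT=28051 WINDOW=0 RES=0x00 URGP=0 ]"
)

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              8: "Echo Request", 11: "Time Exceeded"}
DEST_UNREACH_CODES = {0: "Network Unreachable", 1: "Host Unreachable",
                      2: "Protocol Unreachable", 3: "Port Unreachable",
                      4: "Fragmentation Needed",
                      13: "Communication Administratively Prohibited"}
IP_FLAGS = {"DF", "MF"}
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
INITIAL_TTLS = (32, 64, 128, 255)   # heuristic: common OS defaults


def parse_fields(text):
    """Split KEY=VALUE tokens into a dict; bare flag tokens (DF, SYN, ...) into a set."""
    fields, flags = {}, set()
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in IP_FLAGS or tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags


def estimate_hops(ttl):
    """Guess the sender's initial TTL as the smallest common default >= ttl."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def analyze(line):
    """Return a summary dict for one netfilter LOG line carrying an ICMP error."""
    m = re.search(r"\[(.*?)\]", line)
    inner_text = m.group(1) if m else ""
    outer_text = (line[:m.start()] + line[m.end():]) if m else line
    outer, _ = parse_fields(outer_text)
    inner, inner_flags = parse_fields(inner_text)

    icmp_type = int(outer.get("TYPE", -1))
    icmp_code = int(outer.get("CODE", -1))
    type_name = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
    code_name = DEST_UNREACH_CODES.get(icmp_code, "code %d" % icmp_code) \
        if icmp_type == 3 else "code %d" % icmp_code

    # Outer TTL: distance from the router that emitted the error to us.
    # Inner TTL: distance from the quoted SRC to that router, assuming the
    # router quoted the header with the TTL it received (analysis assumption).
    outer_init, outer_hops = estimate_hops(int(outer["TTL"]))
    inner_init, inner_hops = (estimate_hops(int(inner["TTL"]))
                              if "TTL" in inner else (None, None))

    anomalies = []
    if outer.get("ID") == "0":
        anomalies.append("outer IP ID is 0")
    if inner.get("ID") == "0":
        anomalies.append("quoted IP ID is 0")
    if inner.get("PROTO") == "TCP":
        if inner.get("WINDOW") == "0":
            anomalies.append("quoted TCP window is 0")
        if not (inner_flags & TCP_FLAGS):
            anomalies.append("quoted TCP segment carries no flags")
    # If the quoted packet had really left our host, its hop count to the
    # router should roughly match the router's hop count back to us.
    if inner_hops is not None and abs(inner_hops - outer_hops) > 2:
        anomalies.append("hop asymmetry %d vs %d" % (inner_hops, outer_hops))

    return {
        "icmp": "%s / %s" % (type_name, code_name),
        "from_router": outer.get("SRC"),
        "outer_initial_ttl": outer_init, "outer_hops": outer_hops,
        "inner_initial_ttl": inner_init, "inner_hops": inner_hops,
        "quoted_src": inner.get("SRC"), "quoted_dst": inner.get("DST"),
        "quoted_tcp_flags": inner_flags & TCP_FLAGS,
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LINE).items():
        print("%-18s %s" % (key, value))
```

On the constructed line this reports Destination Unreachable / Host Unreachable, 15 hops from the router (TTL 240, initial 255) against 3 hops for the quoted packet (TTL 61, initial 64), and lists the zero IDs, zero window, flagless TCP header and the hop asymmetry, which is exactly the set of oddities the post singles out for a closer look.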
