Re: ICMP type 3, an attack?

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 02/04/02


< Jem Berkes
8<
>Feb 3 03:02:22 karma kernel: FW_INPUT IN=eth0 OUT= MAC=XX..
>SRC=157.130.91.153
(NET-UUNETCUSTB40)UUNET Technologies,Inc.
>DST=130.179.134.23
(NET-UMANITOBA)University of Manitoba
>LEN=56 TOS=0x00 PREC=0x00
usual
>TTL=240
255-240=15 hops
>ID=0
    ~ why was ID zero? Patched kernel or crafted packet?
>PROTO=ICMP TYPE=3 CODE=1
ICMP_DEST_UNREACH 3 Destination Unreachable
ICMP_HOST_UNREACH 1 Host Unreachable
>[
>SRC=130.179.134.23
>DST=24.229.129.72
(NETBLK-PENTEL-CABLE)PenTeleData Inc.
>LEN=40
no data
>TOS=0x08
IPTOS_THROUGHPUT 0x08 (application dependent)
>PREC=0x00
>TTL=252
255-252=3 hops
>ID=19623
DF bit was not set
>PROTO=TCP SPT=26344 DPT=28051
>WINDOW=0
        ~ why was WINDOW size zero?
>RES=0x00
TCP flags were not set? NULL probe?
>URGP=0
>]

x.x.x.x:26344 WINDOW=0, TCP flags NULL?, spoofed SRC=130.179.134.23
 | 3hops
 V
157.130.91.153:ICMP3,1[] ID=0
 | .
 | 15hops V
 | 24.229.129.72:28051 unreached
 V
130.179.134.23:ICMP

157.130.91.153 was sitting between x.x.x.x and 24.229.129.72.
x.x.x.x spoofed SRC=130.179.134.23, because the hop counts weren't
symmetric (3 : 15 hops).
If these were not crafted and my passive fingerprint DB is not too
obsolete: AFAIK Solaris or Linux reply with the ICMP [] quoted error message.
 157.130.91.153 : Cisco IOS, Solaris or Linux
 x.x.x.x : Solaris or compromised Solaris (dtspcd exploit?)
I'm wondering "WINDOW=0".
 * Window scan? nmap -sW -D 130.179.134.23,...?
 * x.x.x.x was very crowded/busy? (DoS-ed?)
 * Throttling? (variant of LaBrea?)
 * RST packet?
I'm wondering "ID=0".
 * Whole packet above was crafted?
 * patched kernel?

Have you tried traceroute to 157.130.91.153 and 24.229.129.72 from
130.179.134.23, and nmap probing with OS fingerprinting (or xprobe) of
157.130.91.153 and 24.229.129.72? If the hop count between
130.179.134.23 and 157.130.91.153 is nearly 15, the ICMP packet, not
including the [] quoted part, was real. If not, the whole packet above
was crafted by someone. Can you reach 24.229.129.72 from 130.179.134.23
with a regular packet?

-- 
Best Regards,
RainbowHat. I support FULL DISCLOSURE.
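An added example, not part of the thread, that automates the reasoning in the post: it parses a netfilter LOG line, separates the [] quoted original header that the kernel appends to ICMP errors, estimates hop counts from TTL the way the post does (255-240=15, 255-252=3), and flags the oddities discussed (ID=0, WINDOW=0, quoted SRC not ours, asymmetric hop counts). The log line is reassembled from the fragments quoted above; the initial-TTL table and the 4-hop tolerance are assumptions.

```python
import re

# Constructed sample: the log line quoted in the thread, rejoined on one
# line (the post shows it split into fragments with commentary).
SAMPLE = ("Feb 3 03:02:22 karma kernel: FW_INPUT IN=eth0 OUT= MAC=XX.. "
          "SRC=157.130.91.153 DST=130.179.134.23 LEN=56 TOS=0x00 PREC=0x00 "
          "TTL=240 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=130.179.134.23 "
          "DST=24.229.129.72 LEN=40 TOS=0x08 PREC=0x00 TTL=252 ID=19623 "
          "PROTO=TCP SPT=26344 DPT=28051 WINDOW=0 RES=0x00 URGP=0 ]")

KV = re.compile(r"(\w+)=(\S*)")

def parse_netfilter(line):
    """Return (outer, inner) field dicts. inner holds the [...] quoted
    original header that netfilter logs for ICMP errors, or {} if absent."""
    inner = {}
    m = re.search(r"\[(.*?)\]", line)
    if m:
        inner = dict(KV.findall(m.group(1)))
        line = line[:m.start()] + line[m.end():]
    outer = dict(KV.findall(line.split("kernel:", 1)[-1]))
    return outer, inner

def hops_from_ttl(ttl, initial_ttls=(64, 128, 255)):
    """Hop estimate as in the post: pick the smallest common initial TTL
    (assumed table) that is >= the observed TTL and take the difference."""
    ttl = int(ttl)
    return min(t for t in initial_ttls if t >= ttl) - ttl

def analyse_icmp_unreach(line, my_addr, tolerance=4):
    """List the anomalies the post reasons about for an ICMP type 3 line."""
    outer, inner = parse_netfilter(line)
    findings = []
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3":
        return findings
    if outer.get("ID") == "0":
        findings.append("outer IP ID is 0 (patched kernel or crafted?)")
    if not inner:
        findings.append("no quoted original header")
        return findings
    if inner.get("SRC") != my_addr:
        findings.append("quoted SRC is not our address")
    if inner.get("PROTO") == "TCP" and inner.get("WINDOW") == "0":
        findings.append("quoted TCP window is 0")
    # Path symmetry: the error reached us over hops_out hops, so a packet
    # we really sent should have reached that router after about as many.
    hops_out = hops_from_ttl(outer["TTL"])
    hops_in = hops_from_ttl(inner["TTL"])
    if abs(hops_out - hops_in) > tolerance:
        findings.append(f"asymmetric hops {hops_in} vs {hops_out}: quoted SRC likely spoofed")
    return findings
```

The hop estimate is only a heuristic (initial TTLs vary by OS), which is why the post asks for a traceroute to confirm the real distance.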