Re: ICMP type 3, an attack?

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 02/11/02

    From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
    Date: Mon, 11 Feb 2002 09:52:37 +0000 (UTC)
    
    

    < RainbowHat
    8<
    >x.x.x.x:26344 WINDOW=0, TCP flags NULL?, spoofed SRC=130.179.134.23
    > | 3hops
    > V
    >157.130.91.153:ICMP3,1[] ID=0
    > | .
    > | 15hops V
    > | 24.229.129.72:28051 unreached
    > V
    >130.179.134.23:ICMP
    >
    >157.130.91.153 was sitting between x.x.x.x and 24.229.129.72.
    >The x.x.x.x spoofed SRC=130.179.134.23 because how many hops wasn't
    >symmetry (3 : 15 hops).
    >If there were not crafted and my passive fingerprint DB is not too
    >obsolete. AFAIK Solaris or Linux reply ICMP [] quoted error message.
    > 157.130.91.153 : Cisco IOS, Solaris or Linux
    > x.x.x.x : Solaris or compromised Solaris (dtspcd exploit?)

    If 157.130.91.153 is a Cisco 12000 series router, the offender attacked
    the router. They knew that 24.229.129.72 doesn't exist. They flooded
    spoofed-SRC TCP packets to the non-existent host 24.229.129.72 sitting
    3 hops away from 157.130.91.153. Jem and ujay observed ICMP backscatter
    traffic.

    http://www.cisco.com/warp/public/707/GSR-unreachables-pub.shtml

    |The performance of Cisco 12000 series routers can be degraded when
    |they have to send a large number of ICMP Unreachable packets....
    |the processing of the replies can saturate the CPU....Exploitation of
    |this vulnerabilities may lead to the Denial-of-Service. The router's
    |performance will degrade and, in the worst case scenario, the router
    |will stop forwarding packets.

    -- 
    Best Regards,
    RainbowHat. I support FULL DISCLOSURE.
    ----+----1----+----2----+----3----+----4----+----5----+----6----+----7
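
    The backscatter described in the post above can be recognised from the spoofed address's side by reading the datagram quoted inside each ICMP type 3 message and comparing it with the flows the host really sent. This is an added example, not part of the original post: the packet is constructed from the addresses and ports in the post, and the function names and the `sent_flows` set are assumptions.

```python
import ipaddress
import struct

def ip_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0) for the constructed sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def parse_unreachable(packet):
    """Parse an IPv4 packet; return reporter, code and quoted flow for ICMP type 3."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None                                   # not IPv4 carrying ICMP
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8 or packet[ihl] != 3:
        return None                                   # not Destination Unreachable
    info = {"reporter": str(ipaddress.ip_address(packet[12:16])),
            "code": packet[ihl + 1], "flow": None}
    quote = packet[ihl + 8:]                          # quoted original datagram
    if len(quote) < 20 or quote[0] >> 4 != 4:
        return info                                   # quote missing or truncated
    qihl = (quote[0] & 0x0F) * 4
    if qihl < 20 or quote[9] not in (6, 17) or len(quote) < qihl + 4:
        return info                                   # ports only exist for TCP/UDP
    sport, dport = struct.unpack("!HH", quote[qihl:qihl + 4])
    info["flow"] = (quote[9], str(ipaddress.ip_address(quote[12:16])), sport,
                    str(ipaddress.ip_address(quote[16:20])), dport)
    return info

def classify(packet, sent_flows):
    """sent_flows: set of (proto, src, sport, dst, dport) this host really sent."""
    info = parse_unreachable(packet)
    if info is None:
        return "not-unreachable"
    if info["flow"] is None:
        return "no-quote"
    return "expected" if info["flow"] in sent_flows else "backscatter"

# Constructed sample: the ICMP 3,1 from the post as 130.179.134.23 would receive it.
quoted = ip_header("130.179.134.23", "24.229.129.72", 6, 8) + struct.pack("!HHI", 26344, 28051, 0)
icmp = struct.pack("!BBHI", 3, 1, 0, 0) + quoted      # type 3, code 1, checksum 0
SAMPLE = ip_header("157.130.91.153", "130.179.134.23", 1, len(icmp)) + icmp

if __name__ == "__main__":
    print(parse_unreachable(SAMPLE))
    print(classify(SAMPLE, sent_flows=set()))         # host never sent this flow
```

    A steady stream of "backscatter" results naming one reporter and one unreachable destination matches the pattern in the post: someone else is sending packets with this host's address as the source.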
    


