Re: unexpected ICMP host unreachable - no worries?
From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid) Date: 03/28/02
- Next message: Arnoud Smit: "SSH not closing after script exit"
- Previous message: Tim Tassonis: "Re: ssh 1.2.1 Root compromise"
- In reply to: The Ambivalent DMZ: "unexpected ICMP host unreachable - no worries?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid> Date: Thu, 28 Mar 2002 11:46:27 +0000 (UTC)
< The Ambivalent DMZ
8<
>SRC=204.255.169.17 DST=(my host) LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=0
>PROTO=ICMP TYPE=3 CODE=1 [SRC=(my host) DST=(a target?) LEN=40 TOS=0x00
>PREC=0x00 TTL=27 ID=22372 PROTO=TCP INCOMPLETE [8 bytes] ]
8<
>What I'm guessing is that this is nothing more than me picking up the
>background from large attacks bounced off these routers and I'm getting
>occasional fallout when the target goes down and a packet with a random
>spoofed source address happens to coincide with that of one of my machines.
I'm not seeing this at the moment, but we discussed it this February. More details are at <http://groups.google.com/> in this NG thread, subject "ICMP type 3, an attack?". Here is my summary.
1) Backscatter of router DoS attack
2) Covert channel to control distributed scanner|attacker
3) Any other suggestions?
1) Backscatter of router DoS attack
If 204.255.169.17 is a Cisco 12000 series router, the offender attacked the router. They knew that 'a target?' doesn't exist. They flooded spoofed-SRC TCP packets to the non-existent host 'a target?' sitting 5 hops away from 204.255.169.17. You observed ICMP backscatter traffic.
http://www.cisco.com/warp/public/707/GSR-unreachables-pub.shtml
|The performance of Cisco 12000 series routers can be degraded when
|they have to send a large number of ICMP Unreachable packets....
|the processing of the replies can saturate the CPU....Exploitation of
|this vulnerability may lead to the Denial-of-Service. The router's
|performance will degrade and, in the worst case scenario, the router
|will stop forwarding packets.
2) Covert channel to control distributed scanner|attacker
I'm guessing this packet is a remote-control command to a distributed scanner|attacker, mimicking the usual ICMP 3-1 packet.
The trend is for DDoS agents to communicate with the master using the IRC protocol, but a clean `netstat` command easily detects the established TCP IRC port. Classical DDoS agents used ICMP echo reply, like TFN 1999 by Mixter. If you filter out ICMP 0, it only affects the ping application. Most stateless firewalls pass through ICMP destination unreachable packets and usually don't log them. If you filter them out, regular ICMP 3 packets will not get through and that affects many applications using the network. If you are using a stateful firewall, don't worry. But an admin who is not careful thinks it is ICMP backscatter traffic, thinks it is not so important, and ignores it if they see these logs (the offender used social engineering). The advantage of the ICMP protocol is that it can broadcast to send commands. And a pattern-oriented network IDS like `snort` can't distinguish (detect) regular ICMP 3 from imitated ICMP 3.
I make a hypothesis that this log is an imitated regular ICMP destination unreachable packet. This packet is a Cooperated Distributed Scan or DDoS controlling command from master to agents. The quoted [] part is a subliminal command and specifies the scanning pattern or attack pattern. And perhaps there are other steganographic (hides messages inside of messages, hiding data in other data) encrypted items and triggers. The purpose of the offender is to transmit commands to agents masqueraded as normal ICMP traffic (covert data tunneling). I guess this is a more sophisticated variant of TFN.
The sleep time is for scrambling incident handling. The incident handler easily relates outgoing scan or outbound flood packets to a detected incoming ICMP destination unreachable packet. But with sleeping after the incoming ICMP 3, they relate these only with difficulty. Maybe the SPT, DPT or ID fields are sleep time parameters.
I guess [... SYN ACK ...] means the type of TCP flags for the flood or scan, and the TOS field means the type of protocol for the flood or scan.
Example of TFN: ICMP flood, SYN flood, UDP flood, and Smurf.
[master] broadcast spoofed ICMP3 packets (command to agents)
|
V
[agent], [agent],... watch ICMP3 packet
| send flood packets or scan after sleep
|
V
[target]
-- Best Regards, RainbowHat. I support FULL DISCLOSURE.
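An added example, not part of RainbowHat's post: a Python parser for the netfilter-style ICMP log format quoted in the thread, applying the check the post attributes to a stateful firewall. An ICMP type 3 message is treated as expected only when the quoted inner packet matches an outbound connection we actually made; otherwise it is unsolicited, which covers both hypotheses above (backscatter of a flood spoofing our address, or something merely shaped like ICMP 3). 192.0.2.10 and 198.51.100.7 are constructed addresses; 204.255.169.17 is the router from the thread.

```python
import re

# Constructed sample in the same netfilter log format as the line quoted in the
# thread; 192.0.2.10 / 198.51.100.7 are made-up (documentation-range) addresses.
SAMPLE_LOG = (
    "SRC=204.255.169.17 DST=192.0.2.10 LEN=56 TOS=0x00 PREC=0x00 TTL=242 ID=0 "
    "PROTO=ICMP TYPE=3 CODE=1 [SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 "
    "PREC=0x00 TTL=27 ID=22372 PROTO=TCP INCOMPLETE [8 bytes] ]"
)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_icmp_unreachable(line):
    """Split a netfilter ICMP log line into (outer, inner) field dicts.

    outer: the ICMP packet itself.  inner: the header between the first '['
    and the last ']', i.e. the packet the router claims we sent, which is
    what a stateful check must be run against.
    """
    start, end = line.find("["), line.rfind("]")
    if start == -1 or end == -1 or end < start:
        return None
    outer = dict(KV_RE.findall(line[:start]))
    inner = dict(KV_RE.findall(line[start + 1:end]))
    return outer, inner


def classify(line, my_hosts, recent_outbound):
    """Classify one ICMP destination-unreachable log line.

    my_hosts:        set of addresses we own.
    recent_outbound: set of (src, dst) pairs we really sent recently, the
                     state a stateful firewall keeps.
    'expected' means the quoted packet matches our own traffic; 'unsolicited'
    means we never sent it (backscatter or imitation, indistinguishable here).
    """
    parsed = parse_icmp_unreachable(line)
    if parsed is None:
        return "unparsable"
    outer, inner = parsed
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3":
        return "not_unreachable"
    if inner.get("SRC") not in my_hosts:
        return "not_ours"        # quoted packet does not even claim our address
    if (inner["SRC"], inner.get("DST")) in recent_outbound:
        return "expected"        # we did talk to that host; a normal unreachable
    return "unsolicited"
```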