Re: Survive without ICMP?

From: Vogulus (
Date: 05/20/04

Date: Thu, 20 May 2004 20:13:20 GMT

Purl Gurl <> wrote in

> Stalks wrote:
>> Purl Gurl wrote:
> (lots snipped)
>> > Our system does respond to Port 0 and does send ICMP packets.
>> What is your system? and do all ICMP rules apply to port 0 on this
>> system?
> Stalks, after reading so many articles on this, here and
> on the internet, I do not have a clue. Everything "assumed"
> has been tossed out my window, along with the wash and baby.
> Actually I was more tempted to toss my girl out a window
> when she became a teenager, but she is past that although
> I remain a teenager, and she is now the mother.
> Stalks, just briefly, we are fed a T1 broadband connection,
> an Orion modem, Linksys programmable router, three machines
> on our LAN, each a highly modified WIN32 system (Not NT)
> with Apache, a dns server and and an email server. Apache
> is on one machine. DNS and Email on another, supporting
> programs for my cgi applications, mostly databases, on
> the final machine.
> This week, I will be plugging in a Netscreen appliance and
> linking it to SNORT. This will sit between our modem
> and our router. That should really add some surprises!
> Seems a fairly typical system. I am leaning towards the
> Linksys router responding to port 0 requests. However,
> a timestamp ICMP did make it through to our hack testing.
> This suggests at least one of our machines responding
> to a port 0 probe with an ICMP packet. Might be our
> router stripped the port 0 reference allowing an ICMP
> request to be a multicast non-port specific request.
> However, one of our servers, either DNS or email, has
> a port 0 security feature, don't remember which. I will
> take a look later, although I think it is the DNS server.
> On Linksys responding, I believe this is the origin of
> the ICMP packet for a netmask. This makes sense because
> our router is netmasked for a single ip address on
> the T1 WAN system. Our internal LAN netmasking is
> multiple addresses, and this did not show in probes.
> To add confusion, each machine is netmasked for
> a single ip address ( which may
> also be the port 0 ICMP reponse.
> Hack probes for port 0 did yield ICMP packets.
> Your guess is good as any, Stalks. I have been rendered
> literally clueless on this.
>> May the ping be with you ....
> I told you to stop that!
> Purl Gurl


Is it your goal to troll the internet pulling statements out of your

I wish you'd get back to day trading... or running the casino. Whatever
you do.


Relevant Pages

  • Re: UDP port scan results
    ... "A router which sends ICMP Source Quench messages MUST be able to ... So, let's assume you want to scan 64K port, 10 packets a port to try ...
  • Re: ipfw-ntad-jail
    ... > Ok, so I setup IPFW and NATd on my freeBSD 4.5-RELEASE box, ... > host (dagobah) ... > allow ftp (port 21) ... > add 00600 allow icmp from any to any icmptypes 3 ...
  • Re: Survive without ICMP?
    ... ICMP resides above IP protocol, ... it receives a UDP or TCP packet on port 0 would be packets ... ICMP Type 3 Code 3 (Port unreachable). ... when it receives a TCP packet to a forbidden port which may ...
  • Re: Keine ICMP Replys mit NAT unter Windows 2003 Server SR2
    ... Windows wohl nichts anderes übrigbleiben als "Port and Address ... Protokollen wie ICMP, die keine Ports haben... ... Und wieso funktionierts dann bei uns allen? ... Port Address Translation extends the notion of translation one step ...
  • Re: nmap and icmp-replies
    ... Since UDP is stateless, it's the only way a stack can "tell" a port is closed/filtered. ... Even if you send a packet to an open UDP Port, depending on the protocol your scanner has to send a valid payload to get an answer. ... If your target sends ICMP Dest-Unrecheachables, ... You have an option to go with a managed service or an enterprise software. ...