RE: ICMP Parameter Problem packets to random addresses

From: Fernando Cardoso (fernando.cardosoat_private)
Date: Tue Jun 19 2001 - 02:10:00 PDT

Next message: Nicolas Gregoire: "SYN FIN Scan with src port == dst port"

Previous message: Vitaly Osipov: "Re: UDP flood of one of my mashines"
In reply to: Russell Fulton: "ICMP Parameter Problem packets to random addresses"
Next in thread: Ofir Arkin: "RE: ICMP Parameter Problem packets to random addresses"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Greetings All
> 		Periodically, over the last few months, I have been
> seeing bursts of ICMP Parameter Problem (type 12, code 0) like those
> below that were picked up by snort today:
>
> Jun 19 10:01:34 takahe snort[64968]: PING-ICMP Parameter Problem:
> 194.42.253.254 -> 130.216.186.122
[...]
> I have been assuming that this traffic is a fall out from a DoS
> lauched against 194.42.253.254 (or some host behind it if it is a
> router).  One thing that might cause this is ICMP packets that set
> random values to type and code fields in a flood attack.  I seem to
> remember that one of the common DoS Tools does just that.
>
> Any other thoughts?

I agree with your assumptions, but I don't recall any common DoS tool that
can cause that sort of behaviour. There's an obscure(?) DoS exploit for
Linux 2.2.x Kernel that works by flooding a box with ICMP random stuff.
Here's part of the relevant code:

	    icmph.iph.daddr = addrs.sin_addr.s_addr;
	    icmph.iph.frag_off = htons(0);
	    icmph.icp.icmp_type = random() % 14;
	    icmph.icp.icmp_code = random() % 10;
	    icmph.icp.icmp_cksum = 0;
	    icmph.icp.icmp_id = 2650;
	    icmph.icp.icmp_seq = random() % 255;
	    icmph.icp.icmp_cksum = in_cksum((int *)&icmph.icp, 1024);

If you are using -d option on snort you can check for what type of
pointer-error ICMP is giving.

Cheers

Fernando

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardosoat_private     http://www.whatevernet.com/



_____________________________________________________________________
                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------

Next message: Nicolas Gregoire: "SYN FIN Scan with src port == dst port"
Previous message: Vitaly Osipov: "Re: UDP flood of one of my mashines"
In reply to: Russell Fulton: "ICMP Parameter Problem packets to random addresses"
Next in thread: Ofir Arkin: "RE: ICMP Parameter Problem packets to random addresses"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 16:14:33 PDT