RE: ICMP Parameter Problem packets to random addresses

From: Ofir Arkin (ofir@sys-security.com)
Date: Tue Jun 19 2001 - 20:04:21 PDT


    Russell,
    
    This can also be a chain reaction for a decoy scan attempt using IPs from
    your network, when scanning the target 194.42.253.254
    
    Eliciting an ICMP Parameter Problem from the targeted host is not so
    trivial.
    I have written about this in my research paper "ICMP Usage In Scanning" that
    can be downloaded from:
    
    http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.zip
    The file size is ~ 1.75mb when zipped
    
    http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.pdf
    The file size is ~ 5.39mb.
    
    If you have the entire packet dump you can look and see which packet is the
    offending packet that caused the error. Its IP header and at least 8 bytes
    from the packet that caused the error should be echoed with the ICMP Error
    message. If not, this is forged.
    
    I would guess it will be the same packet or forged.
    
    If this is just forged ICMP Parameter Problem error messages for Denial of
    Service then the offending packet echoed inside the ICMP error message might
    not have a field inside the IP header that actually causes the error.
    
    Cheers Mate
    
    Ofir Arkin [ofir@sys-security.com]
    Founder
    The Sys-Security Group
    http://www.sys-security.com
    PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
    
    
    
    -----Original Message-----
    From: r.fultonat_private [mailto:r.fultonat_private]
    Sent: Monday, June 18, 2001 5:22 PM
    To: incidentsat_private
    Subject: ICMP Parameter Problem packets to random addresses
    
    
    Greetings All
    
    Periodically, over the last few months, I have been
    seeing bursts of ICMP Parameter Problem (type 12, code 0) like those
    below that were picked up by snort today:
    
    Jun 19 10:01:34 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.186.122
    Jun 19 10:02:50 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.14.27
    Jun 19 10:05:40 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.74.94
    Jun 19 10:07:38 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.96.37
    Jun 19 10:08:58 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.132.107
    Jun 19 10:11:26 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.164.3
    Jun 19 10:22:24 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.138.66
    Jun 19 10:23:08 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.140.43
    Jun 19 10:23:52 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.145.97
    Jun 19 10:32:34 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.114.1
    Jun 19 10:50:47 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.187.73
    Jun 19 11:01:19 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.194.11
    Jun 19 11:14:26 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.62.75
    Jun 19 11:16:22 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.211.108
    Jun 19 11:25:06 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.232.56
    Jun 19 11:26:42 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.178.94
    Jun 19 11:43:36 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.194.12
    Jun 19 11:44:24 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.234.34
    Jun 19 11:52:17 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.119.15
    Jun 19 11:54:53 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.162.31
    Jun 19 11:59:44 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.78.101
    Jun 19 12:01:27 takahe snort[64968]: PING-ICMP Parameter Problem:
    194.42.253.254 -> 130.216.130.7
    
    The destination addresses appear to be random addresses in our /16
    address space.  The bursts last for varying lengths of time (anything
    from a few hours to a few days).
    
    I have been assuming that this traffic is fallout from a DoS
    launched against 194.42.253.254 (or some host behind it if it is a
    router).  One thing that might cause this is ICMP packets that set
    random values to type and code fields in a flood attack.  I seem to
    remember that one of the common DoS Tools does just that.
    
    Any other thoughts?
    
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    



    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 16:39:04 PDT