Some interesting traffic came through my firewall today. We allow the following ICMP traffic:

outbound echo-request
inbound echo-reply
inbound dest-unreachable
inbound time-exceeded
inbound

The interesting part is that there was a massive amount of destination unreachable traffic coming into the network with NO originating echo-request.

Let me rephrase... I looked at one of the addresses that was sending dest-unreachable packets... there was no originating or corresponding echo-request to that IP address. For that matter, there was no traffic initiated on my side to that address whatsoever.

The question now becomes... what exposure does this give me? What can be gleaned from an ICMP dest-unreachable request? Are you able to map my entire network using this technique? Enumeration only? Is there a vulnerability out there using this technique?

-Toby Penn

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
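The manual check described in the post (was there any outbound packet that this dest-unreachable answers?) can be automated, because an ICMP type 3 message quotes the IP header and first 8 bytes of the datagram it refers to (RFC 792). The following is an added example, not part of the original post; the flow table, function names and addresses are constructed assumptions, and checksums are not validated.

```python
import ipaddress
import struct

def quoted_flow(icmp: bytes):
    """Return (proto, src, sport, dst, dport) quoted in an ICMP type 3 message, else None."""
    if len(icmp) < 28 or icmp[0] != 3:          # 8-byte ICMP header + 20-byte IP header
        return None
    inner = icmp[8:]                            # skip type, code, checksum, unused word
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        return None
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport = dport = None
    if proto in (6, 17) and len(inner) >= ihl + 4:   # TCP/UDP ports sit in the quoted 8 bytes
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return proto, src, sport, dst, dport

def triage(messages, outbound):
    """Label each message by whether its quoted flow exists in the outbound flow table."""
    labels = []
    for msg in messages:
        flow = quoted_flow(msg)
        if flow is None:
            labels.append("unparsed")
        else:
            labels.append("solicited" if flow in outbound else "unsolicited")
    return labels

def build_unreachable(code, proto, src, sport, dst, dport):
    """Construct a sample type 3 message (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + struct.pack("!HHI", sport, dport, 0)

# Constructed data: flows the firewall logged leaving the network (documentation addresses).
OUTBOUND = {(6, "192.0.2.10", 40000, "198.51.100.5", 443)}
SAMPLES = [
    build_unreachable(1, 6, "192.0.2.10", 40000, "198.51.100.5", 443),  # answers a real flow
    build_unreachable(1, 6, "192.0.2.10", 1234, "203.0.113.9", 80),     # nothing we ever sent
    b"\x03\x01",                                                        # truncated message
]

if __name__ == "__main__":
    for label in triage(SAMPLES, OUTBOUND):
        print(label)
```

An "unsolicited" result means the quoted header names a flow the firewall never saw leave, which is the condition the post describes.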
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 20:10:55 PDT