Re: Host Unreachable Scan

From: Ian Jones (ian@dsl081-056-052.dsl-isp.net)
Date: Thu Jul 19 2001 - 20:25:13 PDT

  • Next message: fuzzz: "RE: Jetdirect card Attack???"

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    > The interesting part is that there was a massive amount of destination
    > unreachable traffic coming into the network with NO originating
    > echo-request.  Let me rephrase...  I looked at one of the addresses that
    > was sending dest-unreachable packets... there was no originating or
    > corresponding echo-request to that IP address.  For that matter, there
    > was no traffic initiated on my side to that address whatsoever.
    > 
    > The question now becomes... what exposure does this give me?  What can be
    > gleaned from and ICMP dest-unreachable request?  Are you able to map my
    > entire network using this technique?  Enumeration only?  Is there a
    > vulnerability out there using this technique?
    
    It makes sense to assume that your IP address was used as a decoy in a scan
    using spoofed addresses. The target of the scan returned the error to the
    address that it thinks was the originator.
    
    An icmp error can't be used in a scan because a host/router is not supposed
    to respond to an ICMP error message.
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
    Comment: Making the world safe for geeks.
    
    iQA/AwUBO1eklsAVSpfzXItKEQI7OACgreMygmXqb6gVs3S2a3RqsVrTIQkAoJYg
    TQR3n2icRg772qnIHfAx7+v+
    =TRS2
    -----END PGP SIGNATURE-----
    
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 23:32:06 PDT