Re: Should I be concerned about?

From: Blake Frantz (blakeat_private)
Date: Wed Oct 31 2001 - 10:31:41 PST


    I'd start by sniffing the port to determine if your host is/isn't sending
    packets to any of the mentioned nets.  It appears you are already running
    snort -- snort has the capability to parse the payload of Destination
    Unreachable packets (the payload will be the header of the packet that
    caused the destination unreachable packet: RFC 792).  In the example below
    I ran snort 1.8.1 with the following command line:
    
    "snort -D -c /usr/local/snort/conf/snort.conf -d -e -A full"
    
    and got:
    
    [**] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
    10/30-10:16:08.150000 0:C0:7B:8E:22:85 -> 0:50:BA:85:72:FE type:0x800 len:0x46
    x.x.x.x -> a.a.a.a ICMP TTL:244 TOS:0x0 ID:49661 IpLen:20 DgmLen:56
    Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
    ** ORIGINAL DATAGRAM DUMP:
    x.x.x.x -> b.b.b.b ICMP TTL:232 TOS:0x6 ID:22452 IpLen:20 DgmLen:68
    ** END OF DUMP
    (payload removed)
    
    Notice that snort extracts the data from the payload (which I removed).
    
    In the case of a port unreachable message snort will show the port info
    as well.
    
    -Blake
    
    On Wed, 31 Oct 2001, Jose Carlos Faial wrote:
    
    > Hi all,
    > 
    > 	This morning I started receiving a lot of ICMP packets from a host, 
    > apparently in China (if the source address was not spoofed). The first 
    > packet was:
    > 
    > [2001-10-31 11:52:25]  ICMP Destination Unreachable (Port Unreachable)
    > IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
    > hlen=5 TOS=192 dlen=56 ID=37607 flags=0 offset=0 TTL=235 chksum=27228
    > ICMP: type=Destination Unreachable code=Port Unreachable
    > checksum=39472 id= seq=
    > Payload:  length = 32
    > 000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF   ....E..N....h...
    > 010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80   ..#<..?......:a.
    > 
    > 	followed by thousands of packets like this:
    > 
    > [2001-10-31 12:42:10]  ICMP Time-To-Live Exceeded in Transit
    > IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
    > hlen=5 TOS=192 dlen=56 ID=49325 flags=0 offset=0 TTL=235 chksum=15510
    > ICMP: type=Time Exceeded code=0
    > checksum=48251 id= seq=
    > Payload:  length = 32
    > 000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13   ....E..tJ.......
    > 010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E   ..#<..?......`6.
    > 
    > I know that this can be just legitimate ICMP traffic, but I have a bad 
    > feeling about this activity. I am sure that the target machine never tried 
    > to connect to or to send any kind of packet to the 203.193.63.9 machine, so 
    > ICMP Time-To-Live would not be expected. They are "unsolicited" packets.
    > 
    > My question is "Can a hacker forge an ICMP packet to bypass the firewall 
    > and use its payload (payload data is different for each packet received) to 
    > send data to a trojan (listening for ICMP traffic on the target machine)? "
    > 
    > Thanks to all.
    > 
    > faial 
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
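Blake's point about decoding the embedded header can be checked by hand against the two hex dumps quoted above. The following is an added example, not code from the post or from snort: it rebuilds the bytes from the quoted dump lines and decodes the inner IP and transport headers as RFC 792 lays them out. It assumes the leading four zero bytes of each dump are the unused field of the ICMP error header; the constant and function names are mine.

```python
import struct
from ipaddress import IPv4Address

# Hex dump lines exactly as quoted in the thread (offset, 16 bytes, ASCII column).
PORT_UNREACH_DUMP = """\
000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF   ....E..N....h...
010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80   ..#<..?......:a."""

TTL_EXCEEDED_DUMP = """\
000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13   ....E..tJ.......
010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E   ..#<..?......`6."""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'OFF : XX XX ...   ascii' lines back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split(":", 1)[1].split()[:16]  # drop offset, keep 16 hex bytes
        out.extend(bytes.fromhex("".join(tokens)))
    return bytes(out)


def parse_icmp_error_payload(payload: bytes) -> dict:
    """Decode the original datagram carried inside an ICMP type 3 / type 11 error.

    Assumption: payload[0:4] is the unused ICMP field, then the original IP
    header plus the first 8 bytes of its transport header (RFC 792).
    """
    inner = payload[4:]
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("embedded datagram is not a complete IPv4 header + 8 bytes")
    (_, _tos, total_len, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    info = {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "ttl": ttl, "id": ident, "total_len": total_len,
        "proto": PROTO_NAMES.get(proto, str(proto)),
    }
    transport = inner[ihl:ihl + 8]
    if proto in (6, 17):  # TCP and UDP both begin with source and destination port
        info["sport"], info["dport"] = struct.unpack("!HH", transport[:4])
    elif proto == 1:
        info["icmp_type"], info["icmp_code"] = transport[0], transport[1]
    return info


if __name__ == "__main__":
    for dump in (PORT_UNREACH_DUMP, TTL_EXCEEDED_DUMP):
        print(parse_icmp_error_payload(hexdump_to_bytes(dump)))
```

The decoded source and destination of the inner datagram are what to compare against the host's own outbound traffic: if that inner source is not yours, the error was not triggered by anything you sent.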



    This archive was generated by hypermail 2b30 : Wed Oct 31 2001 - 10:36:03 PST