Re: Should I be concerned about?

From: John Sage (jsageat_private)
Date: Wed Oct 31 2001 - 19:21:32 PST


Jose:

See:

http://sys-security.com/archive/securityfocus/icmptools.html

Ofir Arkin (who seems to hang out a lot on the snort list..) has quite a 
bit to say about icmp usage for nefarious purposes.

The description of his web site/business is:

"Sys-Security.com is a web site dedicated to computer security research. 
It is the home of the "ICMP Usage In Scanning" research project."


Also, snort seems to offer more information about the original packet 
payload; here's a sample from a thread ( 
http://www.incidents.org/archives/intrusions/msg01716.html )
that turned out to be an example of backscatter: forged "source" IP 
addresses that were originating in a DoS against an ISP in India back in 
September...


> Sep 14 19:14:55 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=1
>   208.51.243.18:3 12.82.133.214:1 L=56 S=0x00 I=0 F=0x0000 T=242 (#49)
> 
> 09/14-19:14:55.316850 208.51.243.18 -> 12.82.133.214
> ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
> Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
> 
> ** ORIGINAL DATAGRAM DUMP:
> 12.82.133.214:38844 -> 202.46.194.5:16925
> TCP TTL:233 TOS:0x8 ID:40770 IpLen:20 DgmLen:40
> Seq: 0x81079A10  Ack: 0xB3444000
> ** END OF DUMP
> 00 00 00 00 45 08 00 28 9F 42 40 00 E9 06 D4 28  ....E..(.B@....(
> 0C 52 85 D6 CA 2E C2 05 97 BC 42 1D 81 07 9A 10  .R........B.....
> 

(hmm.. Actually this is both ipchains and snort.) The point here is that 
the "ORIGINAL DATAGRAM DUMP" is forged. My firewall (allegedly at 
"12.82.133.214") *never* sends out tcp packets on port 38844...

Do you have any comparable detail for the packets you're seeing?

- John



Jose Carlos Faial wrote:

> Hi all,
> 
>     This morning I started receiving a lot of ICMP packets from a host, 
> apparently in China (if the source address was not spoofed). The first 
> packet was:
> 
> [2001-10-31 11:52:25]  ICMP Destination Unreachable (Port Unreachable)
> IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
> hlen=5 TOS=192 dlen=56 ID=37607 flags=0 offset=0 TTL=235 chksum=27228
> ICMP: type=Destination Unreachable code=Port Unreachable
> checksum=39472 id= seq=
> Payload:  length = 32
> 000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF   ....E..N....h...
> 010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80   ..#<..?......:a.
> 
>     followed by thousands of packets like this:
> 
> [2001-10-31 12:42:10]  ICMP Time-To-Live Exceeded in Transit
> IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
> hlen=5 TOS=192 dlen=56 ID=49325 flags=0 offset=0 TTL=235 chksum=15510
> ICMP: type=Time Exceeded code=0
> checksum=48251 id= seq=
> Payload:  length = 32
> 000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13   ....E..tJ.......
> 010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E   ..#<..?......`6.
> 
> I know that this can be just legitimate ICMP traffic, but I have a bad 
> feeling about this activity. I am sure that the target machine never 
> tried to connect to or to send any kind of packet to the 203.193.63.9 
> machine, so ICMP Time-To-Live would not be expected. They are 
> "unsolicited" packets.
> 
> My question is "Can a hacker forge an ICMP packet to bypass the firewall 
> and use its payload (payload data is different for each packet received) 
> to send data to a trojan (listening for ICMP traffic on the target 
> machine)? "
> 
> Thanks to all.
> 
> faial
> 

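Both dumps in this thread carry the same thing after the four unused bytes: the IP header of the datagram that supposedly triggered the error plus the first eight bytes of its transport header. The check John does by eye (his firewall never sent TCP from port 38844) can be done mechanically by decoding that quoted header and looking it up in the outbound flows the firewall actually logged. The following is an added example written for this archive page, not code from either poster; it decodes the hex dump John quoted from the intrusions thread and, for the UDP path, a constructed dump (192.0.2.x addresses, zero checksum). The outbound-flow table is also constructed for the example; on a real host it would come from the firewall or connection-tracking log.

```python
"""Decode the original datagram quoted inside an ICMP error and check it
against outbound flows we actually sent (added example, not the thread's code)."""
import struct
from ipaddress import IPv4Address

# Hex dump quoted by John Sage from the intrusions thread (type 3 code 1,
# backscatter of a forged TCP packet "from" 12.82.133.214:38844).
JOHNS_DUMP = (
    "00 00 00 00 45 08 00 28 9F 42 40 00 E9 06 D4 28"
    "0C 52 85 D6 CA 2E C2 05 97 BC 42 1D 81 07 9A 10"
)

# Constructed UDP case for the example: 192.0.2.1:1234 -> 192.0.2.2:53,
# IP and UDP checksums left as zero, not a capture from the thread.
CONSTRUCTED_UDP_DUMP = (
    "00 00 00 00 45 00 00 3C 12 34 00 00 40 11 00 00"
    "C0 00 02 01 C0 00 02 02 04 D2 00 35 00 28 00 00"
)

# Constructed outbound-flow table: (proto, sport, dst, dport) tuples as a
# firewall log would provide them. Only the UDP query is recorded here.
SENT_FLOWS = {("UDP", 1234, "192.0.2.2", 53)}


def parse_icmp_error_payload(hex_dump: str) -> dict:
    """Decode the quoted inner datagram: 4 unused bytes, embedded IPv4 header,
    first 8 bytes of the embedded transport header (RFC 792 layout)."""
    data = bytes.fromhex(hex_dump)
    if len(data) < 4 + 20 + 8:
        raise ValueError("need at least 32 bytes of ICMP error payload")
    inner = data[4:]  # skip the unused/pointer word of the ICMP error
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("embedded header is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    transport = inner[ihl:ihl + 8]
    info = {
        "tos": tos, "total_length": total_len, "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000), "ttl": ttl, "proto": proto,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
    }
    if proto == 6 and len(transport) >= 8:      # TCP: ports + sequence number
        sport, dport, seq = struct.unpack("!HHI", transport)
        info.update(proto_name="TCP", sport=sport, dport=dport, seq=seq)
    elif proto == 17 and len(transport) >= 8:   # UDP: ports, length, checksum
        sport, dport, ulen, _ucksum = struct.unpack("!HHHH", transport)
        info.update(proto_name="UDP", sport=sport, dport=dport, udp_length=ulen)
    else:
        info.update(proto_name=f"proto-{proto}")
    return info


def unsolicited(info: dict, our_addr: str, sent_flows: set) -> list:
    """Return the reasons an ICMP error looks unsolicited; an empty list means
    the quoted datagram matches something we really sent."""
    reasons = []
    if info["src"] != our_addr:
        reasons.append(f"embedded source {info['src']} is not our address")
    key = (info["proto_name"], info.get("sport"), info["dst"], info.get("dport"))
    if key not in sent_flows:
        reasons.append(f"no outbound {key[0]} flow from port {key[1]} "
                       f"to {key[2]}:{key[3]} was logged")
    return reasons


if __name__ == "__main__":
    for label, dump, addr in (("John's dump", JOHNS_DUMP, "12.82.133.214"),
                              ("constructed UDP", CONSTRUCTED_UDP_DUMP, "192.0.2.1")):
        decoded = parse_icmp_error_payload(dump)
        print(label, decoded)
        print("  verdict:", unsolicited(decoded, addr, SENT_FLOWS) or "consistent with a sent flow")
```

Run against John's dump it recovers exactly the fields snort printed (12.82.133.214:38844 -> 202.46.194.5:16925, TTL 233, ID 40770, Seq 0x81079A10) and flags the error because no such outbound flow exists; the constructed UDP case matches its recorded flow and is reported as consistent. The lookup only proves the quoted datagram was never sent from this host, which is the backscatter signature John describes; it says nothing about what the varying payload bytes might be used for, so the per-packet payload still deserves a look when the embedded header is itself implausible.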



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



This archive was generated by hypermail 2b30 : Wed Oct 31 2001 - 21:37:49 PST