Jose:

See: http://sys-security.com/archive/securityfocus/icmptools.html

Ofir Arkin (who seems to hang out a lot on the snort list..) has quite a bit to say about ICMP usage for nefarious purposes. The description of his web site/business is: "Sys-Security.com is a web site dedicated to computer security research. It is the home of the "ICMP Usage In Scanning" research project."

Also, snort seems to offer more information about the original packet payload; here's a sample from a thread ( http://www.incidents.org/archives/intrusions/msg01716.html ) that turned out to be an example of backscatter: forged "source" IP addresses that were originating in a DoS against an ISP in India back in September...

> Sep 14 19:14:55 greatwall kernel: Packet log: input ACCEPT ppp0 PROTO=1
> 208.51.243.18:3 12.82.133.214:1 L=56 S=0x00 I=0 F=0x0000 T=242 (#49)
>
> 09/14-19:14:55.316850 208.51.243.18 -> 12.82.133.214
> ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
> Type:3 Code:1 DESTINATION UNREACHABLE: HOST UNREACHABLE
>
> ** ORIGINAL DATAGRAM DUMP:
> 12.82.133.214:38844 -> 202.46.194.5:16925
> TCP TTL:233 TOS:0x8 ID:40770 IpLen:20 DgmLen:40
> Seq: 0x81079A10 Ack: 0xB3444000
> ** END OF DUMP
> 00 00 00 00 45 08 00 28 9F 42 40 00 E9 06 D4 28 ....E..(.B@....(
> 0C 52 85 D6 CA 2E C2 05 97 BC 42 1D 81 07 9A 10 .R........B.....
>

(hmm.. Actually this is both ipchains and snort.)

The point here is that the "ORIGINAL DATAGRAM DUMP" is forged. My firewall (allegedly at "12.82.133.214") *never* sends out TCP packets on port 38844...

Do you have any comparable detail for the packets you're seeing?

- John

Jose Carlos Faial wrote:

> Hi all,
>
> This morning I started receiving a lot of ICMP packets from a host,
> apparently in China (if the source address was not spoofed). The first
> packet was:
>
> [2001-10-31 11:52:25] ICMP Destination Unreachable (Port Unreachable)
> IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
> hlen=5 TOS=192 dlen=56 ID=37607 flags=0 offset=0 TTL=235 chksum=27228
> ICMP: type=Destination Unreachable code=Port Unreachable
> checksum=39472 id= seq=
> Payload: length = 32
> 000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF ....E..N....h...
> 010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80 ..#<..?......:a.
>
> followed by thousands of packets like this:
>
> [2001-10-31 12:42:10] ICMP Time-To-Live Exceeded in Transit
> IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
> hlen=5 TOS=192 dlen=56 ID=49325 flags=0 offset=0 TTL=235 chksum=15510
> ICMP: type=Time Exceeded code=0
> checksum=48251 id= seq=
> Payload: length = 32
> 000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13 ....E..tJ.......
> 010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E ..#<..?......`6.
>
> I know that this can be just legitimate ICMP traffic, but I have a bad
> feeling about this activity. I am sure that the target machine never
> tried to connect to or to send any kind of packet to the 203.193.63.9
> machine, so ICMP Time-To-Live would not be expected. They are
> "unsolicited" packets.
>
> My question is "Can a hacker forge an ICMP packet to bypass the firewall
> and use its payload (payload data is different for each packet received)
> to send data to a trojan (listening for ICMP traffic on the target
> machine)?"
>
> Thanks to all.
>
> faial
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
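The following is an added example, not code from John's or Jose's posts. It decodes the "ORIGINAL DATAGRAM" that an ICMP error quotes (RFC 792: four unused bytes, then the offending IP header, then at least the first 8 bytes of its transport header) directly from the hex dumps posted above, and then applies John's test mechanically: is the quoted source address ours at all, and if so, did this host ever send that flow? The dumps are the ones in the thread; the local address 12.82.133.214 standing in for John's firewall and the table of flows "we actually sent" are constructed assumptions for the demonstration.

```python
"""Decode the datagram quoted inside an ICMP error and decide whether this
host could have sent it.  Added example for the thread above, not code from
the original posts.  The hex dumps are the ones posted in the thread; the
local address and the outbound-flow table are constructed for illustration.
"""
import re
import socket
import struct
from dataclasses import dataclass

# Payload dumps exactly as posted (ipchains/snort "Payload" output).
JOHN_DUMP = [
    "00 00 00 00 45 08 00 28 9F 42 40 00 E9 06 D4 28 ....E..(.B@....(",
    "0C 52 85 D6 CA 2E C2 05 97 BC 42 1D 81 07 9A 10 .R........B.....",
]
FAIAL_PORT_UNREACH = [
    "000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF ....E..N....h...",
    "010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80 ..#<..?......:a.",
]
FAIAL_TTL_EXCEEDED = [
    "000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13 ....E..tJ.......",
    "010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E ..#<..?......`6.",
]

_OFFSET_PREFIX = re.compile(r"^\s*[0-9A-Fa-f]{3,8}\s*:\s*")   # snort's "000 : "
_HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def hexdump_to_bytes(lines):
    """Turn dump lines (optional offset, hex bytes, ASCII column) into bytes.
    The ASCII column is dropped at the first token that is not two hex digits."""
    out = bytearray()
    for line in lines:
        for tok in _OFFSET_PREFIX.sub("", line, count=1).split():
            if not _HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


@dataclass(frozen=True)
class QuotedDatagram:
    tos: int
    total_len: int
    ip_id: int
    dont_fragment: bool
    ttl: int
    proto: int          # 6 = TCP, 17 = UDP
    src: str
    dst: str
    sport: int
    dport: int
    l4_tail: bytes      # bytes 4..7 of the transport header: TCP seq, or UDP len+csum


def parse_icmp_error_payload(payload: bytes) -> QuotedDatagram:
    """payload = everything after the 4-byte ICMP type/code/checksum header,
    which is what the dumps above show.  RFC 792 errors carry 4 unused bytes,
    the offending IP header, then at least 8 bytes of its transport header."""
    if len(payload) < 4 + 20 + 8:
        raise ValueError("payload too short to quote an IP header plus 8 bytes")
    inner = payload[4:]
    (vihl, tos, tlen, ipid, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted datagram is not a complete IPv4 header + 8 bytes")
    l4 = inner[ihl:ihl + 8]
    sport, dport = struct.unpack("!HH", l4[:4])
    return QuotedDatagram(tos, tlen, ipid, bool(frag & 0x4000), ttl, proto,
                          socket.inet_ntoa(src), socket.inet_ntoa(dst),
                          sport, dport, l4[4:])


def triage(q: QuotedDatagram, my_addrs, sent_flows) -> str:
    """John's test, applied mechanically: did we ever send the quoted datagram?
    my_addrs: this host's addresses.  sent_flows: (proto, src, sport, dst, dport)
    tuples taken from our own outbound logs.  Returns 'not-ours' (quoted source
    is not even our address), 'legitimate' (we sent that flow), or 'backscatter'
    (quoted source is ours, but no such flow ever left this host)."""
    if q.src not in my_addrs:
        return "not-ours"
    if (q.proto, q.src, q.sport, q.dst, q.dport) in sent_flows:
        return "legitimate"
    return "backscatter"


if __name__ == "__main__":
    me = {"12.82.133.214"}      # constructed: John's firewall address
    sent = set()                # constructed: nothing in the outbound-flow table
    for name, dump in [("John", JOHN_DUMP), ("Faial #1", FAIAL_PORT_UNREACH),
                       ("Faial #2", FAIAL_TTL_EXCEEDED)]:
        q = parse_icmp_error_payload(hexdump_to_bytes(dump))
        print(f"{name}: {q.src}:{q.sport} -> {q.dst}:{q.dport} proto={q.proto} "
              f"ttl={q.ttl} id={q.ip_id} tos=0x{q.tos:x} => {triage(q, me, sent)}")
```

Run stand-alone it reproduces the fields snort printed for John's packet (12.82.133.214:38844 -> 202.46.194.5:16925, TTL 233, ID 40770) and labels it backscatter because the outbound-flow table has no such connection; in practice that table comes from your own firewall or netflow logs, which is the "comparable detail" John asks for. For Jose's two dumps the quoted source decodes to 163.186.35.60, so the verdict depends on whether that is the anonymized target: if it is not, the ICMP error is not even pretending to be a reply to this host.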
This archive was generated by hypermail 2b30 : Wed Oct 31 2001 - 21:37:49 PST