Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: ICMP Destination Unreachable Port Unreachable
From: "Adriel T. Desautels" <simon () snosoft com>
Date: Tue, 15 Aug 2006 20:22:41 -0400

Darren,
    My responses are below:

Darren Bounds wrote:
I'm confused about a couple things:

1) You say you knew the nature of the packet yet in your original message
you stated "Neither the source IP or the target IP have any ports
associated
with them in this event. Any ideas would be appreciated.".
I wasn't very clear was I, my apologies again. I understand that ICMP
packets
have no port per-sae. The ideas that I was interested in were with
regards to
the payload of the packets. In the same email I also mention that I
haven't looked
through this very extensively, I was crammed with other work. ;]

- The packet you dumped was an ICMP port unreachable. There will never
be a
port associated with an ICMP packet.
right.
- ICMP unreachable messages contain a payload with the IP header of the
packet generating the error and at least 64 bits (8 bytes) of original
data
datagram. There are ports associated with UDP and therefore inspection of
the embedded UDP packet tells you quite a bit. i.e. It was using ports
16229
and 2597 as source and destination.
Right, someone said the same thing earlier (maybe it was you). I've
taken the l
iberty of blocking "any" traffic going to all of the IP addresses which
are involved
in this particular incident. Likewise I've also blocked "any" traffic
for those IP
addresses going to the affected network. Yet, the traffic keeps coming
to the
affected network.

I did run a sniffer for a while and I saw no traffic leaving the
affected network
headed for the IP addresses in question, yet they continue to send traffic
back to the affected network.

The two IP addresses are in Amsterdam and they are still sending the ICMP
packets with the interesting payloads. I'm wondering if anyone can identify
what generated those payloads. Has anyone seen similar payloads before?

The two offending IP's are:

    81.99.46.113
 and
    82.246.252.214
 

2) You * out the first 3 octets of the destination IP address in the
event
but leave the IP address in the ICMP payload (70.91.131.49). Why? \
Force of habit. ;]



-- 

Thanks,
Darren Bounds

On 8/15/06, Adriel T. Desautels <simon () snosoft com> wrote:

Darren,
   I did notice what type of packet it was and I also know what the
packet signifies. The issue that I am having is that there has never
been any outbound UDP activity to the host that is replying to this
network. The payloads of the ICMP packets are a bit weird too,
containing either X'es or |'s or encoded strings. What I am trying to
figure out is if anyone here recognizes these types of payloads and
knows what could be generating them?

so just to be clear...

I want info about the payload not about ICMP!





-- 

Regards, 
    Adriel T. Desautels
    SNOsoft Research Team
    Office: 617-924-4510 || Mobile : 857-636-8882

    ----------------------------------------------
    Vulnerability Research and Exploit Development





BullGuard Anti-virus has scanned this e-mail and found it clean.
Try BullGuard for free: www.bullguard.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault