-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In message <200010051350.JAA09245_at_obelix.dgrc.crc.ca>, Donald McLachlan writes:
>As you say the ICMP message includes the IP header of the packet which could
>not be delivered.
>3) Look at the IP header of the included packet. If the TTL is close to
> (within 1 or 2 of) one of the default initial TTLs (255, 128, 64, 32)
> you can be pretty sure that the host spoofing your addresses is behind
> that border router.
There's a simpler and better indicator: check to see if the source
of the ICMP packet is between the destination of the ICMP packet and
the `unreachable' host. If this isn't the case, it's a pretty good
bet that the actual origin of the original traffic is behind the ICMP source.
>P.S. Now that I've said how we can detect them, I bet they modify the
> stimulus packets. :-(
It seems unlikely. There are much more brittle testing criteria which
are much better documented and widely used---i.e., snort signature
collections. Although most of these (signatures in general, not snort's
in particular) are fairly trivially defeatable, the tools don't seem
to mutate very frequently[0].
- -Steve
- -----
0 Compared to, for example, virii.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE54iIOG3kIaxeRZl8RAk7mAKD8E5l+l9guuRORYSPVbfLZDb9c8wCfT2ud
H5f0eBUle0tCU0fvpHs4RKk=
=yO58
-----END PGP SIGNATURE-----
Received on Oct 10 2000
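The two heuristics discussed in this thread, the quoted TTL check and Steve's path check, as a worked example added here (not code from either poster). It parses an ICMP Destination Unreachable message, pulls out the embedded IP header, and reports (a) whether the embedded TTL sits within a hop or two of a default initial TTL and (b) whether the ICMP source lies on the known path from the spoofed address to the unreachable host. The packet bytes, the RFC 5737 documentation addresses, and the hop list standing in for a traceroute are all constructed for the example; a real deployment would feed in captured backscatter and the operator's own path data.

```python
import struct
import ipaddress

# Default initial TTLs named in the thread; stacks differ, so treat as a hint.
DEFAULT_TTLS = (255, 128, 64, 32)
IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte part of an IPv4 header


def parse_ipv4_header(buf: bytes, offset: int = 0) -> dict:
    """Parse the fixed 20-byte IPv4 header at buf[offset:]; options are skipped via IHL."""
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack_from(
        IPV4_HDR, buf, offset)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {"ihl": ihl, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}


def parse_icmp_unreachable(pkt: bytes) -> dict:
    """Return the outer header, the embedded (quoted) IP header and the ICMP code."""
    outer = parse_ipv4_header(pkt)
    if outer["proto"] != 1:
        raise ValueError("not ICMP")
    icmp_off = outer["ihl"]
    icmp_type, icmp_code = struct.unpack_from("!BB", pkt, icmp_off)
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message")
    inner = parse_ipv4_header(pkt, icmp_off + 8)      # 8-byte ICMP header precedes the quote
    if inner["src"] != outer["dst"]:
        raise ValueError("ICMP is not addressed to the quoted packet's source")
    return {"outer": outer, "inner": inner, "code": icmp_code}


def ttl_hint(inner_ttl: int, slack: int = 2):
    """Quoted heuristic: which default initial TTL, if any, is within `slack` hops above the seen TTL."""
    for initial in DEFAULT_TTLS:
        if 0 <= initial - inner_ttl <= slack:
            return initial
    return None


def assess(pkt: bytes, path_to_unreachable: list) -> dict:
    """Combine both heuristics; path_to_unreachable is the operator's known hop list
    from the (spoofed) address to the unreachable host."""
    parsed = parse_icmp_unreachable(pkt)
    outer, inner = parsed["outer"], parsed["inner"]
    on_path = outer["src"] in path_to_unreachable      # Steve's check
    hint = ttl_hint(inner["ttl"])                      # Donald's check
    return {
        "icmp_source": outer["src"],
        "spoofed_source": inner["src"],
        "unreachable_host": inner["dst"],
        "inner_ttl": inner["ttl"],
        "ttl_hint": hint,
        "hops_from_icmp_source": (hint - inner["ttl"]) if hint is not None else None,
        "icmp_source_on_path": on_path,
        # If the reporting router is not on our path to the target, we did not send it.
        "origin_likely_behind_icmp_source": not on_path,
    }


def build_sample_packet() -> bytes:
    """Constructed backscatter: router 192.0.2.1 reports that a TCP SYN 'from' us
    (198.51.100.7) could not reach 203.0.113.9; the quoted TTL is 254."""
    p = ipaddress.IPv4Address
    inner = struct.pack(IPV4_HDR, 0x45, 0, 40, 0x1234, 0x4000, 254, 6, 0,
                        p("198.51.100.7").packed, p("203.0.113.9").packed)
    inner += struct.pack("!HHI", 40123, 80, 0)         # first 8 bytes of the quoted TCP header
    icmp = struct.pack("!BBHI", 3, 1, 0, 0)             # type 3, code 1 (host unreachable)
    total = 20 + len(icmp) + len(inner)
    outer = struct.pack(IPV4_HDR, 0x45, 0, total, 0, 0, 64, 1, 0,
                        p("192.0.2.1").packed, p("198.51.100.7").packed)
    return outer + icmp + inner


# Constructed hop list from 198.51.100.7 to 203.0.113.9; 192.0.2.1 is not on it.
SAMPLE_PATH = ["198.51.100.1", "10.0.0.1", "10.0.1.1"]

if __name__ == "__main__":
    for k, v in assess(build_sample_packet(), SAMPLE_PATH).items():
        print(f"{k}: {v}")
```

Both checks are hints rather than proof: the TTL test only works when the origin's stack uses one of the listed defaults, and the path test depends on the operator actually knowing the forward path, which is why the thread treats them as triage aids rather than signatures.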