Security Incidents: Re: Should I be concerned about?

[Blake Frantz <blake () mc net>]

I'd start by sniffing the port to determin if your host is/isn't sending
packets to any of the mentioned nets.  I appears you are already running
snort -- snort has the capability to parse the payload of Destination
Unreachable packets (the payload will be the header of the packet that
caused the destination unreachable packet:RFC 792).  In the example below
I ran snort 1.8.1 with the following command line:

"snort -D -c /usr/local/snort/conf/snort.conf -d -e -A full"

and got:

[**] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
10/30-10:16:08.150000 0:C0:7B:8E:22:85 -> 0:50:BA:85:72:FE type:0x800 len:0x46
x.x.x.x -> a.a.a.a ICMP TTL:244 TOS:0x0 ID:49661 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
x.x.x.x -> b.b.b.b ICMP TTL:232 TOS:0x6 ID:22452 IpLen:20 DgmLen:68
** END OF DUMP
(payload removed)

notice snort extracts the data from the payload (which I removed)

In the case of a port uncreachable message snort will show the port info
as well.

-Blake

On Wed, 31 Oct 2001, Jose Carlos Faial wrote:

> Hi all,
>
>       Today morning I start receiving a lot of ICMP packets from a host, 
> apparently in China (if the source address was not spoffed). The first 
> packet was:
>
> [2001-10-31 11:52:25]  ICMP Destination Unreachable (Port Unreachable)
> IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
> hlen=5 TOS=192 dlen=56 ID=37607 flags=0 offset=0 TTL=235 chksum=27228
> ICMP: type=Destination Unreachable code=Port Unreachable
> checksum=39472 id= seq=
> Payload:  length = 32
> 000 : 00 00 00 00 45 00 00 4E F2 FE 00 00 68 11 8D DF   ....E..N....h...
> 010 : A3 BA 23 3C CB C1 3F 09 00 89 00 89 00 3A 61 80   ..#<..?......:a.
>
>       following thousands of packets like this:
>
> [2001-10-31 12:42:10]  ICMP Time-To-Live Exceeded in Transit
> IPv4: 203.193.63.9 -> XXX.XXX.XXX.XXX
> hlen=5 TOS=192 dlen=56 ID=49325 flags=0 offset=0 TTL=235 chksum=15510
> ICMP: type=Time Exceeded code=0
> checksum=48251 id= seq=
> Payload:  length = 32
> 000 : 00 00 00 00 45 00 00 74 4A A4 00 00 01 11 9D 13   ....E..tJ.......
> 010 : A3 BA 23 3C CB C1 3F 0A 01 03 01 03 00 60 36 1E   ..#<..?......`6.
>
> I know that this can be just legitimate ICMP traffic, but I have a bad 
> felling about this activity. I am sure that the target machine never tried 
> to connect to or to send any kind of packet to the 203.193.63.9 machine, so 
> ICMP Time-To-Live would not be expected. They are "unsolicited" packets.
>
> My question is "Can a hacker forge an ICMP packet to bypass the firewall 
> and use its payload (payload data is different for each packet received) to 
> send data to a trojan (listening for ICMP traffic on the target machine)? "
>
> Thanks to all.
>
> faial 
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com