Firewall Wizards mailing list archives
RE: big ICMP size
From: "Ofir Arkin" <ofir () itcon-ltd com>
Date: Wed, 4 Oct 2000 12:03:32 +0200
Okie Dokie.
This kind of behavior is similar to the behavior both HP-UX 10.30, 11.0x and
AIX 4.3.x produce after
a host tries to communicate with machines running these operating systems.
It is a Path MTU Discovery process based on ICMP ECHO Requests.
Host -> Target (Running HP-UX 10.30/11.0x or AIX 4.3.x)
How does it work?
A. A host tries to communicate with one of those systems.
B. In parallel (to answering the host) the targeted machine issues an ICMP
Echo Request with its maximum MTU, and the DF bit set.
C. If, along the way from the targeted machine to the initiator, the MTU
allowed is less than the one used, a router
will issue an ICMP Error Message - Destination Unreachable, because
fragmentation was needed and the DF bit was set
(not allowing the fragmentation).
D. The HPUX/AIX machine (which is now a prober) will use an MTU less than
the one used with the previous attempt, and initiate another
ICMP ECHO Request. This process will continue until an ICMP ECHO Reply
is received from the Host (originally initiating the initial traffic).
You are claiming that you are receiving this behavior from a number of sites
in a distributed manner.
Identifier equals (0), and the Sequence Number is zero (0) which means this
is the first ICMP Echo request sent.
What you need to check is whether you communicated with all those hosts
which pinged you - first.
Then it could explain why you received such traffic.
If not, then someone is using this to mimic a behavior.
If you are interested in a tool which can do so, then you can use ping:
[root@aik /root]# ping -s 1500 x.x.x.x
PING x.x.x.x (x.x.x.x) from y.y.y.y : 1500(1528) bytes of data.
1508 bytes from x.x.x.x: icmp_seq=0 ttl=241 time=1034.7 ms
1508 bytes from host_address (x.x.x.x): icmp_seq=2 ttl=241 time=1020.0 ms
1508 bytes from host_address (x.x.x.x): icmp_seq=3 ttl=241 time=1090.4 ms
1508 bytes from host_address (x.x.x.x): icmp_seq=5 ttl=241 time=1060.0 ms
--- x.x.x.x ping statistics ---
8 packets transmitted, 5 packets received, 37% packet loss
round-trip min/avg/max = 1000.2/1041.0/1090.4 ms
[root@aik /root]#
Or you can use SING - http://www.sourceforge.net/projects/sing
If you can provide more information about the other requests it may help.
Ofir Arkin [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com
Personal Web page: http://www.sys-security.com
"Opinions expressed do not necessarily
represent the views of my employer."
-----Original Message-----
From: firewall-wizards-admin () nfr net
[mailto:firewall-wizards-admin () nfr net]On Behalf Of bugiu
Sent: Tuesday, October 03, 2000 1:30 AM
To: firewall-wizards () nfr net
Subject: [fw-wiz] big ICMP size
Hi admins,
I have a distributed source attack with ICMP type 8 packets, size=1500 and
flag don't fragment (DF) set, from a number of 8-10 sites.
The default policy discards these requests, but before contacting the
admins of these sites, do you know any similar reports or modified binary
that generates this type of traffic?
here is a log extract of this activity :
-----------------------////////
Sep 21 11:00:20 iplist kernel: Packet log: input DENY eth0 PROTO=1
SS.SS.SS.SS:8 193.230.133.6:0 L=1500 S=0x00 I=36059 F=0x4000 T=233
-------------------------///////
11:38:03.748034 212.206.88.45 > bamse.osim.ro: icmp: echo request (DF)
(ttl 234, id 3266)
4500 05dc 0cc2 4000 ea01 0a76 SSSS SSSS
c1e6 8506 0800 f7ff 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000
any ideas would be appreciated
gabi jipa
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
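The quoted tcpdump hex dump decoded into the fields Ofir walks through (echo request, DF bit, 1500-byte length, identifier and sequence number both zero). This is an added example, not code from the thread; the masked source address "SSSS SSSS" is replaced with the placeholder 192.0.2.1, and the uncaptured remainder of the echo payload is assumed to be zeros when the ICMP checksum is rechecked.

```python
import struct

# Constructed from the hex dump quoted in the thread. The masked source
# address "SSSS SSSS" is replaced with the placeholder 192.0.2.1 (c000 0201).
HEXDUMP = """
4500 05dc 0cc2 4000 ea01 0a76 c000 0201
c1e6 8506 0800 f7ff 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000
"""

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_echo_probe(hexdump: str) -> dict:
    """Decode the IPv4 and ICMP headers of a tcpdump hex dump and report the
    fields discussed in the thread: type, DF flag, length, identifier, sequence."""
    raw = bytes.fromhex("".join(hexdump.split()))
    ver_ihl, _tos, total_len, ip_id, frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    icmp = raw[ihl:]
    itype, code, _icsum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    # tcpdump captured only the first bytes of the 1500-byte datagram; the
    # rest of the echo payload is assumed to be zeros when rechecking the sum.
    padded = icmp + b"\x00" * (total_len - ihl - len(icmp))
    return {
        "total_length": total_len,
        "ip_id": ip_id,
        "df": bool(frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "icmp_type": itype,
        "icmp_code": code,
        "identifier": ident,
        "sequence": seq,
        "icmp_checksum_ok": inet_checksum(padded) == 0,
    }

if __name__ == "__main__":
    for key, value in parse_echo_probe(HEXDUMP).items():
        print(f"{key:>17}: {value}")
```

The decoded ttl (234) and id (3266) match the tcpdump summary line above, and identifier 0 / sequence 0 is the first probe of the Path MTU Discovery sequence the reply describes.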