Full Disclosure mailing list archives

Re: Re: ICMP Destination Unreachable Port Unreachable

From: "Adriel T. Desautels" <simon () snosoft com>
Date: Wed, 16 Aug 2006 10:30:12 -0400

Also,
    I failed to mention that they came in bursts of 3 every 5 minutes on
the dot.

Adriel T. Desautels wrote:

Well,
    After over 100,000 alerts each with very different payloads the
traffic stopped. I do have a list of all of the dropped packets from my
firewall as well and it appears that it was hitting 3 IP addresses which
are public facing, not just one. The weird part, is that two of those
three aren't even live. So I think that this may have been noise from a
different attack...

    I'd be very interested in decoding the payloads for some of these.
Anyone here have any tools to do such a decode? I'd rather not do it
manual if at all possible.

Valdis.Kletnieks () vt edu wrote:

On Wed, 16 Aug 2006 12:33:13 BST, Barrie Dempster said:

Although the port 0 in this case is a red herring and irrelevant. Port 0
itself when used with TCP/UDP (not ICMP!) can actually be used on the
Internet. A while back I modified netcat and my linux kernel so that it would
allow usage of port 0 and was able to connect to a remote machine via TCP
with that port and communicate fine.

Of course, the poor security geek who see a TCP SYN from port 0 to port 0,
and then a SYN+ACK reply back, will be going WTF??!? for the rest of the day. :)

(Another good one to induce head-scratching is anything that does
RFC1644-style T/TCP.  Anytime you see a packet go by in one direction with
SYN/FIN *and* data, and the reply has SYN/ACK/FIN and data.. ;)
data on it... ;)
  
------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



-- 

Regards, 
    Adriel T. Desautels
    SNOsoft Research Team
    Office: 617-924-4510 || Mobile : 857-636-8882

    ----------------------------------------------
    Vulnerability Research and Exploit Development





BullGuard Anti-virus has scanned this e-mail and found it clean.
Try BullGuard for free: www.bullguard.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Re: ICMP Destination Unreachable Port Unreachable, (continued)
- - - Re: Re: ICMP Destination Unreachable Port Unreachable Dude VanWinkle (Aug 15)
    - Re: Re: ICMP Destination Unreachable Port Unreachable Darren Bounds (Aug 15)
    - Re: Re: ICMP Destination Unreachable Port Unreachable Scott Renna (Aug 15)
    - Re: Re: ICMP Destination Unreachable Port Unreachable Adriel T. Desautels (Aug 15)
    - Re: Re: ICMP Destination Unreachable Port Unreachable Valdis . Kletnieks (Aug 15)
    - Re: Re: ICMP Destination Unreachable Port Unreachable Adriel T. Desautels (Aug 15)
    - Re: Re: ICMP Destination Unreachable Port Unreachable Valdis . Kletnieks (Aug 15)
    - Re: Re: ICMP Destination Unreachable Port Unreachable Barrie Dempster (Aug 16)
    - Re: Re: ICMP Destination Unreachable Port Unreachable Valdis . Kletnieks (Aug 16)
    - Re: Re: ICMP Destination Unreachable Port Unreachable Adriel T. Desautels (Aug 16)
    - Re: Re: ICMP Destination Unreachable Port Unreachable Adriel T. Desautels (Aug 16)