Security Incidents mailing list archives
Re: Spoofed ICMP "destination unreachable" - DOS?
From: sreid () SEA-TO-SKY NET (Steve Reid)
Date: Sat, 27 May 2000 22:41:16 -0700
On Mon, May 22, 2000 at 04:46:52PM -0400, Ken Eichman wrote:
> In the past week I've seen at least 3 identical ICMP DOS attacks (?) involving 3 different ISPs. I'm not sure if they're attempted attacks, and if so, against my network or the ISP's.
It appears that the ISPs are being attacked, not you.
> In each incident, random and mostly unassigned IP addresses in our address range are the listed recipients of ICMP type 3 (destination unreachable) packets. The listed source address of the traffic has always been a router at an ISP.
I believe it is normal for routers to send ICMP "host unreachable" packets. They have to be sent by routers, if they are to be sent at all. They can't be sent from the unreachable hosts for obvious reasons.
> Here's a representative snoop of one of the packets - everything is actual info except for the addresses. 111.111.11.11 is the ISP's router, assumedly spoofed, and 222.222.222.2 is a local address.
>
> [snip]
> IP:   Source address = 111.111.11.111, 111.111.11.111
> IP:   Destination address = 222.222.222.2, 222.222.222.2
> [snip]
> ICMP: Type = 3 (Destination unreachable)
> ICMP: Code = 1 (Bad host)
> [snip]
> ICMP:IP:   Source address = 222.222.222.2, 222.222.222.2
> ICMP:IP:   Destination address = 333.333.33.333, 333.333.33.333
What's happening is someone is sending a packet claiming to be from 222.222.222.2, destined for 333.333.33.333. The address 333.333.33.333 is not reachable. The last router to handle the packet, 111.111.11.111, realizes it can't send the packet to the requested destination and returns an ICMP "host unreachable" packet back to the alleged source (222.222.222.2).

There are two packets being transmitted here: One, from the attacker claiming to be 222.222.222.2 to the victim ISP (333.333.33.333, but the packet can only get as far as 111.111.11.111). The second, a "host unreachable" from the victim ISP (111.111.11.111) back to the alleged source address (222.222.222.2). The second packets are what you are seeing.

What you are seeing is not an attack, but merely the responses to some of the useless packets that are bombarding the ISP. Most likely the attacker is off at some unknown address forging packets claiming to be from 222.222.222.2. The other possibility is that 222.222.222.2 is a compromised host participating in the attack against the 111.111.11.111/333.333.33.333 network; not likely if 222.222.222.2 is unassigned.
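The reasoning in the reply rests on one detail of the snoop: an ICMP destination-unreachable quotes the IP header of the packet it is reacting to, so the inner source/destination pair tells you what the forged packet looked like even though you never saw it. The following is an added example, not code from the list or from either poster, that parses such a packet the way a monitoring script would and applies the same triage: our address inside the quoted header plus a reporting router outside our network means backscatter, and whether the quoted source is an assigned host decides between "spoofed" and "possibly participating". The 111/222/333 placeholders are replaced with RFC 5737 documentation addresses (203.0.113.1 as the ISP router, 198.51.100.0/24 as our space, 192.0.2.77 as the unreachable target); the packet builder exists only to fabricate sample input offline.

```python
import struct
import ipaddress

# Constructed demo; addresses are RFC 5737 documentation ranges standing in
# for the list post's 111/222/333 placeholders.
ICMP_DEST_UNREACH = 3
ICMP_CODES = {0: "net unreachable", 1: "host unreachable",
              3: "port unreachable", 13: "admin prohibited"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with checksum, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_unreachable(router: str, forged_src: str, target: str, code: int = 1) -> bytes:
    """What the router emits: ICMP type 3 quoting the dropped packet's IP header
    plus its first 8 bytes (here a UDP header to port 53), sent to forged_src."""
    offending = build_ipv4(forged_src, target, 17, struct.pack("!HHHH", 40000, 53, 8, 0))
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + offending
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(router, forged_src, 1, icmp)


def classify(packet: bytes, our_net: str, assigned=()):
    """None unless packet is an ICMP destination-unreachable aimed into our_net;
    otherwise describe the forged packet it is a reaction to."""
    net = ipaddress.ip_network(our_net)
    if len(packet) < 20 or packet[9] != 1:          # protocol 1 = ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    router = ipaddress.IPv4Address(packet[12:16])   # who sent the ICMP
    victim = ipaddress.IPv4Address(packet[16:20])   # who received it (us)
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH or victim not in net:
        return None
    quoted = icmp[8:]                               # the dropped packet's header
    if len(quoted) < 20:
        return {"verdict": "truncated_quote", "reporting_router": str(router)}
    forged_src = ipaddress.IPv4Address(quoted[12:16])
    target = ipaddress.IPv4Address(quoted[16:20])
    if forged_src != victim:
        # an honest router quotes the packet it dropped and replies to its
        # source; a mismatch means the ICMP itself is bogus, not backscatter
        verdict = "inconsistent_quote"
    elif str(victim) in assigned:
        verdict = "backscatter_possible_participant"  # host exists: spoofed or compromised
    else:
        verdict = "backscatter_spoofed_source"        # nothing lives there: forged
    return {"verdict": verdict, "reporting_router": str(router),
            "forged_source": str(forged_src), "unreachable_target": str(target),
            "code": ICMP_CODES.get(icmp[1], "code %d" % icmp[1])}


def summarize(packets, our_net: str, assigned=()):
    """Count backscatter per (reporting router, unreachable target): one busy
    pair means one ISP is being flooded with packets forged from our space."""
    counts = {}
    for pkt in packets:
        r = classify(pkt, our_net, assigned)
        if r and r["verdict"].startswith("backscatter"):
            key = (r["reporting_router"], r["unreachable_target"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    ours, live = "198.51.100.0/24", {"198.51.100.10"}
    sample = [build_unreachable("203.0.113.1", "198.51.100.%d" % h, "192.0.2.77")
              for h in (2, 2, 140, 10, 201)]
    for p in sample:
        print(classify(p, ours, live))
    print(summarize(sample, ours, live))
```

Run against real captures the same logic applies to the raw IP payload of each frame; the point of keying the summary on the quoted destination rather than the outer source is that, as the reply notes, it is the ISP behind that destination that is being flooded, and the count per router is a rough measure of how much forged traffic is claiming your addresses.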