Security Incidents mailing list archives
Re: RE: ICMP Parameter Problem packets to random addresses
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Wed, 20 Jun 2001 11:03:02 +1200 (NZST)
G'day Ofir,

On Tue, 19 Jun 2001 20:04:21 -0700 Ofir Arkin <ofir () sys-security com> wrote:

> Russell, This can also be a chain reaction for a decoy scan attempt using IPs from your network, when scanning the target 194.42.253.254
That I had not thought of, although in this case since the destination addresses seem to be random I doubt if these are caused by decoys. So far as I am aware most decoy scans use a fixed set of decoy addresses (well nmap does -- does anyone use anything else ;-)
> Eliciting an ICMP Parameter Problem from the targeted host is not so trivial. I have written about this in my research paper "ICMP Usage In Scanning" that can be downloaded from:
> http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.zip
> The file size is ~ 1.75mb when zipped
> http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.pdf
> The file size is ~ 5.39mb.

Yes, I am aware of your papers, but confess that I have not yet made the time to study them in the depth that they deserve. sigh...

> If you have the entire packet dump you can look and see what is the offending packet that caused the error. Its IP header and at least 8 bytes from the packet that caused the error should be echoed with the ICMP Error message. If not, this is forged.

I should have thought of looking at the packets in more detail myself, doh!
Tcpshow:

TIME:   05:01:36.750244 (03:35:35.878897)
IP:     194.42.253.254 -> 130.216.188.105 hlen=20 TOS=00 dgramlen=60 id=983D
        MF/DF=0/0 frag=0 TTL=232 proto=ICMP cksum=3B18
ICMP:   parameter-problem because IP-header-bad cksum=62C5
DATA:   ....F..H.......o...i..$..*..XrM`7...

tcpdump:

05:01:36.750244 194.42.253.254 > 130.216.188.105: icmp: parameter problem - octet 20
0x0000 4500 003c 983d 0000 e801 3b18 c22a fdfe E..<.=....;..*..
0x0010 82d8 bc69 0c00 62c5 1400 0000 46d6 0048 ...i..b.....F..H
0x0020 bb96 0000 cecc b76f 82d8 bc69 c0a8 2404 .......o...i..$.
0x0030 9f2a b3f4 5872 4d60 37d3 9f94 .*..XrM`7...
Hmmm... so it is complaining that the original packets had an invalid checksum. Decoding the 'data' gives original destination address 192.168.36.4 and source of 130.216.165.85. The rest of the data in the header seems to be garbage. Examining other packets in the stream yields similar results; the only constants are that the original source address is in 130.216/16 and the original destination is 192.168.36.4. The rest of the header varies randomly.

It would appear that 194.42.253.254 (which is probably a router) is receiving a stream of packets with random garbage headers which are addressed to 192.168.36.4.

I have appended tcpdump of a few more packets to show the random nature of the original headers.
Cheers, Russell.
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
01:26:00.871347 194.42.253.254 > 130.216.33.79: icmp: parameter problem - octet 20
0x0000 4500 004c 4024 0000 e801 2e3c c22a fdfe E..L@$.....<.*..
0x0010 82d8 214f 0c00 7519 1400 0000 4ab5 047d ..!O..u.....J..}
0x0020 eff9 0000 0bad e73c 82d8 214f c0a8 240d .......<..!O..$.
0x0030 c169 dd5f 2f6e 6fca 5739 9d86 aac4 9253 .i._/no.W9.....S
0x0040 a1ec 3345 0585 fab8 0ab0 5ff8 ..3E......_.
05:01:36.750244 194.42.253.254 > 130.216.188.105: icmp: parameter problem - octet 20
0x0000 4500 003c 983d 0000 e801 3b18 c22a fdfe E..<.=....;..*..
0x0010 82d8 bc69 0c00 62c5 1400 0000 46d6 0048 ...i..b.....F..H
0x0020 bb96 0000 cecc b76f 82d8 bc69 c0a8 2404 .......o...i..$.
0x0030 9f2a b3f4 5872 4d60 37d3 9f94 .*..XrM`7...
05:02:15.317992 194.42.253.254 > 130.216.37.113: icmp: parameter problem - octet 20
0x0000 4500 0044 cbb9 0000 e801 9e8c c22a fdfe E..D.........*..
0x0010 82d8 2571 0c00 eb03 1400 0000 4873 04ad ..%q........Hs..
0x0020 d361 0000 9b54 a99a 82d8 2571 c0a8 2404 .a...T....%q..$.
0x0030 c521 b936 40ea 4d4d 7139 8fce a14f 8cdb .!.6@.MMq9...O..
0x0040 7d7c 4954 }|IT
05:04:04.299488 194.42.253.254 > 130.216.57.94: icmp: parameter problem - octet 20
0x0000 4500 0054 69d4 0000 e801 ec74 c22a fdfe E..Ti......t.*..
0x0010 82d8 395e 0c00 f1bb 1400 0000 4cbb 043d ..9^........L..=
0x0020 87d5 0000 3522 b43e 82d8 395e c0a8 2404 ....5".>..9^..$.
0x0030 9c57 245e 5d7d 9159 de58 789f 67cb 2bdd .W$^]}.Y.Xx.g.+.
0x0040 68c0 7668 99ac 9e4b 8a8e 6110 0fcd 4901 h.vh...K..a...I.
0x0050 5069 450c PiE.
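The decoding step discussed in this thread, as an added example that is not part of the post: a small Python decoder that takes the bytes of the first packet dumped above, walks the outer IP header, the ICMP header and the quoted inner header, recovers the original source and destination, locates the octet the Parameter Problem pointer refers to, and applies Ofir's test that a genuine error echoes the original header plus at least 8 bytes. The checksum verification and the `looks_forged` heuristic are assumptions added here, not something the post states.

```python
import struct
from ipaddress import IPv4Address

# Bytes of the first ICMP packet quoted in the post, reassembled from its tcpdump hex dump.
PARAM_PROBLEM_PKT = bytes.fromhex(
    "4500003c983d0000e8013b18c22afdfe82d8bc69"   # outer IPv4 header (20 bytes)
    "0c0062c514000000"                           # ICMP type 12, code 0, cksum, pointer=20, unused
    "46d60048bb960000ceccb76f82d8bc69c0a82404"   # quoted inner IPv4 header, IHL=6 ...
    "9f2ab3f4"                                   # ... so 4 bytes of IP options follow
    "58724d6037d39f94")                          # first 8 bytes of the original payload

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 means the checksum already inside `data` verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(buf: bytes) -> dict:
    """Decode a fixed IPv4 header; options are whatever lies between byte 20 and IHL*4."""
    ver_ihl, _tos, tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ihl": ihl, "tlen": tlen, "ttl": ttl, "proto": proto,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "options": buf[20:ihl], "header_ok": ihl >= 20 and inet_checksum(buf[:ihl]) == 0}

def analyze_param_problem(pkt: bytes) -> dict:
    """Pull the original datagram's header back out of an ICMP Parameter Problem and sanity-check it."""
    outer = parse_ipv4(pkt)
    icmp = pkt[outer["ihl"]:outer["tlen"]]
    itype, code, _csum, pointer = struct.unpack("!BBHB", icmp[:5])
    if outer["proto"] != 1 or itype != 12:
        raise ValueError("not an ICMP Parameter Problem message")
    quoted = icmp[8:]                      # RFC 792: original IP header + at least 8 data bytes
    inner = parse_ipv4(quoted)
    echo_complete = len(quoted) >= inner["ihl"] + 8
    return {
        "outer_src": outer["src"], "outer_dst": outer["dst"], "outer_header_ok": outer["header_ok"],
        "icmp_ok": inet_checksum(icmp) == 0, "code": code, "pointer": pointer,
        "inner_src": inner["src"], "inner_dst": inner["dst"], "inner_ihl": inner["ihl"],
        "inner_header_ok": inner["header_ok"], "inner_options": inner["options"].hex(),
        # the octet the router objected to: the pointer indexes into the quoted header
        "pointed_byte": quoted[pointer] if pointer < len(quoted) else None,
        "echo_complete": echo_complete,
        # echo test from the post; the version/checksum conditions are an added heuristic (assumption)
        "looks_forged": not (echo_complete and inner["version"] == 4 and inner["header_ok"]),
    }

if __name__ == "__main__":
    for key, value in analyze_param_problem(PARAM_PROBLEM_PKT).items():
        print(f"{key:16} {value}")
```

Run against the other dumps in the post by pasting their hex into `bytes.fromhex` the same way; the pointer value 20 lands on the first option octet of each quoted header.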