OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: [Full-disclosure] Re: ICMP Destination Unreachable Port Unreachable

From: Adriel T. Desautels (simonsnosoft.com)
Date: Wed Aug 16 2006 - 09:22:35 CDT


Well,
    After over 100,000 alerts each with very different payloads the
traffic stopped. I do have a list of all of the dropped packets from my
firewall as well and it appears that it was hitting 3 IP addresses which
are public facing, not just one. The weird part, is that two of those
three aren't even live. So I think that this may have been noise from a
different attack...

    I'd be very interested in decoding the payloads for some of these.
Anyone here have any tools to do such a decode? I'd rather not do it
manual if at all possible.

Valdis.Kletnieksvt.edu wrote:
> On Wed, 16 Aug 2006 12:33:13 BST, Barrie Dempster said:
>
>> Although the port 0 in this case is a red herring and irrelevant. Port 0
>> itself when used with TCP/UDP (not ICMP!) can actually be used on the
>> Internet. A while back I modified netcat and my linux kernel so that it would
>> allow usage of port 0 and was able to connect to a remote machine via TCP
>> with that port and communicate fine.
>>
>
> Of course, the poor security geek who see a TCP SYN from port 0 to port 0,
> and then a SYN+ACK reply back, will be going WTF??!? for the rest of the day. :)
>
> (Another good one to induce head-scratching is anything that does
> RFC1644-style T/TCP. Anytime you see a packet go by in one direction with
> SYN/FIN *and* data, and the reply has SYN/ACK/FIN and data.. ;)
> data on it... ;)
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--

Regards,
    Adriel T. Desautels
    SNOsoft Research Team
    Office: 617-924-4510 || Mobile : 857-636-8882

    ----------------------------------------------
    Vulnerability Research and Exploit Development

BullGuard Anti-virus has scanned this e-mail and found it clean.
Try BullGuard for free: www.bullguard.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/