OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: An ICMP Type 3 Signature
From: Steffen Dettmer (steffenDETT.DE)
Date: Tue Oct 10 2000 - 16:03:21 CDT

* Stephen P. Berry wrote on Wed, Oct 04, 2000 at 13:26 -0700:
> -Neither of the destination addresses (a.b.c.d and i.j.k.l in
> the above example) had sent any traffic to 194.102.148.213 in
> the two hours prior to receiving the ICMP datagrams (two hours
> is as far back as I looked---they've probably -never- sent
> anything to 194.102.148.213). In fact i.j.k.l was an
> unused address that wasn't sending or receiving -anything-
 [...]

Well, I experimented with ICMP messages when playing with a fast
traceroute method. I made a tool that sends out a lot of UDP
packets, and thus receiving a lot of ICMP time exeededs at "one"
time, and from the included orginal UDP packets the tool builds
the route path (like traceroute, but more faster;
http://sws.dett.de/Simpletraceroute if anyone is interested in
the sources). I found by that, that I receive sometimes a lot of
malformed ICMP messages. They do include some data, but not the
data from the UDP packet that was sent by simpletraceroute. I
thought, that there may be broken TCP/IP implementations out
there, so this may not a bullet-proof thing. So the addresses may
be some "random" data; but really it surprised me a lot, that at
least some of those included (old UDP) packets contained the
right cksum!

If anyone could explain that "strange behaivior" I would be very
glad about an email (if offtopic for this list, please use PM).

oki,

Steffen 

-- 
Dieses Schreiben wurde maschinell erstellt,
es trägt daher weder Unterschrift noch Siegel.