Subject: Re: An ICMP Type 3 Signature
From: Stephen P. Berry (spbMESHUGGENEH.NET)
Date: Tue Oct 10 2000 - 12:03:52 CDT
Donald McLachlan writes:
>> There's a simpler and better indicator: check to see if the source
>> of the ICMP packet is between the destination of the ICMP packet and
>> the `unreachable' host. If this isn't the case, it's a pretty good
>> bet that the actual origin of the original traffic is behind the ICMP
>Spoof at host A (but we don't know the host's true address).
>Sends packets via router B.
>To unreachable address C.
>Spoofing Address D (which is where the ICMP unreachable address gets sent).
> A - B - (Big Internet Cloud) - C
>If I understand you correctly you are saying to check if D is between
>B and C. That makes no sense to me so I must be misunderstanding you.
>Can you please elaborate how your method can determine that the spoofer is
>behind router B (at A)? (which is what my method does)
I'm not suggesting that what I describe determines if D is between B
and C (in your diagram); that, as you note, doesn't make much sense.
If you check to see if the source of the ICMP packet (B) is between
the destination of the ICMP packet (D) and the `unreachable' host (C),
and it isn't, then it's a good bet that the spoofing host is behind
the ICMP source (B).
Actual techniques for network mapping (even the blazingly obvious and
inelegant one offered by the ICMP datagram itself) left as an exercise
for the reader.
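As an added illustration of the check described in this reply (example code, not part of the thread), the following Python parses an ICMP type 3 datagram, pulls router B (ICMP source), host D (ICMP destination) and the quoted unreachable host C out of it, and reports whether B lies on the D-to-C path. The hop list is an assumed input (traceroute or routing data, which the reply leaves to the reader), and the packet is constructed inline for the test.

```python
import struct
from ipaddress import IPv4Address


def parse_icmp_unreachable(pkt: bytes):
    """Return (icmp_src, icmp_dst, orig_src, orig_dst) from an IPv4/ICMP type 3
    datagram; the last two come from the original header quoted in the payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        raise ValueError("not an IPv4 datagram carrying ICMP")
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8 or icmp[0] != 3:
        raise ValueError("not ICMP type 3 (destination unreachable)")
    inner = icmp[8:]  # quoted original IP header + first 8 bytes of its payload
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("quoted original header missing or malformed")
    return (IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20]),
            IPv4Address(inner[12:16]), IPv4Address(inner[16:20]))


def spoof_indicator(pkt: bytes, path_d_to_c):
    """Heuristic from the thread. path_d_to_c is the assumed list of router
    addresses between D (ICMP destination) and C (unreachable host). If B (the
    ICMP source) is not one of those hops, the quoted datagram most likely did
    not originate at D but was spoofed by a host behind B."""
    b, d, quoted_src, c = parse_icmp_unreachable(pkt)
    on_path = b in {IPv4Address(h) for h in path_d_to_c}
    return {
        "router_b": str(b), "host_d": str(d), "host_c": str(c),
        "quoted_src_matches_d": quoted_src == d,  # errors go to the quoted source
        "b_on_path_d_to_c": on_path,
        "likely_spoofed_from_behind_b": not on_path,
    }


def build_unreachable(icmp_src, icmp_dst, orig_src, orig_dst):
    """Constructed test datagram: ICMP type 3 code 1 (host unreachable) quoting a
    UDP datagram orig_src -> orig_dst. Checksums stay zero; the parser ignores them."""
    def ip_hdr(src, dst, proto, total_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                           IPv4Address(src).packed, IPv4Address(dst).packed)
    inner = ip_hdr(orig_src, orig_dst, 17, 28) + b"\x00" * 8
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + inner
    return ip_hdr(icmp_src, icmp_dst, 1, 20 + len(icmp)) + icmp


if __name__ == "__main__":
    # Constructed scenario: B=198.51.100.1 tells D=192.0.2.10 that C=203.0.113.5 is
    # unreachable, but the D->C path (192.0.2.1, 203.0.113.1) never crosses B.
    pkt = build_unreachable("198.51.100.1", "192.0.2.10", "192.0.2.10", "203.0.113.5")
    print(spoof_indicator(pkt, ["192.0.2.1", "203.0.113.1"]))
```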