ICMP Usage in Scanning
Copyright © Ofir Arkin, 2000
http://www.sys-security.com

    -*> Snort! <*-
    Version 1.5
    By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)
    Kernel filter, protocol ALL, raw packet socket
    Decoding Ethernet on interface eth0
    02/15-13:47:37.179276 192.168.5.3 -> 192.168.5.255
    ICMP TTL:254 TOS:0x0 ID:13170
    ADDRESS REQUEST
    B9 03 8E 49 00 00 00 00                          ...I....

No answer was received from the LINUX machines nor from the Windows NT machine in our test lab.

But when sending an ICMP Address Mask request aimed at a router on our network, we receive a reply:

    -*> Snort! <*-
    Version 1.5
    By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)
    Decoding Ethernet on interface eth0
    01/30-09:33:00.711595 Host[13] -> Destination_Router
    ICMP TTL:254 TOS:0x0 ID:13170
    ADDRESS REQUEST
    90 02 04 17 00 00 00 00                          ........

    01/30-09:33:00.717388 Destination_Router -> Host
    ICMP TTL:63 TOS:0x0 ID:367
    ADDRESS REPLY
    90 02 04 17 FF FF FF F8 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00                                ......

Countermeasure: Block ICMP Address Mask Requests coming from the Internet on the border Router and/or Firewall.

2.5 Non-ECHO ICMP Sweeps

We can query multiple hosts using a Non-ECHO ICMP query message type. This is referred to as a Non-ECHO ICMP sweep.

Who would answer our query? Hosts that meet the following conditions:

o Hosts that are in a listening state.
o Hosts running an operating system that implemented the Non-ECHO ICMP query message type that was sent.
o Hosts that are configured to reply to the Non-ECHO ICMP query message type (a few conditions apply here as well; for example, RFC 1122 states that a system that implemented ICMP Address Mask messages must not send an Address Mask Reply unless it is an authoritative agent for address masks).

[13] The real IP addresses of the host and of a local ISP's router were replaced.
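
A defender-side sketch of the checks discussed above, added here as an example (it is not code from the original paper): it decodes ICMP Address Mask messages like the ones in the Snort dumps and flags sources that send Non-ECHO ICMP queries to a broadcast-looking address or to several hosts. The function names, the min_targets threshold and the ".255" broadcast heuristic are assumptions, and the sample traffic is constructed.

```python
import struct
from collections import defaultdict

# Non-ECHO ICMP query types (RFC 792, RFC 950); type 18 is the Address Mask Reply.
QUERY_TYPES = {13: "TIMESTAMP REQUEST", 15: "INFORMATION REQUEST", 17: "ADDRESS REQUEST"}

def icmp_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); yields 0 over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Decode type/code/id/seq, plus the mask field for types 17 and 18."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    mask = ".".join(map(str, msg[8:12])) if itype in (17, 18) and len(msg) >= 12 else None
    return {"type": itype, "code": code, "id": ident, "seq": seq,
            "mask": mask, "checksum_ok": icmp_checksum(msg) == 0}

def build(itype: int, ident: int, seq: int, mask: bytes = bytes(4)) -> bytes:
    """Build a constructed sample message in memory; the checksum is computed here."""
    body = struct.pack("!BBHHH", itype, 0, 0, ident, seq) + mask
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def find_sweeps(events, min_targets=3):
    """events: (src, dst, raw ICMP). Flag sources whose non-ECHO queries hit a
    broadcast-looking address (.255, a heuristic) or >= min_targets hosts."""
    targets = defaultdict(set)
    for src, dst, raw in events:
        if parse_icmp(raw)["type"] in QUERY_TYPES:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items()
            if len(d) >= min_targets or any(x.endswith(".255") for x in d)}

# Constructed samples: id/seq/mask of the first two come from the Snort dumps above.
SAMPLE = [
    ("192.168.5.3", "192.168.5.255", build(17, 0xB903, 0x8E49)),
    ("Destination_Router", "Host", build(18, 0x9002, 0x0417, bytes.fromhex("fffffff8"))),
    ("10.0.0.9", "10.0.0.1", build(8, 1, 1)),  # ordinary ECHO, not a non-ECHO query
]

if __name__ == "__main__":
    print(parse_icmp(SAMPLE[1][2]), find_sweeps(SAMPLE))
```

The reply in the second dump decodes to a mask of 255.255.255.248, which is the subnet information the countermeasure above keeps from leaving the network.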