
ICMP Usage in Scanning 15 Copyright © Ofir Arkin, 2000 http://www.sys-security.com

the pointer field will point to the exact byte in the original IP Header, which caused the problem) to the source IP address of the bad IP packet and reveal its existence.

With this type of host detection it is not relevant which protocol (TCP/UDP/ICMP) is embedded inside the IP packet. All we care about is the error messages generated by the probed machine (if any).

This method is very powerful in detecting host(s) on the probed network with direct access from the Internet, since a host should generate this error message. Routers must generate the ICMP Parameter Problem error message as well, but not all of them check the correctness of some fields inside the IP header the way a host does (processing of some fields is done on the host only).

According to RFC 1122, a host should check the validity of the following fields when processing a packet [14]:

· Version Number – if not 4, a host must silently discard the IP packet.
· Checksum – a host should verify the IP header checksum on every received datagram and silently discard every datagram that has a bad checksum.

A router should check the validity of the following fields when processing a packet [15]:

· Checksum – a router must verify the IP checksum of any packet it receives, and must discard messages containing invalid checksums.

These conditions restrict the usage of this method to a limited number of fields only. It is possible to send an IP packet with bad field(s) in the IP header that will get routed without being dropped on the way to the probed machine. It should be noted that different routers perform different checks regarding the IP header (different implementations and interpretations of RFC 1812).

When a router, because of a bad IP header, drops an IP packet and sends an ICMP Parameter Problem error message, it is possible to identify the manufacturer of the router and to adjust the wrong IP header field according to a field that is not checked by that manufacturer.

A router may be more forgiving than a host regarding the IP header. This may result from the fact that a router is a vehicle for delivering the IP packet, while a host is the destination and the place where more processing of the packet is done.

The downside of this method is detection. Intrusion Detection Systems should alert you about abnormalities in the attacked network's traffic, since it is not every day that you receive IP packets with bad IP header field(s).

We can use this type of host detection to sweep through the entire IP range of an organization and get back results that will map all the alive hosts on the probed network with direct access from the Internet. Even if a firewall or any filtering device is protecting the probed network, we can still try to send those forged packets to IP addresses with ports that are likely to be open, for example TCP ports 21, 25, 80 and UDP port 53, and even try to send an ICMP message presumably coming back from a host/router that generated it upon receiving data from the attacked network.

[14] RFC 1122 – Requirements for Internet Hosts, http://www.ietf.org/rfc/rfc1122.txt.
[15] RFC 1812 – Requirements for IPv4 Routers, http://www.ietf.org/rfc/rfc1812.txt.
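The RFC 1122 host checks and the Parameter Problem pointer described above, as an added example written for this page (not code from Arkin's paper): Python that applies the silent-discard checks to an IPv4 header and decodes an ICMP type 12 message the way an intrusion detection system would, naming the header field the pointer refers to and the host that answered. Field offsets follow RFC 791; the sample message, its addresses (RFC 5737 documentation ranges) and the option bytes are constructed for the example.

```python
import socket
import struct

# IPv4 header field offsets (RFC 791); the Parameter Problem pointer names one byte of it.
IP_FIELDS = [(0, "version/ihl"), (1, "tos"), (2, "total_length"), (4, "identification"),
             (6, "flags/fragment_offset"), (8, "ttl"), (9, "protocol"), (10, "header_checksum"),
             (12, "source_address"), (16, "destination_address"), (20, "options")]

def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum; over a header whose checksum field is correct it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def host_silently_discards(header: bytes):
    """RFC 1122 host checks from the text: a bad version or checksum is dropped silently, never answered."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return "version is not 4"
    if ones_complement_checksum(header[:(header[0] & 0x0F) * 4]) != 0:
        return "bad header checksum"
    return None

def field_at(pointer: int) -> str:
    """Name the IP header field that contains the byte the pointer refers to."""
    return [label for offset, label in IP_FIELDS if pointer >= offset][-1]

def decode_parameter_problem(icmp: bytes) -> dict:
    """Parse an ICMP Parameter Problem (type 12) as an IDS would and name the field it points at."""
    if len(icmp) < 28 or ones_complement_checksum(icmp) != 0:
        raise ValueError("not a well-formed ICMP message")
    icmp_type, code, _, pointer = struct.unpack("!BBHB", icmp[:5])
    if icmp_type != 12:
        raise ValueError("not an ICMP Parameter Problem (type 12)")
    orig = icmp[8:]  # quoted IP header (+ 8 bytes) of the datagram that was rejected
    return {"code": code, "pointer": pointer, "field": field_at(pointer),
            "responding_host": socket.inet_ntoa(orig[16:20]),
            "probe_source": socket.inet_ntoa(orig[12:16])}

def sample_parameter_problem() -> bytes:
    """Constructed sample: a host quoting back a 24-byte header (IHL=6) whose option it rejected."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x46, 0, 32, 0x1234, 0, 64, 17, 0,
                                socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7")))
    hdr += b"\x99\x03\x00\x00"  # constructed, unrecognised option; pointer will be 20
    struct.pack_into("!H", hdr, 10, ones_complement_checksum(bytes(hdr)))
    msg = bytearray(struct.pack("!BBHB3x", 12, 0, 0, 20)) + hdr + bytes(8)
    struct.pack_into("!H", msg, 2, ones_complement_checksum(bytes(msg)))
    return bytes(msg)
```

A version or checksum error in the quoted header returns a discard reason from host_silently_discards, which is why those two fields never appear as a pointer value in a Parameter Problem reply.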