ICMP Usage in Scanning
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
the pointer field will point to the exact byte in the original IP header that caused the problem) to
the source IP address of the bad IP packet, and thereby reveal its existence. With this type of host
detection the protocol (TCP/UDP/ICMP) embedded inside the IP packet is irrelevant; all we care
about is the error message generated by the probed machine (if any).
This method is very powerful for detecting host(s) on the probed network that are directly reachable
from the Internet, since a host should generate this error message. Routers must generate the ICMP
Parameter Problem error message as well, but not all of them check the correctness of the IP header
fields the way a host does (some fields are processed only by the destination host).
According to RFC 1122, a host should check the validity of the following fields when processing a
packet [14]:
· Version Number: if it is not 4, a host must silently discard the IP packet.
· Checksum: a host should verify the IP header checksum on every received datagram and silently
discard every datagram that has a bad checksum.
According to RFC 1812, a router should check the validity of the following field when processing a
packet [15]:
· Checksum: a router must verify the IP checksum of any packet it receives, and must discard
messages containing invalid checksums.
Since a datagram that fails these checks is silently discarded, no error message comes back for it; the
conditions outlined above therefore limit this method to a small number of header fields, those whose
violation draws an ICMP Parameter Problem rather than a silent discard.
It is possible to send an IP packet with bad field(s) in the IP header that will be routed to the probed
machine without being dropped on the way. Note that different routers perform different checks on
the IP header (different implementations and interpretations of RFC 1812). When a router drops an IP
packet because of a bad IP header and sends an ICMP Parameter Problem error message, it is possible
to identify the router's manufacturer, and then to adjust the probe so that the bad value sits in a field
that this manufacturer does not check.
A router may be more forgiving than a host regarding the IP header. This is because a router is only a
vehicle for delivering the IP packet, whereas a host is the destination and the place where more
processing of the packet is done.
The downside of this method is detectability. Intrusion Detection Systems should alert on such
abnormalities in the attacked network's traffic, since IP packets with bad IP header field(s) are not
something you receive every day.
We can use this type of host detection to sweep through the entire IP range of an organization and get
back results that map all the alive hosts on the probed network that are directly reachable from the
Internet.
Even if a firewall or another filtering device is protecting the probed network, we can still try to send
those forged packets to IP addresses with ports that are likely to be open, for example TCP ports 21,
25 and 80 or UDP port 53, and even try to send an ICMP message that purports to be coming back
from a host/router that generated it upon receiving data from the attacked network.
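The following Python script is an added example, not code from the paper, that implements both sides of the probe described on this page: build_probe() emits an IPv4 datagram with a valid version field and a valid header checksum (so that a host will not silently discard it) but a deliberately malformed IP option, and parse_parameter_problem() recognises the ICMP Parameter Problem (type 12) that a strict host sends back, reads the pointer byte, and reports which byte of the quoted original header the host objected to. The udp_inner() helper covers the firewall case from the last paragraph, a probe whose embedded datagram is aimed at UDP port 53; the embedded protocol does not matter for the method, only the bad header does. build_parameter_problem() constructs such a reply offline so the parser can be exercised without sending anything. The trigger option (an IP Timestamp option claiming an undersized length) and the addresses are assumptions: which malformation a given stack actually rejects, and whether it answers with a Parameter Problem instead of a silent discard, has to be verified per target.

```python
"""Host detection via a malformed IP header: send a datagram whose options are
invalid and look for the ICMP Parameter Problem (type 12) a strict host returns.
Added example; not the paper's code. The trigger option is an assumption."""
import socket
import struct
import sys

ICMP_PARAMETER_PROBLEM = 12
# Assumed trigger: IP Timestamp option (type 0x44) claiming length 2, below the
# 4-byte minimum. build_probe() pads it to a 32-bit boundary.
BAD_OPTION = bytes([0x44, 0x02])


def ip_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_inner(sport: int, dport: int) -> bytes:
    """Empty UDP datagram (checksum 0 = none, legal in IPv4) for the firewall case."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def build_probe(src: str, dst: str, options: bytes = BAD_OPTION,
                proto: int = socket.IPPROTO_ICMP, inner: bytes = None) -> bytes:
    """IPv4 datagram carrying `options` in its header. Version and checksum are
    kept valid on purpose: RFC 1122 hosts silently discard bad ones, so no
    error would come back. Default payload is an ICMP Echo Request."""
    options += b"\x00" * (-len(options) % 4)       # pad with End-of-Options
    ihl = 5 + len(options) // 4
    if inner is None:                               # id/seq are arbitrary
        inner = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)
        inner = inner[:2] + struct.pack("!H", ip_checksum(inner)) + inner[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(inner),
                      0xBEEF, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + options
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + inner


def build_parameter_problem(host: str, probe: bytes, pointer: int) -> bytes:
    """What the probed host sends back (RFC 792): type 12, code 0, a pointer into
    the quoted original header, then that header plus 64 bits of its data.
    Used here only to construct a reply offline (constructed sample)."""
    probe_ihl = (probe[0] & 0x0F) * 4
    quoted = probe[:probe_ihl + 8]
    icmp = struct.pack("!BBHB3x", ICMP_PARAMETER_PROBLEM, 0, 0, pointer) + quoted
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                      socket.IPPROTO_ICMP, 0, socket.inet_aton(host),
                      socket.inet_aton(socket.inet_ntoa(probe[12:16])))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_parameter_problem(datagram: bytes):
    """None unless `datagram` is an ICMP Parameter Problem with a good ICMP
    checksum; else the alive host (the reply's source), the RFC 792 pointer, the
    byte of the quoted original header it points at, and the probed address."""
    ihl = (datagram[0] & 0x0F) * 4
    if len(datagram) < ihl + 8 or datagram[9] != socket.IPPROTO_ICMP:
        return None
    icmp = datagram[ihl:]
    if icmp[0] != ICMP_PARAMETER_PROBLEM or ip_checksum(icmp) != 0:
        return None
    pointer, quoted = icmp[4], icmp[8:]
    return {"host": socket.inet_ntoa(datagram[12:16]), "code": icmp[1],
            "pointer": pointer,
            "offending_byte": quoted[pointer] if pointer < len(quoted) else None,
            "probe_dst": socket.inet_ntoa(quoted[16:20])}


if __name__ == "__main__":
    # Live use (needs root): python3 probe.py <our-ip> <target-ip>
    src, dst = sys.argv[1], sys.argv[2]
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.settimeout(2.0)
    s.sendto(build_probe(src, dst), (dst, 0))
    try:
        while True:                                 # skip unrelated ICMP traffic
            info = parse_parameter_problem(s.recvfrom(65535)[0])
            if info and info["host"] == dst:
                print("alive:", info)
                break
    except socket.timeout:
        print("no Parameter Problem from", dst)
```

With the default option the header is 24 bytes, so a host that rejects the option should return pointer 20, the offset of the option type byte 0x44 in the quoted header. A reply with a pointer at offset 0 or 10 would instead indicate the version or checksum field, which this probe keeps valid, so such a reply would point at a transit device mangling the packet rather than at the probe itself.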
[14] RFC 1122, Requirements for Internet Hosts, http://www.ietf.org/rfc/rfc1122.txt.
[15] RFC 1812, Requirements for IP Version 4 Routers, http://www.ietf.org/rfc/rfc1812.txt.