ICMP Usage in Scanning
Copyright © Ofir Arkin, 2000
http://www.sys-security.com

In my opinion, firewalls/filtering devices should check the validity of those fields used to elicit the ICMP Parameter Problem error message and disallow this kind of traffic.

An example is given here using the ISIC tool written by Mike Frantzen [16]. ISIC sends randomly generated packets to a target computer. Its primary uses are to stress test an IP stack, to find leaks in a firewall, and to test the implementation of Intrusion Detection Systems and firewalls. The user can specify how often the packets will be fragmented, have IP options, TCP options, an urgent pointer, etc.

In the next example I sent 20 IP packets from a Linux machine to a Microsoft Windows NT WRKS 4 SP4 machine. The packets were not fragmented, and no bad IP version numbers were sent. The only weird thing sent inside the IP headers was a random IP header length, which produced ICMP Parameter Problem error messages as I anticipated.

    [root@stan packetshaping]# ./isic -s 192.168.5.5 -d 192.168.5.15 -p 20 -F 0 -V 0 -I 100
    Compiled against Libnet 1.0
    Installing Signal Handlers.
    Seeding with 2015
    No Maximum traffic limiter
    Bad IP Version   = 0%   Odd IP Header Length = 100%   Frag'd Pcnt = 0%
    Wrote 20 packets in 0.03s @ 637.94 pkts/s

tcpdump trace:

    12:11:05.843480 eth0 > kenny.sys-security.com > cartman.sys-security.com: ip-proto-110 226 [tos 0xe6,ECT]   (ttl 110, id 119, optlen=24[|ip])
    12:11:05.843961 eth0 P cartman.sys-security.com > kenny.sys-security.com: icmp: parameter problem - octet 21 Offending pkt: kenny.sys-security.com > cartman.sys-security.com: ip-proto-110 226 [tos 0xe6,ECT]   (ttl 110, id 119, optlen=24[|ip]) (ttl 128, id 37776)

3.1.1 ACL Detection using IP Packets with bad IP header fields

If we probe the entire IP range of the targeted network with all combinations of protocols and ports, the responses draw the targeted network's topology map and allow us to determine the ACL of the filtering device (if one is present and it is not blocking outgoing ICMP Parameter Problem error messages). This works only if the filtering device does not check the validity of the mangled IP header fields.

3.1.1.1 How do we determine the ACL (ICMP protocol embedded inside)?

When the embedded protocol is ICMP, we send various ICMP message types encapsulated inside IP packets with bad IP header(s). If we receive a reply from a destination IP address, we have a host that is alive and an ACL that allows this type of ICMP message to reach the host that generated the error message (and that allows the ICMP Parameter Problem error message from the destination host out to the Internet).

[16] http://expert.cc.purdue.edu/~frantzen/
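The header validity check recommended at the top of this page can be sketched as follows. This is an added example, not code from the original paper or from ISIC; the function names are this example's own, and the sample packets are constructed, reusing the two addresses from the isic command above.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 791 one's-complement sum; 0 when run over a header with a valid checksum."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def option_problems(opts: bytes) -> list:
    """Walk the options area; every option must fit inside the header."""
    i = 0
    while i < len(opts):
        if opts[i] == 0:            # End of Option List
            break
        if opts[i] == 1:            # No-Operation, single octet
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return [f"malformed option at header offset {20 + i}"]
        i += opts[i + 1]
    return []

def header_problems(pkt: bytes) -> list:
    """Reasons a filter should drop this IPv4 packet; an empty list means the header is sane."""
    if len(pkt) < 20:
        return ["shorter than the minimum 20-byte header"]
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    hdr_len, total_len = ihl * 4, struct.unpack("!H", pkt[2:4])[0]
    if version != 4:
        return [f"bad IP version {version}"]
    if ihl < 5 or hdr_len > len(pkt):
        return [f"header length {hdr_len} outside 20..{len(pkt)} bytes"]
    if not hdr_len <= total_len <= len(pkt):
        return [f"total length {total_len} inconsistent with packet size"]
    if checksum(pkt[:hdr_len]) != 0:
        return ["header checksum mismatch"]
    return option_problems(pkt[20:hdr_len])

def build(ihl: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed sample packet (ICMP, 192.168.5.5 -> 192.168.5.15), checksum filled in."""
    total = 20 + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 119, 0, 64, 1, 0,
                      bytes([192, 168, 5, 5]), bytes([192, 168, 5, 15]))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr + options)) + hdr[12:]
    return hdr + options + payload
```

A filter that drops every packet for which `header_problems` returns a non-empty list never forwards the mangled header to the inside host, so no ICMP Parameter Problem reply is generated for the sender to observe.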