
ICMP Usage in Scanning 19 Copyright © Ofir Arkin, 2000 http://www.sys-security.com

A tcpdump trace of some of the communication exchanged:

    17:44:45.651855 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-50 0 (ttl 38, id 29363)
    17:44:45.652169 eth0 < 192.168.1.1 > localhost.localdomain: icmp: 192.168.1.1 protocol 50 unreachable Offending pkt: localhost.localdomain > 192.168.1.1: ip-proto-50 0 (ttl 38, id 29363) (ttl 128, id 578)
    17:44:45.652431 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-133 0 (ttl 38, id 18)
    17:44:45.652538 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-253 0 (ttl 38, id 36169)
    17:44:45.652626 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-92 0 (ttl 38, id 26465)
    17:44:45.652727 eth0 < 192.168.1.1 > localhost.localdomain: icmp: 192.168.1.1 protocol 133 unreachable Offending pkt: localhost.localdomain > 192.168.1.1: ip-proto-133 0 (ttl 38, id 18) (ttl 128, id 579)
    17:44:45.652760 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-143 0 (ttl 38, id 14467)
    17:44:45.652899 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-30 0 (ttl 38, id 30441)
    17:44:45.652932 eth0 < 192.168.1.1 > localhost.localdomain: icmp: 192.168.1.1 protocol 253 unreachable Offending pkt: localhost.localdomain > 192.168.1.1: ip-proto-253 0 (ttl 38, id 36169) (ttl 128, id 580)

3.2.2 ACL Detection using the Protocol field

First we need to determine if a filtering device is present, using a non-valid (not used) protocol number probe. If a filtering device exists then no answer (ICMP Protocol Unreachable) will be received from the probed machine, assuming it is not AIX, HP-UX or Digital UNIX [17]. If a certain protocol were not allowed through the filtering device we would not receive any ICMP error message from the probed machine.
Probing for all combinations of protocols and ports against an IP range of a targeted network, using non-valid and valid protocol values, can determine the ACL a filtering device is forcing on the protected network, along with the topology map of the targeted network (hosts reachable from the Internet).

A reply would not be generated if:

· The filtering device filters the protocol we are using.
· The filtering device is filtering the specific port we are using for the probe.
· The filtering device blocks ICMP Destination Unreachable - Protocol Unreachable error messages initiated from the protected network destined to the Internet. In our case, the filtering device may be blocking the specific host we are probing for outgoing ICMP Destination Unreachable - Protocol Unreachable error messages.

Note: We can use this method for ACL detection, but if the protocol we are using is not used on the target machine it should be blocked on the filtering device. Then only open TCP/UDP ports and allowed ICMP traffic could traverse the filtering device. If that kind of traffic is allowed, we can have better ACL detection solutions than the ones outlined here.

[17] You can determine this using OS fingerprinting methods.
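As an added example (not from the paper), the following Python script reads tcpdump lines in the format of the trace above, flags a source that probes one host with many distinct IP protocol numbers, and shows which probes drew an ICMP Protocol Unreachable and which stayed silent, i.e. what a filtering device or a non-reporting stack would hide from the prober. The threshold of 4 distinct protocols and the assumption that the capture uses exactly this older tcpdump line format are the script's own.

```python
import re
from collections import defaultdict

# tcpdump lines copied from the trace above (hostnames as printed there).
TRACE = """\
17:44:45.651855 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-50 0 (ttl 38, id 29363)
17:44:45.652169 eth0 < 192.168.1.1 > localhost.localdomain: icmp: 192.168.1.1 protocol 50 unreachable Offending pkt: localhost.localdomain > 192.168.1.1: ip-proto-50 0 (ttl 38, id 29363) (ttl 128, id 578)
17:44:45.652431 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-133 0 (ttl 38, id 18)
17:44:45.652538 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-253 0 (ttl 38, id 36169)
17:44:45.652626 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-92 0 (ttl 38, id 26465)
17:44:45.652727 eth0 < 192.168.1.1 > localhost.localdomain: icmp: 192.168.1.1 protocol 133 unreachable Offending pkt: localhost.localdomain > 192.168.1.1: ip-proto-133 0 (ttl 38, id 18) (ttl 128, id 579)
17:44:45.652760 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-143 0 (ttl 38, id 14467)
17:44:45.652899 eth0 > localhost.localdomain > 192.168.1.1: ip-proto-30 0 (ttl 38, id 30441)
17:44:45.652932 eth0 < 192.168.1.1 > localhost.localdomain: icmp: 192.168.1.1 protocol 253 unreachable Offending pkt: localhost.localdomain > 192.168.1.1: ip-proto-253 0 (ttl 38, id 36169) (ttl 128, id 580)
"""
# Raw IP probe carrying an arbitrary protocol number, and the ICMP type 3 code 2 reply.
PROBE = re.compile(r"^\S+ \S+ [<>] (\S+) > (\S+): ip-proto-(\d+) ")
UNREACH = re.compile(r"^\S+ \S+ [<>] (\S+) > (\S+): icmp: \S+ protocol (\d+) unreachable")

def parse(trace):
    """Yield (kind, src, dst, proto) for every probe or Protocol Unreachable line."""
    for line in trace.splitlines():
        for kind, rx in (("unreach", UNREACH), ("probe", PROBE)):
            m = rx.match(line)
            if m:
                yield kind, m[1], m[2], int(m[3])
                break

def analyze(trace, min_protocols=4):
    """Flag a source that tries >= min_protocols distinct IP protocol numbers
    against one host, and show which probes drew a Protocol Unreachable."""
    probed = defaultdict(list)   # (src, dst) -> protocol numbers, in probe order
    answered = defaultdict(set)  # (src, dst) -> protocols the host rejected
    for kind, src, dst, proto in parse(trace):
        if kind == "probe":
            probed[(src, dst)].append(proto)
        else:  # the ICMP error travels dst -> src; key it by the probe direction
            answered[(dst, src)].add(proto)
    report = {}
    for key, protos in probed.items():
        if len(set(protos)) >= min_protocols:
            # silent = no Unreachable seen: filtered, a stack that never reports it, or cut by the excerpt
            report[key] = {"probed": protos, "answered": sorted(answered[key]),
                           "silent": [p for p in protos if p not in answered[key]]}
    return report

if __name__ == "__main__":
    for (src, dst), r in analyze(TRACE).items():
        print(f"protocol scan {src} -> {dst}: {r}")
```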