ICMP Usage in Scanning
Copyright © Ofir Arkin, 2000
http://www.sys-security.com

Countermeasure: Block outgoing ICMP Protocol Unreachable error messages coming from the protected network to the Internet on your firewall and/or border router. If you are using a firewall, check that it blocks protocols which are not supported (deny-all stance).

3.3 Host Detection using IP Fragmentation to Elicit ICMP Fragment Reassembly Time Exceeded Error Messages

When a host receives a fragmented datagram with some of its pieces missing, and does not receive the missing parts within a certain amount of time, the host discards the packet and generates an ICMP Fragment Reassembly Time Exceeded error message back to the sending host.

We can use this behavior as a host detection method: send fragmented datagrams with missing fragments to a probed host and wait for an ICMP Fragment Reassembly Time Exceeded error message from any live host. When this method is used against the entire IP range of a probed network, it reveals the network topology of that targeted network.

3.3.1 ACL Detection using IP Fragmentation

This method can be used not only to map the entire topology of the targeted network, but also to determine the ACL a firewall or filtering device enforces on the protected network. Simply using all combinations of TCP and UDP with different ports, against the IP addresses in the probed network's range, will do it. When we receive a reply, it means that the host we queried is alive, the port we used is open on that host, and the ACL allows the protocol type and port that were used to reach the probed machine (and allows the ICMP Fragment Reassembly Time Exceeded error message back from the probed machine to the Internet).

If we do not get any reply back from the probed machine, it can mean:

· The filtering device filters the protocol used.
· The filtering device filters the specific port we are using for the probe.
· The filtering device blocks ICMP Fragment Reassembly Time Exceeded error messages initiated from the protected network and destined to the Internet. In our case, the filtering device may be blocking outgoing ICMP Parameter Problem datagrams from the specific host we are probing.

3.3.1.1 An Example with UDP (Filtering Device Detection)

Since UDP is a stateless protocol, it may be better suited to our needs here. The first datagram would be fragmented, including enough UDP information in the first fragment for the packet to be verified against a firewall's rule base. The second part of the datagram would not be sent. This forces any host that receives such a packet to send back an ICMP Fragment Reassembly Time Exceeded error message when its reassembly timer expires.

If the port we were using is open, then the ICMP Fragment Reassembly Time Exceeded error message would be generated. If the port is closed, then an ICMP Port Unreachable error message would be produced.
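The countermeasure this section implies, written out as an added defender-side example that is not part of the paper: an egress check for the border router that drops the ICMP error messages named above (Protocol Unreachable, Port Unreachable, Fragment Reassembly Time Exceeded, Parameter Problem) when the quoted original datagram came from outside, so that a timed-out fragment never confirms a live host to the prober. It assumes the protected network is 192.0.2.0/24 and that packets are handed to it as raw IPv4 without link-layer headers; the packet builder only constructs test input.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed example: the protected network behind the border router (assumption).
PROTECTED = ip_network("192.0.2.0/24")

# ICMP (type, code) pairs this section and its countermeasure single out: an outbound
# copy of any of them tells a remote prober that the quoted inner destination is alive.
LEAKY_ICMP = {
    (3, 2): "Protocol Unreachable",
    (3, 3): "Port Unreachable",
    (11, 1): "Fragment Reassembly Time Exceeded",
    (12, 0): "Parameter Problem",
}

def inspect_egress(pkt: bytes) -> tuple:
    """Egress rule for a raw IPv4 packet (no link layer): returns (action, reason).
    Drops ICMP errors leaving PROTECTED that answer a datagram sent in from outside."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, src = pkt[9], ip_address(pkt[12:16])
    if proto != 1 or src not in PROTECTED:
        return ("pass", "not an ICMP message from the protected network")
    icmp = pkt[ihl:]
    key = (icmp[0], icmp[1])
    if key not in LEAKY_ICMP:
        return ("pass", "ICMP type %d code %d is not filtered" % key)
    # ICMP error messages quote the offending IP header after an 8-byte ICMP header (RFC 792).
    inner = icmp[8:]
    if len(inner) < 20:
        return ("drop", "truncated ICMP error, quoted header unverifiable")
    orig_src, orig_dst = ip_address(inner[12:16]), ip_address(inner[16:20])
    if orig_src not in PROTECTED and orig_dst in PROTECTED:
        return ("drop", "%s revealing %s to %s" % (LEAKY_ICMP[key], orig_dst, orig_src))
    return ("pass", "error about internally originated traffic")

def build_icmp_error(src, dst, itype, icode, orig_src, orig_dst, orig_proto=17):
    """Constructed test packet: IPv4 header + ICMP error quoting a minimal original
    header whose More-Fragments flag is set, as in the first fragment of a probe."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0x2000, 64, orig_proto, 0,
                        ip_address(orig_src).packed, ip_address(orig_dst).packed)
    icmp = struct.pack("!BBHI", itype, icode, 0, 0) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 2, 0, 64, 1, 0,
                        ip_address(src).packed, ip_address(dst).packed)
    return outer + icmp

if __name__ == "__main__":
    leak = build_icmp_error("192.0.2.10", "198.51.100.7", 11, 1, "198.51.100.7", "192.0.2.10")
    print(inspect_egress(leak))
```

Truncated errors are dropped rather than passed, matching the deny-all stance the countermeasure calls for when the quoted header cannot be verified.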