ICMP Usage in Scanning
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
If a firewall is blocking our probes, then no reply would be generated.
No reply would indicate that traffic to the host we probed is filtered.
3.3.1.2 An example with TCP
We can divide the first packet of a TCP handshake into two fragments. We would put enough
TCP information in the first fragment to verify the packet against the firewall's rule base (this
means the port numbers we are using are included in that fragment). We will not send the second
fragment, forcing any host that receives the first one to send us back an ICMP Fragment
Reassembly Time Exceeded error message when its reassembly timer expires. This would indicate
that the host is reachable by this kind of traffic, which is allowed on the port we have specified
as the destination port [18].
If the port we use were open, then the ICMP error message would be generated. If the port is
closed, then a TCP RST packet should be sent back. If a filtering device were to block our probes,
then no reply would be generated. No reply would indicate that traffic to the host we probed is
filtered, or that the filtering device requires the first TCP packet not to be fragmented (which is a
legitimate requirement).
3.3.1.3 An Example with ICMP
We can do the same by encapsulating the probe in ICMP. When doing so, the fragmented ICMP
packets should sound the sirens of any Intrusion Detection System (if deployed) that sees them:
there is no reason to fragment an ICMP datagram.
Countermeasure: Block outgoing ICMP Fragment Reassembly Time Exceeded Error messages.
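To make the mechanism behind this probe and its countermeasure concrete, here is an added example (not code from Arkin's paper): a small in-memory model of the reassembly table a receiving host keeps for fragmented datagrams, the ICMP Time Exceeded message (type 11, code 1, "fragment reassembly time exceeded") it generates when a datagram is never completed, and the egress filter the countermeasure calls for. It goes one step beyond the text by applying the RFC 1122 rule that the error is generated only when fragment zero was received, which is why the probe carries the transport header in the first fragment. The timeout value, packet fields, addresses and helper names are assumptions made for the example; nothing is sent on the wire.

```python
"""Model of IP fragment reassembly timeout and the egress countermeasure (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# RFC 1122 recommends a reassembly timeout of 60-120 seconds; 60 s is assumed here.
REASSEMBLY_TIMEOUT = 60.0

ICMP_TIME_EXCEEDED = 11      # ICMP type
CODE_REASSEMBLY_TIMEOUT = 1  # ICMP code: fragment reassembly time exceeded


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int           # IP identification field shared by all fragments of one datagram
    proto: int           # 1 = ICMP, 6 = TCP, 17 = UDP
    offset: int          # fragment offset in bytes (0 for the first fragment)
    more_fragments: bool
    ts: float            # arrival time in seconds (constructed clock)


@dataclass(frozen=True)
class IcmpError:
    src: str             # host generating the error (the probed host)
    dst: str             # original sender of the fragment
    icmp_type: int
    icmp_code: int


Key = Tuple[str, str, int, int]


def pending_datagrams(fragments: List[Fragment]) -> Dict[Key, List[Fragment]]:
    """Group fragments by (src, dst, id, proto); keep only datagrams whose last fragment never arrived."""
    table: Dict[Key, List[Fragment]] = {}
    for f in fragments:
        table.setdefault((f.src, f.dst, f.ip_id, f.proto), []).append(f)
    # Simplification for the example: seeing the fragment with MF=0 counts as completion.
    return {k: v for k, v in table.items() if all(f.more_fragments for f in v)}


def expired_errors(fragments: List[Fragment], now: float) -> List[IcmpError]:
    """ICMP errors a host emits for incomplete datagrams whose reassembly timer has expired.

    RFC 1122 section 3.3.2: the error MUST be sent only if fragment zero was received.
    """
    errors = []
    for (src, dst, _ip_id, _proto), frags in pending_datagrams(fragments).items():
        first_seen = min(f.ts for f in frags)
        has_fragment_zero = any(f.offset == 0 for f in frags)
        if has_fragment_zero and now - first_seen >= REASSEMBLY_TIMEOUT:
            errors.append(IcmpError(src=dst, dst=src,
                                    icmp_type=ICMP_TIME_EXCEEDED,
                                    icmp_code=CODE_REASSEMBLY_TIMEOUT))
    return errors


def egress_filter(messages: List[IcmpError]) -> List[IcmpError]:
    """The countermeasure from the text: drop outbound ICMP type 11 code 1 at the border."""
    return [m for m in messages
            if not (m.icmp_type == ICMP_TIME_EXCEEDED and m.icmp_code == CODE_REASSEMBLY_TIMEOUT)]


# Constructed traffic: one deliberately incomplete datagram (first fragment only), one normal
# two-fragment datagram that completes, and one orphan non-first fragment (no fragment zero,
# so no error is due under RFC 1122). Addresses are documentation ranges.
SAMPLE_FRAGMENTS = [
    Fragment("198.51.100.7", "192.0.2.10", ip_id=0x1A2B, proto=6, offset=0, more_fragments=True, ts=0.0),
    Fragment("198.51.100.8", "192.0.2.10", ip_id=0x0042, proto=1, offset=0, more_fragments=True, ts=1.0),
    Fragment("198.51.100.8", "192.0.2.10", ip_id=0x0042, proto=1, offset=1480, more_fragments=False, ts=1.1),
    Fragment("198.51.100.9", "192.0.2.10", ip_id=0x0777, proto=17, offset=1480, more_fragments=True, ts=2.0),
]


def demo(now: float = 61.0) -> Tuple[int, int]:
    """Return (errors the host generates, errors that still leave the network after the filter)."""
    generated = expired_errors(SAMPLE_FRAGMENTS, now)
    leaving = egress_filter(generated)
    return len(generated), len(leaving)


if __name__ == "__main__":
    print(demo())  # (1, 0)
```

The model shows the two places a defender can act: the host itself (the error is only produced once the timer expires, and only for datagrams whose first fragment arrived) and the border, where dropping the outbound type 11 code 1 message removes the signal the probe depends on while leaving ordinary ICMP unaffected.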
3.4 Host Detection using UDP Scans, or why we wait for the ICMP Port Unreachable
How can we determine if a host is alive using a UDP probe? We use the UDP scan method, which
relies on the ICMP Port Unreachable error message that probed hosts may generate as an
indicator of alive hosts. With this method we send a UDP datagram with 0 bytes of data to a UDP
port on the attacked machine. If we have sent the datagram to a closed UDP port, we will receive
an ICMP Port Unreachable error message. If the port is open, we would not receive any reply.
When a filtering device is blocking UDP traffic aimed at the attacked machine, it mimics the
behavior pattern of open UDP ports.
If we probe a large number of UDP ports on the same host and do not receive a reply from a
large number of them, it would look as though many of the probed UDP ports are open, while in
fact a filtering device is probably blocking the traffic and nearly all of the ports are closed.
How can we remedy this?
We can set a threshold number of non-answering UDP ports; when it is reached, we will assume a
filtering device is blocking our probes.
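The reasoning in this section can be followed with a small simulation. The following is an added example, not code from Arkin's paper: it models the reply a probed host (or a filtering device in front of it) produces for a zero-byte UDP datagram, the per-port conclusion the observer can draw from each reply, and the threshold rule proposed above. The host model, the threshold value, the port range and the reply labels are all constructed for the example; nothing is sent on the wire.

```python
"""Interpretation of UDP probe outcomes as described in section 3.4 (added example)."""
from typing import Dict, Optional, Set

# Label for the ICMP Destination Unreachable / Port Unreachable message (type 3, code 3).
ICMP_PORT_UNREACHABLE = "icmp-type3-code3"


def host_reply(port: int, open_ports: Set[int], filtered: bool) -> Optional[str]:
    """Reply to a zero-byte UDP datagram.

    None models both cases the text describes as silent: the datagram was delivered
    to an open port, or a filtering device dropped it before the host saw it.
    """
    if filtered or port in open_ports:
        return None
    return ICMP_PORT_UNREACHABLE


def classify(reply: Optional[str]) -> str:
    """What one reply tells the observer about that port."""
    return "closed" if reply == ICMP_PORT_UNREACHABLE else "open|filtered"


def scan_summary(replies: Dict[int, Optional[str]], threshold: int) -> Dict[str, object]:
    """Aggregate per-port results and apply the threshold rule from the text."""
    states = {port: classify(r) for port, r in replies.items()}
    silent = sum(1 for s in states.values() if s == "open|filtered")
    # Only an ICMP reply proves the host is up; silence proves nothing either way.
    alive = any(s == "closed" for s in states.values())
    return {
        "host_alive": alive,
        "silent_ports": silent,
        "filtered_suspected": silent >= threshold,
        "states": states,
    }


# Constructed scenario parameters.
PROBED_PORTS = list(range(1, 21))   # 20 ports
THRESHOLD = 10                       # assumed threshold of non-answering ports


def run_scenario(open_ports: Set[int], filtered: bool) -> Dict[str, object]:
    """Probe every port in PROBED_PORTS against the modelled host and summarise."""
    replies = {p: host_reply(p, open_ports, filtered) for p in PROBED_PORTS}
    return scan_summary(replies, THRESHOLD)


if __name__ == "__main__":
    unfiltered = run_scenario({7, 19}, filtered=False)
    behind_filter = run_scenario({7, 19}, filtered=True)
    print("unfiltered:", unfiltered["host_alive"], unfiltered["silent_ports"],
          unfiltered["filtered_suspected"])        # True 2 False
    print("filtered:  ", behind_filter["host_alive"], behind_filter["silent_ports"],
          behind_filter["filtered_suspected"])     # False 20 True
```

Running the two scenarios reproduces the point of the section: with no filtering, the two open ports are the only silent ones and the ICMP replies from the rest prove the host is alive; behind a filtering device every port is silent, the host cannot be confirmed alive at all, and the threshold is what turns "20 open ports" into "probably filtered".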
[18] In a case where a firewall is validating that the first packet is not fragmented, we can fragment another one instead. But
then this scanning method would not be any different from any other scanning method using TCP flag combinations.