ICMP Usage in Scanning 21 Copyright © Ofir Arkin, 2000 http://www.sys-security.com

If a firewall is blocking our probes, then no reply is generated. No reply is an indication that traffic to the host we probed is filtered.

3.3.1.2 An example with TCP

We can divide the first packet of a TCP handshake into two fragments. We put enough of the TCP header into the first fragment for the packet to be checked against the firewall's rule base (that is, the source and destination port numbers are included in it). We never send the second fragment, so any host that receives the first one will discard the partial datagram when its reassembly timer expires and send us back an ICMP Fragment Reassembly Time Exceeded error message (ICMP type 11, code 1). This indicates that the host is reachable by this kind of traffic, and that it is allowed through to the port we specified as the destination port [18]. Two details matter in practice: RFC 1122 only requires the error to be sent when fragment zero (offset 0) was received, so the probe must be the first fragment of the datagram, and the reassembly timeout is on the order of tens of seconds, so the scanner has to wait that long before treating silence as a result.

If the port we use is open, then the ICMP error message is generated. If the port is closed, then a TCP RST packet should be sent back. Note, however, that a stack following RFC 1122 discards an incomplete datagram without ever handing it to TCP, so in the common case the Time Exceeded message is the reply to expect whether the port is open or closed; a RST would require the stack to process the first fragment before reassembly completes, and the open/closed distinction should not be relied upon. If a filtering device blocks our probes, then no reply is generated. No reply is an indication that traffic to the host we probed is filtered, or that the filtering device requires the first TCP packet not to be fragmented (which is a legitimate requirement).

3.3.1.3 An example with ICMP

We can do the same by fragmenting an ICMP datagram. When doing so, the fragmented ICMP packets should set off alarms in any intrusion detection system (if deployed) that sees them: there is no legitimate reason to fragment a small ICMP datagram.

Countermeasure: Block outgoing ICMP Fragment Reassembly Time Exceeded error messages.

3.4 Host Detection using UDP Scans, or why we wait for the ICMP Port Unreachable

How can we determine whether a host is alive using a UDP probe? We use the UDP scan method, which takes the ICMP Port Unreachable error message that probed hosts may generate as an indicator of alive hosts.

With this method we send a UDP datagram with 0 bytes of data to a UDP port on the target machine. If we sent the datagram to a closed UDP port, we receive an ICMP Port Unreachable error message (ICMP type 3, code 3). If the port is open, we receive no reply.

When a filtering device blocks UDP traffic aimed at the target machine, it mimics the behaviour of open UDP ports. If we probe a large number of UDP ports on the same host and receive no reply from most of them, it looks as though a large number of the probed UDP ports are open, while in reality a filtering device is probably blocking the traffic and nearly all of the ports are closed.

How can we remedy this? We can set a threshold number of non-answering UDP ports; when it is reached, we assume a filtering device is blocking our probes. Many TCP/IP stacks also rate-limit the ICMP error messages they generate, so closed ports probed too quickly fall silent as well; pacing the probes keeps that silence from being mistaken for filtering or for open ports.

[18] In a case where a firewall validates that the first packet is not fragmented, we can fragment another packet instead. But then this scanning method would not differ from any other scanning method based on TCP flag combinations.
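The following is an added example, not code from the paper or from its author. It builds the two probes described in sections 3.3.1.2 and 3.4 (fragment zero of a SYN with More Fragments set and a full TCP header, and a zero-length UDP datagram), parses the ICMP errors they provoke back to the probed port, and applies the threshold rule from section 3.4. Nothing is sent: the addresses (192.0.2.0/24, a documentation range), the ports and the reply packets are constructed in the file so that it runs offline. The names checksum, ip_header, first_fragment_syn, udp_probe, icmp_error_reply, classify_icmp_error and udp_host_state are assumptions of this example.

```python
# Added example (not part of Ofir Arkin's paper): build the probes from
# sections 3.3.1.2 and 3.4 and interpret the ICMP errors they provoke.
# Runs stand-alone with no network access; all packets below are constructed.
import socket
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_header(src, dst, proto, payload_len, mf=False, frag_off=0, ident=0x1234):
    """20-byte IPv4 header. Bit 13 of the flags/fragment word is More Fragments;
    the low 13 bits are the fragment offset in 8-byte units."""
    flags_frag = (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def first_fragment_syn(src, dst, sport, dport, seq=0):
    """Section 3.3.1.2: fragment zero of a SYN. It carries the whole 20-byte TCP
    header (so a port-based firewall rule can be evaluated on it) and has MF set.
    The second fragment is deliberately never built, so the target's reassembly
    timer expires and it answers with ICMP type 11 code 1."""
    pseudo = src + dst + struct.pack("!BBH", 0, PROTO_TCP, 20)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return ip_header(src, dst, PROTO_TCP, len(tcp), mf=True, frag_off=0) + tcp


def udp_probe(src, dst, sport, dport):
    """Section 3.4: a UDP datagram with 0 bytes of data. UDP checksum 0 means
    'not computed', which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return ip_header(src, dst, PROTO_UDP, len(udp)) + udp


def icmp_error_reply(responder, prober, itype, icode, original):
    """Constructed sample input: the ICMP error a host would send about
    `original`. Per RFC 792 the body quotes the original IP header plus the
    first 8 bytes of its payload, which is enough to recover the transport ports."""
    inner_ihl = (original[0] & 0x0F) * 4
    body = struct.pack("!BBHI", itype, icode, 0, 0) + original[:inner_ihl + 8]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ip_header(responder, prober, PROTO_ICMP, len(body)) + body


def classify_icmp_error(packet):
    """Map a received ICMP error back to the probe it answers.
    Returns (kind, inner_protocol, probed_dport), or None if the packet is not
    a well-formed ICMP message."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if checksum(icmp) != 0:           # a valid ICMP checksum verifies to zero
        return None
    itype, icode = icmp[0], icmp[1]
    inner = icmp[8:]                  # quoted IP header + 8 bytes of transport header
    inner_ihl = (inner[0] & 0x0F) * 4
    dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    if (itype, icode) == (3, 3):
        kind = "port_unreachable"     # UDP port closed, and the host is alive
    elif (itype, icode) == (11, 1):
        kind = "reassembly_timeout"   # our fragment reached the host: alive
    else:
        kind = "other"
    return kind, inner[9], dport


def udp_host_state(results, threshold):
    """`results` maps probed UDP port -> 'port_unreachable' or None (silence).
    Any Port Unreachable proves the host is alive. Silence only suggests an
    open port while it is rare; once `threshold` ports are silent, the likelier
    reading is a filtering device (or ICMP rate limiting), so the silent ports
    are not reported as possibly open."""
    silent = sorted(p for p, kind in results.items() if kind is None)
    closed = [p for p, kind in results.items() if kind == "port_unreachable"]
    if closed:
        host = "alive"
    elif len(silent) >= threshold:
        host = "filtered"
    else:
        host = "unknown"
    maybe_open = silent if len(silent) < threshold else []
    return host, maybe_open


if __name__ == "__main__":
    me, target = socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.2")
    frag = first_fragment_syn(me, target, 40000, 80)
    print(classify_icmp_error(icmp_error_reply(target, me, 11, 1, frag)))
    probe = udp_probe(me, target, 40000, 53)
    print(classify_icmp_error(icmp_error_reply(target, me, 3, 3, probe)))
    print(udp_host_state({53: "port_unreachable", 69: None, 161: None}, 10))
```

To use the builders against a real target you would hand the returned bytes to a raw socket with IP_HDRINCL set and feed whatever comes back on an ICMP raw socket through classify_icmp_error; the threshold in udp_host_state is the tunable from section 3.4, and the probes should be paced slowly enough that ICMP rate limiting on the target does not masquerade as a filter.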