ICMP Usage in Scanning
35
Copyright © Ofir Arkin, 2000
http://www.sys-security.com
7.2.6 ICMP Fragmentation Reassembly Time Exceeded (Type 11 Code 1)
By blocking this ICMP type we eliminate a Host Detection technique that sends only a few
fragments of a fragmented datagram and forces the probed host to send back an ICMP
Fragmentation Reassembly Time Exceeded error message, revealing its existence.
7.2.7 ICMP Parameter Problem
We have demonstrated that host detection can be performed with packets carrying bad IP
headers, which elicit various ICMP Parameter Problem and ICMP Destination Unreachable
error messages from the probed machines.
7.2.8 ICMP Time Stamp Request & Reply
Time Stamp requests & replies can be used for Host Detection and Inverse Mapping.
7.2.9 ICMP Address Mask Request and Reply
Address Mask request & reply can be used for host detection and Inverse Mapping.
7.2.10 The Liability Question
No system administrator or network administrator wants to be held liable for an attack
generated from their network by an abusive user (or by a malicious computer attacker using a
compromised system within the network). Therefore, blocking some types of ICMP traffic from the
protected network to the outside world is recommended for liability reasons:
o Destination Unreachable Codes 2-4
  o ICMP Destination Unreachable error messages with codes 2-4 (Protocol Unreachable,
    Port Unreachable, and Fragmentation Needed and DF Flag was Set) are a group of
    messages that signal hard error conditions and, when received, should terminate a
    connection.
    This allows an attacker to send fake Destination Unreachable codes 2-4 to terminate
    valid connections between the attacked target and other hosts on the network.
    Old TCP/IP implementations terminated TCP connections when receiving those error
    messages. Modern TCP/IP implementations no longer terminate a TCP connection when
    receiving those error messages.
o Source Quench messages
  o Since hosts still react to Source Quenches by slowing communication, they can be
    used as a Denial-of-Service measure.
o Redirect messages
  o If you can forge ICMP Redirect packets, and if your target host pays attention to
    them, ICMP Redirects may be employed for denial of service attacks, where a host is
    sent a route that loses its connectivity, or is sent an ICMP Network Unreachable
    packet telling it that it can no longer access a particular network.
This means that all outbound ICMP traffic should be disallowed.
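The following Python program is an added example, not code from the paper or from the author, that turns the egress-filtering recommendations of sections 7.2.6 through 7.2.10 into a checkable policy: it parses the 8-byte ICMP header from a raw message, verifies the RFC 1071 checksum, and returns the verdict an outbound filter would apply. The policy table lists only the types and codes the sections above single out (Destination Unreachable codes 2-4, Source Quench, Redirect, Time Exceeded code 1, Parameter Problem, Timestamp and Address Mask request/reply); the sample messages are constructed inline for the demonstration and are not captured traffic.

```python
import struct

# Outbound ICMP policy derived from sections 7.2.6-7.2.10 of the paper.
# Key: ICMP type. Value: set of blocked codes, or None to block every code.
# (Assumption: types not listed here are passed through unchanged.)
BLOCKED_OUTBOUND = {
    3: {2, 3, 4},        # Destination Unreachable: Protocol, Port, Frag Needed + DF
    4: None,             # Source Quench (Denial-of-Service lever)
    5: None,             # Redirect (route manipulation)
    11: {1},             # Time Exceeded: Fragment Reassembly Time Exceeded
    12: None,            # Parameter Problem (bad-IP-header host detection)
    13: None, 14: None,  # Timestamp Request / Reply
    17: None, 18: None,  # Address Mask Request / Reply
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words of the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(msg: bytes):
    """Return (type, code, checksum_ok) for a raw ICMP message (header + payload)."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, cksum = struct.unpack("!BBH", msg[:4])
    # Recompute with the checksum field zeroed, as the sender did.
    checksum_ok = icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) == cksum
    return icmp_type, code, checksum_ok


def egress_verdict(msg: bytes, policy=BLOCKED_OUTBOUND) -> str:
    """Decide whether an outbound ICMP message leaves the protected network."""
    icmp_type, code, checksum_ok = parse_icmp(msg)
    if not checksum_ok:
        return "DROP (bad checksum)"
    if icmp_type in policy:
        codes = policy[icmp_type]
        if codes is None or code in codes:
            return "DROP"
    return "ACCEPT"


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Build a well-formed ICMP message (constructed sample, not captured traffic)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest + payload


def audit(messages) -> dict:
    """Count verdicts over a batch of raw ICMP messages, e.g. from a packet capture."""
    counts = {}
    for msg in messages:
        verdict = egress_verdict(msg)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    samples = [
        build_icmp(3, 3),   # Port Unreachable: hard error, blocked
        build_icmp(3, 1),   # Host Unreachable: not in the list above, passed
        build_icmp(11, 1),  # Fragment reassembly time exceeded: blocked
        build_icmp(11, 0),  # TTL exceeded in transit: passed
        build_icmp(5, 1),   # Redirect for host: blocked
        build_icmp(13, 0),  # Timestamp request: blocked
        build_icmp(0, 0),   # Echo reply: passed
    ]
    for s in samples:
        t, c, _ = parse_icmp(s)
        print("type %2d code %d -> %s" % (t, c, egress_verdict(s)))
    print(audit(samples))
```

The same table maps directly onto an iptables OUTPUT chain using the `--icmp-type type/code` selector (for example `iptables -A OUTPUT -p icmp --icmp-type 3/3 -j DROP` for Port Unreachable); the Python version is useful for auditing a capture against the policy before the rules are deployed. Note that the paper's closing sentence goes further than this table and recommends dropping all outbound ICMP.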