HostedDB - Dedicated UNIX Servers

ICMP_Scanning_8
ICMP Usage in Scanning 8 Copyright Ó Ofir Arkin, 2000 http://www.sys-security.com The next example demonstrates the behavior expected from hosts when sending an ICMP ECHO request to the broadcast address of a network. The two LINUX machines on our test lab answered the query while the Microsoft Windows NT WRKS 4.0 machine silently ignored it. [root@stan /root]# ping -b 192.168.5.255 WARNING: pinging broadcast address PING 192.168.5.255 (192.168.5.255) from 192.168.5.1 : 56(84) bytes of data. 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=4.1 ms 64 bytes from 192.168.5.5: icmp_seq=0 ttl=255 time=5.7 ms (DUP!) --- 192.168.5.255 ping statistics --- 1 packets transmitted, 1 packets received, +1 duplicates, 0% packet loss round-trip min/avg/max = 4.1/4.9/5.7 ms In the next example I have sent a Ping to the network address of the targeted network. The same behavior was produced. The LINUX machines answer the ICMP ECHO request while the Windows NT machine ignored it. [root@stan /root]# ping -b 192.168.5.0 WARNING: pinging broadcast address PING 192.168.5.0 (192.168.5.0) from 192.168.5.1 : 56(84) bytes of data. 64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=7.5 ms 64 bytes from 192.168.5.5: icmp_seq=0 ttl=255 time=9.1 ms (DUP!) --- 192.168.5.0 ping statistics --- 1 packets transmitted, 1 packets received, +1 duplicates, 0% packet loss round-trip min/avg/max = 7.5/8.3/9.1 ms Note: Broadcast ICMP may result in a Denial-Of-Service condition if a lot of machines response to the query at once. Countermeasure: Block the IP directed broadcast on the border router. 2.4 Non-ECHO ICMP ICMP ECHO is not the only ICMP query message type available with the ICMP protocol. Non-ECHO ICMP messages are being used for more advanced ICMP scanning techniques (not only probing hosts, but network devices such as a router as well). The group of ICMP query message types includes: ECHO (Request (Type 8), Reply (Type 0)), Time Stamp (Request (Type 13), Reply (Type 14)), Information (Request (Type 15), Reply (Type 16)), and Address Mask (Request (Type 17), Reply (Type 18)).