G'day,

They could be trying a few things, off the top of my head. First up, can you
check the packet body? There normally isn't any data in an ICMP echo reply
except for pad (abcdefgh... or something) so if the payload looks like it
might be meaningful they might be looking for Nasty Programs running inside
the network that are using ICMP as transport.

IMO, that's the biggest worry. Other than that it could be just a scanning
variation. ICMP often gets overlooked or deliberately allowed in packet
filters, and even if it's denied it's often harder to notice glancing
through a log file than an unexpected SYN/ACK.

Finally, it could be a smurf? (fraggle? muppet? grover? bert&ernie?) style
attack. In brief, this consists of sending a packet to a broadcast address
with a forged source address. When all the hosts on the (badly configured)
subnet reply, they swamp the poor owner of the forged IP address. I know .0
hasn't been broadcast since Dinosaurs Ruled the Earth, but when this attack
was in vogue there were lots of networks that answered it.

That's all I can think of just now. I'm sure there are plenty of other
devious possibilities. However, I wouldn't recommend that you worry too much
as long as you know the packets aren't going to get through and do any damage.
I would try and make sure that there are no little surprise apps that are
tunneling data through ICMP though.

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 

> -----Original Message-----
> From: Philippe Cayphas [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 30 August 1999 4:36 AM
> To: [EMAIL PROTECTED]
> Subject: ECHO REPLY Attack?
> 
> 
> Hello,
> 
> We have blocked on an Internet Firewall the following IP packet :
> 
> ECHOREPLY FROM host 1.2.3.4 TO DMZ net 5.6.7.0
> 
> We checked of course the logs and no echo request was sent 
> and surely not
> from the network address (.0)!
> 
> My analysis is thus this is probably an attack but what could 
> they be trying?
> 
> Philippe
> 
> 
> __
> Ph. Cayphas
> 
> Sr Engineer
> AOF Belgium
> 
> +32 75 64 88 31
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
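
The two checks discussed in this thread (was there a matching echo request, and does the reply body look like ordinary pad), as an added example that is not part of the original messages. The pad heuristic, the host 5.6.7.10 and all sample packets are constructed assumptions.

```python
import struct

WINDOWS_PAD = b"abcdefghijklmnopqrstuvw"  # alphabet Windows ping repeats as pad

def icmp_echo(icmp_type, ident, seq, payload=b""):
    """Build a sample ICMP echo message (checksum left as 0, not validated here)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def looks_like_pad(payload):
    """Heuristic (assumption): empty, the repeating a..w alphabet, or bytes that
    count up by one, optionally after an 8- or 16-byte timestamp (Unix ping)."""
    if all(b == WINDOWS_PAD[i % len(WINDOWS_PAD)] for i, b in enumerate(payload)):
        return True  # also covers the empty payload
    for skip in (0, 8, 16):
        tail = payload[skip:]
        if len(tail) >= 2 and all((a + 1) % 256 == b for a, b in zip(tail, tail[1:])):
            return True
    return False

def review(packets):
    """packets: iterable of (src, dst, raw_icmp). Returns flagged echo replies."""
    pending = set()  # (requester, target, id, seq) for echo requests seen so far
    findings = []
    for src, dst, raw in packets:
        if len(raw) < 8:
            continue  # too short to carry an echo header
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
        if icmp_type == 8:  # echo request: remember who asked whom
            pending.add((src, dst, ident, seq))
        elif icmp_type == 0:  # echo reply: must answer a request we saw
            solicited = (dst, src, ident, seq) in pending
            pending.discard((dst, src, ident, seq))
            reasons = [] if solicited else ["unsolicited"]
            if not looks_like_pad(raw[8:]):
                reasons.append("non-pad payload")
            if reasons:
                findings.append((src, dst, reasons))
    return findings

# Constructed sample traffic; 5.6.7.10 is a hypothetical DMZ host.
PAD32 = b"abcdefghijklmnopqrstuvwabcdefghi"
SAMPLE = [
    ("5.6.7.10", "1.2.3.4", icmp_echo(8, 0x1234, 1, PAD32)),
    ("1.2.3.4", "5.6.7.10", icmp_echo(0, 0x1234, 1, PAD32)),  # answers the request
    ("1.2.3.4", "5.6.7.0", icmp_echo(0, 0x4242, 0)),          # nobody asked
    ("1.2.3.4", "5.6.7.10", icmp_echo(0, 0x9999, 7, b"constructed non-pad data")),
]

print(review(SAMPLE))
```

A reply flagged with both reasons is the case worth chasing first, since it is the one that could be carrying data rather than just probing.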