[Snort-users] Large ICMP packets

Ofir Arkin ofir at ...64...
Fri Sep 29 16:39:33 EDT 2000


The only originating OS I know of that might do that is HP-UX 10.30 and 11.0x. But this is only if you are communicating with that system with ICMP.

After sending an ICMP ECHO Request series to an HP-UX 11.0 box I had the first reply pretty normal, but then ...

00:27:57.435620 ppp0 < x.x.x.x > y.y.y.y : icmp: echo request (DF) (ttl 236, id 41985)
			 4500 05dc a401 4000 ec01 d909 xxxx xxxx
			 yyyy yyyy 0800 7e52 9abc def0 0000 0000
			 0000 0000 0000 0000 (CONTINUE WITH 0000 0000)

The machine I have queried pinged me back. The ICMP Echo request size was 1500 bytes. It was the maximum transfer unit my Internet connection was allowed to process. The request was sent with the DF bit set. Any router along the way trying to fragment the request, because the MTU of the destined network was smaller than the datagram's size, would fail and send an ICMP Error message back stating that fragmentation was required but the don't-fragment bit was set. This would allow the sending machine to send a smaller sized datagram according to its PMTU discovery process/algorithm with ICMP. If for this ICMP Echo request an ICMP Echo reply is received, then the PMTU is discovered.

00:27:57.885662 ppp0 > y.y.y.y > x.x.x.x : icmp: echo request (ttl 255, id
			 4500 0024 3372 0000 ff01 7c51 yyyy yyyy
			 xxxx xxxx 0800 5832 6d04 0100 dde5 c339
			 8383 0d00
00:27:58.155627 ppp0 < x.x.x.x > y.y.y.y : icmp: echo reply (DF) (ttl 236, id 41987)
			 4500 0024 a403 4000 ec01 debf xxxx xxxx
			 yyyy yyyy 0000 6032 6d04 0100 dde5 c339
			 8383 0d00

The following ICMP Echo Request was sent from my machine to the queried HP-UX 11.0 just milliseconds after my reply to the HP-UX's query was sent. It resulted in an ICMP Echo reply coming back from the queried machine. This time the DF bit was set with the ICMP Echo

Rather than sending an ICMP datagram that will be fragmented somewhere along the way to the destination machine, it is more beneficial from a performance perspective to fragment the ICMP datagram on sending. Setting the DF bit on the following replies would help to maintain the PMTU between the two systems if, for any reason, the PMTU were decreased; for example, because the datagram has used another route to the destined system.

Immediately sending another ICMP Query message type to this particular HP-UX 11.0x operating system based machine will not result in the PMTU discovery process being repeated. The DF bit would be set within the ICMP Query reply, except for a threshold maintained by HP-UX 11.0x. When it is reached, the next time we query this host with an ICMP Query message type, the process of determining the PMTU using ICMP Echo requests will begin again.

This unique HP-UX PMTU Discovery using ICMP Echo Requests is enabled by default in HP-UX 10.30 and 11.0x.

I don't think this might be the case, but also consider this:

Any OS I have checked can send large ICMP datagrams. It is just another parameter you use with ping.

An example with LINUX:

[root at ...534... /root]# ping -s 1500 x.x.x.x
PING x.x.x.x (x.x.x.x) from y.y.y.y : 1500(1528) bytes of data.
1508 bytes from x.x.x.x: icmp_seq=0 ttl=241 time=1034.7 ms
1508 bytes from host_address (x.x.x.x): icmp_seq=2 ttl=241 time=1020.0 ms
1508 bytes from host_address (x.x.x.x): icmp_seq=3 ttl=241 time=1090.4 ms
1508 bytes from host_address (x.x.x.x): icmp_seq=5 ttl=241 time=1060.0 ms

--- x.x.x.x ping statistics ---
8 packets transmitted, 5 packets received, 37% packet loss
round-trip min/avg/max = 1000.2/1041.0/1090.4 ms
[root at ...534... /root]#

The results on all OSs I have checked this against are a usual reply, nothing more nothing

If you need more information about what can be done with ICMP regarding scanning, see my paper "ICMP Usage In Scanning" available from my web site http://www.sys-security.com. The latest version is 2.01. A new version is expected to be released in the next 2 weeks.

I am also speaking about my research at Blackhat 2000 Amsterdam, so if someone is there ...

One side note of my research paper is another subject that you have mentioned, passive fingerprinting with ICMP. I am finalizing another paper dedicated to this issue. This paper should be published in the next 3 weeks as well.

Ofir Arkin  [ofir at ...64...]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.

Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."
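As an added example (not part of the post above), a small Python decoder that walks the three datagrams shown in the message and labels the HP-UX pattern the post describes: an ICMP echo request whose total length equals the link MTU with the DF bit set, followed by small replies that keep DF. The masked x/y address octets are replaced with placeholder addresses and the truncated zero payload of the first dump is padded to the 1500 bytes its header declares; both are assumptions, so the copied checksums are not verified.

```python
import struct
from ipaddress import IPv4Address

IP_DF = 0x4000  # "don't fragment" bit in the flags/fragment-offset field

def parse_ip_icmp(pkt: bytes) -> dict:
    """Decode the IPv4 header and the ICMP type/code of a raw datagram."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(pkt) < ihl + 8:
        raise ValueError("not an IPv4/ICMP datagram")
    icmp_type, icmp_code = struct.unpack("!BB", pkt[ihl:ihl + 2])
    return {"total_len": total_len, "id": ident, "df": bool(flags_frag & IP_DF),
            "ttl": ttl, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "icmp_type": icmp_type, "icmp_code": icmp_code}

def classify(pkt: bytes, link_mtu: int = 1500) -> str:
    """Label an ICMP echo: HP-UX style MTU-sized DF probe, DF-only, or plain."""
    h = parse_ip_icmp(pkt)
    if h["icmp_type"] == 8 and h["df"] and h["total_len"] >= link_mtu:
        return "mtu-sized-echo-request-df"  # the HP-UX 10.30/11.0x PMTU probe
    if h["icmp_type"] in (0, 8) and h["df"]:
        return "echo-df"                    # DF kept on the later, small replies
    return "echo-plain"

# Sample datagrams constructed from the hex dumps in the post.  The masked
# x/y octets are replaced with 10.0.0.1 / 10.0.0.2 (assumption), so the
# checksums copied from the post no longer verify; the parser ignores them.
def _mk(hexdump: str, pad_to: int = 0) -> bytes:
    raw = bytes.fromhex(hexdump)
    return raw + b"\x00" * max(0, pad_to - len(raw))

HPUX_PROBE = _mk("4500 05dc a401 4000 ec01 d909 0a000001 0a000002"
                 "0800 7e52 9abc def0", pad_to=1500)  # post truncated the zero payload
MY_REQUEST = _mk("4500 0024 3372 0000 ff01 7c51 0a000002 0a000001"
                 "0800 5832 6d04 0100 dde5 c339 8383 0d00")
HPUX_REPLY = _mk("4500 0024 a403 4000 ec01 debf 0a000001 0a000002"
                 "0000 6032 6d04 0100 dde5 c339 8383 0d00")

if __name__ == "__main__":
    for name, pkt in (("HP-UX probe", HPUX_PROBE), ("my request", MY_REQUEST),
                      ("HP-UX reply", HPUX_REPLY)):
        h = parse_ip_icmp(pkt)
        print(f"{name}: len={h['total_len']} df={h['df']} ttl={h['ttl']} "
              f"type={h['icmp_type']} -> {classify(pkt)}")
```

The decoded fields (length 1500, id 41985, ttl 236, DF set) match the tcpdump summary line in the post, which is the check that the hex and the summary agree.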
