[Snort-users] Research Paper - ICMP Usage In Scanning v3.0 - RELEASED

Ofir Arkin ofir at ...949...
Mon Jun 4 04:17:37 EDT 2001

I am pleased to announce the availability of version 3.0 of my research
paper "ICMP Usage In Scanning".

Version 3.0 introduces significant changes made to the text.

The paper now starts with an introduction to the ICMP Protocol. The
introduction explains what is the ICMP protocol; it’s message types, and
where and when we should expect to see these.

The following chapters are divided into several subjects ranging from Host
Detection to Passive Operating System Fingerprinting.

An effort was made to offer more illustrations, examples and diagrams in
order to explain and illustrate the different issues involved with the ICMP
protocol’s usage in scanning.

The paper is divided into the following chapters:

- Chapter 1 is the Introduction
- Chapter 2 is an Introduction to the ICMP Protocol
- Chapter 3 deals with Host Detection methods using the ICMP Protocol
- Chapter 4 handles Advanced Host Detection methods using the ICMP Protocol
- Chapter 5 talks about the technique known as "Inverse Mapping"
- Chapter 6 goes through the traceroute functionality
- Chapter 7 is dedicated to Active Operating System Fingerprinting using the
  Protocol. The chapter is divided into four parts:

	- Regular queries
	- Crafted queries
	- Error Messages
	- Futuristic Methods

- Chapter 8 explains the Usage of ICMP in the Passive Operating System
  Fingerprinting Process. This is a new chapter, which was added with this
- Chapter 9 suggests strategies when building a correct rule base with a
- Chapter 10 is dedicated to acknowledgments

The various appendixes offer:

- Several tables presented in the text
- Some Host based Security measures available with Linux based on Kernel
2.4.x and
  with Sun Solaris 8.
- A snort rule base for dealing with the ICMP tricks illustrated within the

The new version can be downloaded from The Sys-Security Group’s web site in
PDF and ZIP formats. This is due to the large size of the PDF file.

The file size is ~ 1.75mb when zipped

The file size is ~ 5.39mb.

Ofir Arkin [ofir at ...949...]
The Sys-Security Group
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

More information about the Snort-users mailing list