[plug] paranoia

Matt Kemner zombie at networx.net.au
Mon Aug 24 10:47:07 WST 1998


On Mon, 24 Aug 1998, Lindsay Allen wrote:

> Mon Aug 24 09:35:33 destination unreachable from cyberthrill.com [207.139.24.6]
> Mon Aug 24 09:45:21 destination unreachable from linux.cbcfreo.wa.edu.au [192.168.1.1]

Don't worry about them too much. Very much a part of the IP protocol is
the ICMP protocol, which you are seeing at work here. What iplogger is
logging here are ICMP type 3 messages, which tell an application that
the port or host it is trying to connect to is unreachable.
E.g. say you try to access the nameserver on dns.cyberthrill.com, but the
host itself is down; the router nearest the nameserver will send you a
"host unreachable" (ICMP type 3 code 1) message (resulting in a "no route
to host" error message).

If the host itself is up but named itself is down, the host will send a
"port unreachable" (type 3 code 3) for port 53.

Note: a fundamental flaw of the IP protocol lies here - because it is so
easy to spoof IP packets, all you have to do to break someone's IRC
connection (for example) is to send an unreachable message that is
forged to come from the IRC server - all you need to know is the source
and destination ports (so you send a whole bunch of them, each with a
different "source" port number, until you succeed). This type of Denial of
Service is very popular these days, and will continue to be rampant until
a) the IP protocol is improved (e.g. IPv6) or b) all ISPs block outgoing
packets that do not match their class C's (e.g. no Networx customer can
send a packet out that does not have a source address of 203.30.239.*,
203.56.13.* or 202.61.222.*).

Also, if you want to crash someone's mIRC connection, you do not even have
to spoof the ICMP packet to come from the IRC server; you only have to
have the contents of the ICMP packet match the existing TCP connection.
(And the program that's doing the 'rounds' at the moment does exactly
that, which makes it very easy to track down who really sent the packet -
I noticed, for example, that I was getting messages from a modem host at
iiNet that told one of my modems that aussie.oz.org was unreachable... bit
suss... :)

If I didn't know better I'd say that this was a fundamental flaw in the
Windows TCP/IP stack, but we all know that there are no flaws in Windows,
right? ;) (http://www.cantrip.org/nobugs.html)

 - Matt
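As an added example, not part of Matt's post or the plug archive, the Python below builds an ICMP type 3 message the way RFC 792 lays it out (outer IP header, 8-byte ICMP header, then the offending datagram's IP header plus its first 8 bytes, which for TCP are the two ports and the sequence number), parses it the way a receiving TCP stack must in order to decide which connection it concerns, and compares the port-only matching the post describes with the sequence-number check later written up in RFC 5927 ("ICMP Attacks against TCP"). All addresses, ports and sequence numbers are constructed for the demonstration (RFC 5737 documentation ranges), not taken from the original message.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3   # ICMP type 3
CODE_HOST_UNREACH = 1   # surfaces as "No route to host"
CODE_PORT_UNREACH = 3   # surfaces as "Connection refused"
PROTO_ICMP = 1
PROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a buffer whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with its checksum filled in."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", checksum(fields)) + fields[12:]


def icmp_unreachable(outer_src, victim, code, orig_src, orig_dst, sport, dport, seq):
    """Destination Unreachable as a router or host emits it: the quoted datagram's
    IP header and first 8 bytes of TCP (ports + sequence number) follow the ICMP header."""
    inner = ipv4_header(orig_src, orig_dst, PROTO_TCP, 20) + struct.pack("!HHI", sport, dport, seq)
    unchecked = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, checksum(unchecked), 0) + inner
    return ipv4_header(outer_src, victim, PROTO_ICMP, len(icmp)) + icmp


def parse_icmp_unreachable(pkt: bytes) -> dict:
    """Extract what a TCP stack needs to decide whose error this is."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not Destination Unreachable")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != PROTO_TCP:
        raise ValueError("quoted datagram is not TCP")
    sport, dport, seq = struct.unpack("!HHI", inner[inner_ihl:inner_ihl + 8])
    return {
        "outer_src": socket.inet_ntoa(pkt[12:16]),    # who actually sent the ICMP
        "code": icmp[1],
        "inner_src": socket.inet_ntoa(inner[12:16]),  # our own address in the quoted segment
        "inner_dst": socket.inet_ntoa(inner[16:20]),  # the peer
        "sport": sport, "dport": dport, "seq": seq,
    }


def find_connection(err: dict, conns: list):
    """4-tuple lookup: the quoted segment must be one from us to the peer."""
    for c in conns:
        if (c["local_addr"], c["local_port"], c["remote_addr"], c["remote_port"]) == \
           (err["inner_src"], err["sport"], err["inner_dst"], err["dport"]):
            return c
    return None


def seq_in_flight(seq: int, c: dict) -> bool:
    """SND.UNA <= seq < SND.NXT, computed with 32-bit wraparound."""
    return (seq - c["snd_una"]) % 2**32 < (c["snd_nxt"] - c["snd_una"]) % 2**32


def handle_icmp(pkt: bytes, conns: list, hardened: bool) -> str:
    """Policy for an ESTABLISHED connection: port-only (as in the post) vs RFC 5927."""
    err = parse_icmp_unreachable(pkt)
    c = find_connection(err, conns)
    if c is None:
        return "ignored: no matching connection"
    if not hardened:
        # Codes 2-4 are hard errors per RFC 1122 4.2.3.9, so the connection is torn down.
        return "aborted" if err["code"] in (2, 3, 4) else "soft error: connection kept"
    if not seq_in_flight(err["seq"], c):
        return "ignored: quoted sequence number not in flight"
    return "soft error: connection kept"   # RFC 5927: hard errors treated as soft once established


def demo() -> dict:
    """Constructed scenario: our host 192.0.2.10 holds an IRC connection to 198.51.100.7:6667."""
    conns = [{"local_addr": "192.0.2.10", "local_port": 1025, "remote_addr": "198.51.100.7",
              "remote_port": 6667, "snd_una": 1000, "snd_nxt": 1500}]
    # Genuine error from a router on the path, quoting a segment we really sent.
    genuine = icmp_unreachable("198.51.100.1", "192.0.2.10", CODE_HOST_UNREACH,
                               "192.0.2.10", "198.51.100.7", 1025, 6667, 1200)
    # Third-party forgery: right ports, outer source not spoofed, sequence number unknown (0).
    forged = icmp_unreachable("203.0.113.66", "192.0.2.10", CODE_PORT_UNREACH,
                              "192.0.2.10", "198.51.100.7", 1025, 6667, 0)
    # One miss in the port-guessing loop the post describes.
    miss = icmp_unreachable("203.0.113.66", "192.0.2.10", CODE_PORT_UNREACH,
                            "192.0.2.10", "198.51.100.7", 1026, 6667, 0)
    return {name: (handle_icmp(p, conns, False), handle_icmp(p, conns, True))
            for name, p in (("genuine", genuine), ("forged", forged), ("miss", miss))}
```

The forged packet passes the port-only policy and tears the connection down, which is the effect the post attributes to the program doing the rounds; the hardened policy drops it because it quotes a sequence number the victim never put on the wire, so an attacker who cannot sniff the connection has to guess roughly 2^32 values instead of 65536 ports. Neither policy can check the outer source address, since a genuine error legitimately comes from whichever router on the path hit the problem; that is why the attacker needs no spoofing there, and also why, as the post observes, the real sender shows up plainly in the victim's logs.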


