Re: [tcpm] WG Last Call for ICMP Attacks

"Smith, Donald" <Donald.Smith@qwest.com> Wed, 02 September 2009 22:08 UTC

From: "Smith, Donald" <Donald.Smith@qwest.com>
To: 'Joe Touch' <touch@ISI.EDU>
Date: Wed, 02 Sep 2009 16:06:55 -0600
Message-ID: <B01905DA0C7CDC478F42870679DF0F1005B64E385A@qtdenexmbm24.AD.QINTRA.COM>
References: <F1534040-EA0D-44E4-98F7-67C24CD12CCF@windriver.com> <B01905DA0C7CDC478F42870679DF0F1005B64E383D@qtdenexmbm24.AD.QINTRA.COM> <4A9EDEDD.2030308@isi.edu>
In-Reply-To: <4A9EDEDD.2030308@isi.edu>
Cc: 'tcpm Extensions WG' <tcpm@ietf.org>, 'David Borman' <david.borman@windriver.com>
Subject: Re: [tcpm] WG Last Call for ICMP Attacks

The distinction is from SANS classes but also commonly used in network forensics.

Crafted implies it wasn't created naturally by an OS.
A "special" tool is required to "craft" the packets.
A crafted packet MIGHT have also had its source IP forged.
So I see "forged or spoofed" as a subset of crafted packets.

"ICMP packet with falsified content" would be a good description.


(coffee != sleep) & (!coffee == sleep)
Donald.Smith@qwest.com gcia   

> -----Original Message-----
> From: Joe Touch [mailto:touch@ISI.EDU] 
> Sent: Wednesday, September 02, 2009 3:09 PM
> To: Smith, Donald
> Cc: 'David Borman'; 'tcpm Extensions WG'
> Subject: Re: [tcpm] WG Last Call for ICMP Attacks
> 
> Smith, Donald wrote:
> > 1.
> > ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite,
> >    and is used mainly for reporting network error conditions.
> > 
> > ICMP is part of the IP protocol suite.
> > 
> > 2.2
> > Therefore, in the case of TCP, an attacker could send a forged ICMP
> >    message to the attacked system, and, as long as he is able to guess
> >    the four-tuple (i.e., Source IP Address, Source TCP port, Destination
> >    IP Address, and Destination TCP port) that identifies the
> >    communication instance to be attacked, he will be able to use ICMP to
> >    perform a variety of attacks.
> > 
> > Forged usually implies that the source IP address has been spoofed,
> > usually to come from some type of trusted host.
> > Crafted is the term generally used to mean the packet's contents (not
> > header) were modified.
> > In this case there is no need to spoof the source IP address, as the end
> > host has no knowledge about the routers in between them and the end host
> > system. So I recommend you change forged to crafted.
> 
> I've not heard that there was such clarity on the term forged or
> crafted, but neither is the case here.
> 
> The attacker emits an ICMP message. It doesn't need a falsified header.
> It doesn't need to be a "modified" packet. E.g., it can be created based
> on information seen on the media.
> 
> It might just be called a "false ICMP message", i.e., it's reporting an
> event that didn't happen.
> 
> Joe