COMMAND

    kernel

SYSTEMS AFFECTED

    Linux

PROBLEM

    Ofir Arkin found the following.  The various ICMP error messages
    differ not only in their meaning but also in their implementation.
    One would expect several characteristics of an ICMP error message
    (how much of the offending datagram is quoted, what the Precedence
    bits are set to, and so on) to be the same across all the ICMP
    error message types, but for a few operating systems this is not
    the case.

    The most interesting case is Linux, based on kernel 2.2.x and the
    2.4 test kernels.

    The first example has Linux with kernel 2.2.16 as the targeted
    machine, eliciting an ICMP Port Unreachable error message with a
    UDP probe to a closed port (2000):

        00:21:30.199408 ppp0 > x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 64, id 1732)
			         4500 001c 06c4 0000 4011 c895 xxxx xxxx
			         yyyy yyyy 0812 07d0 0008 4484
        
        00:21:30.493691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000
        unreachable Offending pkt: x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 44, id
        1732) [tos 0xc0]  (ttl 238, id 53804)
			         45c0 0038 d22c 0000 ee01 4e60 yyyy yyyy
			         xxxx xxxx 0303 a88e 0000 0000 4500 001c
			         06c4 0000 2c11 dc95 xxxx xxxx yyyy yyyy
			         0812 07d0 0008 4484

    The quoted data is the entire offending datagram: the ICMP message
    is 56 bytes long (45c0 0038), i.e. 20 bytes of IP header, 8 bytes
    of ICMP header and all 28 bytes of the original UDP datagram (IP
    header plus the 8-byte UDP header, 4500 001c).  RFC 792 only
    requires the IP header and the first 8 bytes of the offending
    datagram's data to be quoted.  According to the Linux source code,
    Linux ICMP error messages are at most 576 bytes long.

    The next example again has Linux as the targeted operating system.
    Here an IP protocol scan was sent with NMAP; the probe for IP
    protocol 38 (a bare 20-byte IP header) elicits an ICMP Protocol
    Unreachable error message:

        13:14:56.942897   < x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623)
			         4500 0014 92f7 0000 2726 02cb xxxx xxxx
			         yyyy yyyy
        13:14:56.942964   > y.y.y.y > x.x.x.x: icmp: y.y.y.y protocol 38 unreachable
        Offending pkt: x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623) [tos
        0xc0]  (ttl 255, id 1884)
			         45c0 0044 075c 0000 ff01 b59a yyyy yyyy
			         xxxx xxxx 0302 fb1a 0000 0000 4500 0014
			         92f7 0000 2726 02cb xxxx xxxx yyyy yyyy
			         0050 dc84 ae6f 6910 0000 0000 5004 0000
			         bd89 0000

    Linux quotes the entire offending packet (the 20-byte IP header,
    4500 0014) and then adds another 20 bytes after it: the ICMP
    message is 68 bytes long (45c0 0044), i.e. 20 (IP) + 8 (ICMP) +
    20 (quoted datagram) + 20 (surplus).  The surplus bytes are not
    derived from the probe at all; in this trace the words 0050 dc84
    ae6f 6910 0000 0000 5004 0000 bd89 0000 decode as a TCP header with
    source port 80 and the RST flag set, presumably whatever was left
    in the kernel buffer.

    Because Linux generates ICMP Protocol Unreachable and ICMP Fragment
    Reassembly Time Exceeded error messages through the same code path,
    the same pattern appears with ICMP Fragment Reassembly Time
    Exceeded.  The probe is a single TCP segment sent with hping2 with
    both the More Fragments (-x) and Don't Fragment (-y) flags set, so
    the target waits for a second fragment that never arrives:

        [root@godfather bin]# hping2 -c 1 -x -y y.y.y.y
        ppp0 default routing interface selected (according to /proc)
        HPING y.y.y.y (ppp0 y.y.y.y): NO FLAGS are set, 40 headers + 0 data bytes
        
        --- y.y.y.y hping statistic ---
        1 packets tramitted, 0 packets received, 100% packet loss
        round-trip min/avg/max = 0.0/0.0/0.0 ms
        [root@godfather bin]#

    The tcpdump trace (note that the error message arrives some 30
    seconds after the probe, when the target's reassembly timer
    expires):

        19:49:22.999108 ppp0 > x.x.x.x.cvspserver > y.y.y.y.0: .
        1709055398:1709055398(0) win 512 (frag 35247:20@0+) (DF) (ttl 64)
			         4500 0028 89af 6000 4006 e0ff xxxx xxxx
			         yyyy yyyy 0961 0000 65de 1da6 6a01 476b
			         5000 0200 bf71 0000
        
        19:49:53.303196 ppp0 < y.y.y.y > x.x.x.x: icmp: ip reassembly time exceeded
        Offending pkt: x.x.x.x.cvspserver > y.y.y.y.0: . 1709055398:1709055398(0)
        win 512 (frag 35247:20@0+) (DF) (ttl 45) [tos 0xc0]  (ttl 238, id 379)
			         45c0 0058 017b 0000 ee01 1a49 yyyy yyyy
			         xxxx xxxx 0b01 3caf 0000 0000 4500 0028
			         89af 6000 2d06 f3ff xxxx xxxx yyyy yyyy
			         0961 0000 65de 1da6 6a01 476b 5000 0200
			         bf71 0000 601d 1f0d 7a04 5045 0100 0000
			         4146 4345 4a45 4f46

    Again the whole 40-byte offending packet (4500 0028) is quoted,
    followed by 20 surplus bytes, for an 88-byte ICMP message (45c0
    0058).  Since a Linux ICMP error message is never larger than 576
    bytes, only 548 bytes remain for the quote after the 20-byte IP
    header and the 8-byte ICMP header.  An offending datagram longer
    than 528 bytes therefore shows fewer than 20 surplus bytes, and one
    of 548 bytes or more fills the quote completely, so the added 20
    bytes are not seen at all in the ICMP Fragment Reassembly Time
    Exceeded / ICMP Protocol Unreachable error messages.  Offending
    packets that large are not likely in real-world situations.

    This unique pattern allows us to identify Linux based machines
    even if the Precedence bits of the Linux ICMP error messages (tos
    0xc0 in the traces above) have been changed to 0x00.
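
    The following script is an added example, not part of the original
    advisory or of Ofir Arkin's tools.  It parses the three ICMP error
    messages from the tcpdump traces above, compares the total length
    declared in the quoted IP header with the number of bytes actually
    carried after the ICMP header, and reports the Linux indicators
    described here: the 0xc0 Precedence bits, the entire offending
    datagram being quoted, and the 20 surplus bytes on Protocol
    Unreachable / Fragment Reassembly Time Exceeded, including the
    576-byte cap under which the surplus disappears.  The x.x.x.x and
    y.y.y.y placeholders are replaced by the RFC 5737 documentation
    addresses 192.0.2.1 and 198.51.100.1 (an assumption), so the
    checksums in the dumps no longer verify and are not checked.

```python
import struct

# Added example: the advisory's three ICMP errors, with x.x.x.x / y.y.y.y
# replaced by RFC 5737 documentation addresses (constructed placeholders).
X = "c000 0201"  # x.x.x.x -> 192.0.2.1
Y = "c633 6401"  # y.y.y.y -> 198.51.100.1

# ICMP Port Unreachable (type 3, code 3): whole 28-byte UDP datagram quoted.
PORT_UNREACH = f"""
45c0 0038 d22c 0000 ee01 4e60 {Y}
{X} 0303 a88e 0000 0000 4500 001c
06c4 0000 2c11 dc95 {X} {Y}
0812 07d0 0008 4484
"""

# ICMP Protocol Unreachable (type 3, code 2): 20-byte probe quoted + 20 extra.
PROTO_UNREACH = f"""
45c0 0044 075c 0000 ff01 b59a {Y}
{X} 0302 fb1a 0000 0000 4500 0014
92f7 0000 2726 02cb {X} {Y}
0050 dc84 ae6f 6910 0000 0000 5004 0000
bd89 0000
"""

# ICMP Fragment Reassembly Time Exceeded (type 11, code 1): 40 bytes + 20 extra.
FRAG_TIME_EXCEEDED = f"""
45c0 0058 017b 0000 ee01 1a49 {Y}
{X} 0b01 3caf 0000 0000 4500 0028
89af 6000 2d06 f3ff {X} {Y}
0961 0000 65de 1da6 6a01 476b 5000 0200
bf71 0000 601d 1f0d 7a04 5045 0100 0000
4146 4345 4a45 4f46
"""

ICMP_PROTO = 1
LINUX_ICMP_MAX = 576                  # largest ICMP error Linux emits
QUOTE_ROOM = LINUX_ICMP_MAX - 20 - 8  # 548 bytes left for the quoted datagram


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the whitespace-separated hex words of a tcpdump -x dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def analyze_icmp_error(raw: bytes) -> dict:
    """Parse an IPv4 ICMP error and compare the quoted datagram's declared
    total length with the bytes actually carried after the ICMP header.
    Anything beyond the declared length is reported as 'surplus'."""
    ihl = (raw[0] & 0x0F) * 4
    tos = raw[1]
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != ICMP_PROTO:
        raise ValueError("outer datagram is not ICMP")
    if total_len > len(raw):
        raise ValueError("truncated capture")
    icmp = raw[ihl:total_len]
    quoted = icmp[8:]  # the offending datagram starts after the 8-byte ICMP header
    if len(quoted) < 20:
        raise ValueError("quoted datagram shorter than an IP header")
    quoted_declared = struct.unpack("!H", quoted[2:4])[0]
    return {
        "type": icmp[0],
        "code": icmp[1],
        "tos": tos,
        "msg_len": total_len,
        "quoted_declared": quoted_declared,   # length field of the quoted IP header
        "quoted_carried": len(quoted),        # bytes actually present
        "surplus": quoted[quoted_declared:],  # bytes past the quoted datagram
    }


def linux_indicators(info: dict) -> list:
    """Return the Linux fingerprinting indicators described in the advisory."""
    hits = []
    if info["tos"] == 0xC0:
        hits.append("precedence bits 0xc0 on the ICMP error")
    # Whole offending datagram quoted (RFC 792 needs only header + 8 bytes),
    # subject to the 576-byte cap.
    if info["msg_len"] <= LINUX_ICMP_MAX and \
            info["quoted_carried"] >= min(info["quoted_declared"], QUOTE_ROOM):
        hits.append("entire offending datagram quoted")
    # The 20 surplus bytes only appear on Protocol Unreachable and Fragment
    # Reassembly Time Exceeded, and only while the quote is below the cap.
    if (info["type"], info["code"]) in {(3, 2), (11, 1)} and \
            info["quoted_declared"] + 20 <= QUOTE_ROOM and \
            len(info["surplus"]) == 20:
        hits.append("20 surplus bytes after the quoted datagram")
    return hits


if __name__ == "__main__":
    for name, dump in (("port unreachable", PORT_UNREACH),
                       ("protocol unreachable", PROTO_UNREACH),
                       ("frag reassembly time exceeded", FRAG_TIME_EXCEEDED)):
        info = analyze_icmp_error(hexdump_to_bytes(dump))
        print(f"{name}: type {info['type']} code {info['code']}, quoted "
              f"{info['quoted_carried']}/{info['quoted_declared']} bytes, "
              f"surplus {info['surplus'].hex()}")
        for hit in linux_indicators(info):
            print("  -", hit)
```

    On the advisory's traces the Port Unreachable message yields no
    surplus, while the Protocol Unreachable and Fragment Reassembly
    Time Exceeded messages each yield exactly 20 surplus bytes (the
    last eight of the latter being the ASCII "AFCEJEOF" visible in the
    dump).  To use the script on live traffic, feed it the raw bytes of
    any ICMP error captured with tcpdump -x from a machine under test.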

SOLUTION

    Nothing yet.