COMMAND
ICMP Fragment Reassembly Time (kernel)
SYSTEMS AFFECTED
Novell Netware
PROBLEM
Ofir Arkin found following. Novell Netware operating systems have
a unique pattern with ICMP Fragment Reassembly Time Exceeded error
messages they produce.
In general, when an ICMP error message is produced, the offending
packet's IP Header + at least 8 bytes of data are echoed with the
error message. If we examine closely the next example, we can see
that the Offending packet's IP TTL field value echoed back is
zero. We expect this value to decrement from the value initially
assigned, but not to be zero. Since this value should change from
one hop to another, the Checksum need to be recalculated each
time. With the error message we can see that the Checksum echoed
is miscalculated.
...And again this is a Fragment Reassembly Time Exceeded ICMP
error message and not ICMP Time Exceeded in Transit error message.
The next example is with Novell Netware 5.1:
[root@godfather bin]# hping2 -c 1 -x -y y.y.y.y
ppp0 default routing interface selected (according to /proc)
HPING y.y.y.y (ppp0 y.y.y.y): NO FLAGS are set, 40 headers + 0 data bytes
--- y.y.y.y hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@godfather bin]#
The Trace:
20:12:28.008893 ppp0 > x.x.x.x.1865 > y.y.y.y.0: . 687160929:687160929(0)
win 512 (frag 58586:20@0+) (DF) (ttl 64)
4500 0028 e4da 6000 4006 c236 xxxx xxxx
yyyy yyyy 0749 0000 28f5 3e61 669e 9f15
5000 0200 c5d2 0000
20:12:41.313202 ppp0 < y.y.y.y > x.x.x.x: icmp: ip reassembly time exceeded
Offending pkt: [|tcp] (frag 58586:20@0+) (DF) [ttl 0] (bad cksum d336!) (ttl
111, id 9591)
4500 0038 2577 0000 6f01 b28f yyyy yyyy
xxxx xxxx 0b01 b55f 0000 0000 4500 0028
e4da 6000 0006 d336 xxxx xxxx yyyy yyyy
0749 0000 28f5 3e61
This unique pattern enable us to determine if the operating
system in question is a Novell Netware or other with one datagram
only. The information was sent to Novell.
SOLUTION
Nothing yet.