GEN:SID | 1:457 |
Message | ICMP Traceroute undefined code |
Summary | This event is generated when an ICMP type 14 is detected that does not include the necessary code in the packet.
|
Impact | Can be used as a reconnaissance tool. Traceroute reveals information about the layout of a network.
|
Detailed Information | There are at least three different implementations of traceroute. In one implementation traceroute works by sending an ICMP Echo Request packet to a destination host with a TTL value of 1. If the host is more than one hop away, the first route that receives the back will send back an ICMP packet indicating that the TTL was exceeded. The address of this router is then listed as the first hop. The packet is then sent out again with a TTL of 2. This continues until the destination host is able to reply or some maximum TTL value is reached.
The other two implementations use the same TTL-based concept with an ICMP type of 30(traceroute) or with an UDP packet destined for an ephemeral port.
|
Affected Systems | All
|
Attack Scenarios | Traceroute is often used against machines on a network prior to an attack.
|
Ease of Attack | Simple
|
Corrective Action | Block inbound ICMP type 30 messages.
|
Additional References | Miscellaneous http://www.faqs.org/rfcs/rfc1393.html
|