Re: [tcpm] WG Last Call for ICMP Attacks

The distinction is from SANS classes but also commonly used in network forensics.

Crafted implies it wasn't created naturally by an OS.
A "special" tool is required to "craft" the packets.
A crafted packet MIGHT have also had its source IP forged.
So I see "forged or spoofed" as a subset of crafted packets.

"ICMP packet with falsified content" would be a good description.


(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: Joe Touch [mailto:touch at ISI.EDU] 
> Sent: Wednesday, September 02, 2009 3:09 PM
> To: Smith, Donald
> Cc: 'David Borman'; 'tcpm Extensions WG'
> Subject: Re: [tcpm] WG Last Call for ICMP Attacks
> 
> 
> Smith, Donald wrote:
> > 1.
> > ICMP [RFC0792] is a fundamental part of the TCP/IP protocol suite,
> >    and is used mainly for reporting network error conditions.
> > 
> > ICMP is part of the IP protocol suite.
> > 
> > 2.2
> > Therefore, in the case of TCP, an attacker could send a forged ICMP
> >    message to the attacked system, and, as long as he is able to guess
> >    the four-tuple (i.e., Source IP Address, Source TCP port, Destination
> >    IP Address, and Destination TCP port) that identifies the
> >    communication instance to be attacked, he will be able to use ICMP to
> >    perform a variety of attacks.
> > 
> > Forged usually implies that the source IP address has been spoofed,
> > usually to come from some type of trusted host.
> > Crafted is the term generally used to mean the packet's contents
> > (not header) were modified.
> > In this case there is no need to spoof the source IP address, as the
> > end host has no knowledge about the routers in between them and the
> > end host system. So I recommend you change forged to crafted.
> 
> I've not heard that there was such clarity on the term forged or
> crafted, but neither is the case here.
> 
> The attacker emits an ICMP message. It doesn't need a falsified header.
> It doesn't need to be a "modified" packet. E.g., it can be created based
> on information seen on the media.
> 
> It might just be called a "false ICMP message", i.e., it's reporting an
> event that didn't happen.
> 
> Joe
> 

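As an added example (not code from this thread or from the ICMP attacks draft), here is the receiver-side counterpart of the quoted Section 2.2 text: before handing an ICMPv4 error to TCP, the host checks that the four-tuple of the segment quoted inside the error belongs to a live connection, while ignoring the outer source address, since, as the thread notes, the host cannot know which routers sit on the path. The connection table and the sample packets are constructed stand-ins.

```python
import struct
from typing import NamedTuple, Optional

class FourTuple(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int

# Constructed connection table standing in for the host's real TCP state (assumption).
CONNECTIONS = {FourTuple("192.0.2.10", 51234, "198.51.100.7", 443)}

def embedded_tuple(icmp: bytes) -> Optional[FourTuple]:
    """Extract the four-tuple of the TCP segment quoted inside an ICMPv4 error.

    Layout: 8-byte ICMP header, then the offending IPv4 header, then at least
    8 bytes of its payload (enough for the TCP source and destination ports).
    """
    if len(icmp) < 8 + 20 + 8:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    if inner[9] != 6:  # inner protocol is not TCP, so no TCP connection can match
        return None
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    # The quoted segment was sent by this host, so its source is the local endpoint.
    return FourTuple(src, sport, dst, dport)

def accept_icmp_error(icmp: bytes, connections=CONNECTIONS) -> bool:
    """Deliver the error to TCP only if the quoted segment matches a live connection.

    The outer IP source (the reporting router) is deliberately not consulted: the
    host has no way to know which routers lie on the path, so a sender gains
    nothing by spoofing it and a check on it would reject nothing useful.
    """
    t = embedded_tuple(icmp)
    return t is not None and t in connections

def build_icmp_error(src_ip, sport, dst_ip, dport, icmp_type=3, code=4) -> bytes:
    """Constructed sample: an ICMP error quoting a TCP segment (checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         bytes(int(x) for x in src_ip.split(".")),
                         bytes(int(x) for x in dst_ip.split(".")))
    tcp_first8 = struct.pack("!HHI", sport, dport, 0)  # ports + sequence number
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip_hdr + tcp_first8
```

A message that quotes a four-tuple not in the table is dropped regardless of which router it claims to come from.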
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.