2.3 The Path MTU Discovery Process and the ICMP "Fragmentation Needed and DF Set" Error Message

When one host has data to send to another, the data is transmitted as a series of IP datagrams. Ideally these datagrams are of the largest size that does not require fragmentation anywhere along the path from the source to the destination. Fragmentation at the IP layer causes several problems:
• If one fragment is lost, the whole datagram has to be retransmitted.
• Routers have to store fragments.
• Some simple firewalls filter on higher-layer protocol information, which only the first fragment carries, so the remaining fragments are blocked.

The Maximum Transmission Unit (MTU) is a link-layer limit on the maximum number of bytes of data in a single transmission. The smallest MTU of any link on the current path between two hosts is called the Path MTU (PMTU).

2.3.1 The Path MTU Discovery Process

The Path MTU Discovery process uses the Don't Fragment (DF) bit of the IP header to dynamically discover the PMTU of a given path. The source host initially assumes that the PMTU of a path is the known MTU of its first hop, and sends all datagrams on that path with the DF bit set. If a router along the path would have to fragment the datagram in order to pass it on to the next hop, and the DF bit is set, the router discards the datagram and returns an ICMP Destination Unreachable error message (Type 3) with Code 4, "Fragmentation Needed and DF Set". When the sending host receives this error message it reduces its assumed PMTU. The process ends when the estimated PMTU is low enough for the datagrams to be delivered without fragmentation; the source can also stop the process at any time by ceasing to set the DF bit. Because the DF bit is normally set on all datagrams, if the route to a host changes and the new PMTU is lower, the change is discovered by the same mechanism. A PMTU may also increase when the routing topology changes. To be able to detect this, the sending host should periodically increase its assumed PMTU for the path.

The "Fragmentation Needed and DF Set" error message carries the MTU of the next hop in its Next-Hop MTU field (RFC 1191), so the source host learns the exact size of the largest datagram the reporting router can forward without fragmentation, instead of having to guess at the PMTU.

2.3.2 Host Specification

When a host receives a "Fragmentation Needed and DF Set" error message it must reduce its estimated PMTU for the path concerned. RFC 1191 does not describe in detail the behaviour expected of the sending host, because different applications have different requirements and different implementation architectures favour different strategies. The only required behaviour is that the host must attempt to avoid sending more datagrams of the same size on that path in the near future. A host can either stop setting the DF bit in the IP header (so that routers are allowed to fragment) or reduce the size of its datagrams. Since fragmentation causes more traffic and consumes more Internet resources, the better strategy is to reduce the datagram size.

A decrease in the PMTU must be detected as fast as possible, using the discovery process described above. A host can detect an increase in the PMTU by sending a datagram larger than its current estimate. Since the PMTU will not usually have increased, such a datagram is normally rejected by a router on the path to the destination, which generates traffic back to the host, so the attempt must not be repeated at short intervals. RFC 1191 specifies that an attempt to detect an increase must not be made less than 10 minutes after a "Fragmentation Needed" message has been received for the destination, or less than 2 minutes after a previous successful attempt.

A sending host must also know how to handle a "Fragmentation Needed and DF Set" error message from a router that predates RFC 1191 and therefore does not fill in the Next-Hop MTU field. Several approaches can be implemented:
• The PMTU should be set to the minimum of the currently assumed PMTU and 576 bytes.
• The DF bit should not be set on datagrams sent on a path whose PMTU is unknown.
• Search for the most accurate value of the PMTU of the path: keep sending datagrams with a reduced PMTU until ICMP errors for the DF bit are no longer received.
• A host must not reduce its estimate of the PMTU below 68 bytes.
• A host must not increase its estimate of the PMTU in response to the contents of an error message.

2.3.3 Router Specification

When a router cannot forward a datagram because it exceeds the MTU of the next-hop network and the datagram's DF bit is set, the router is required to return an ICMP Destination Unreachable message to the source of the datagram, with the code that indicates "fragmentation needed and DF set". RFC 1191 requires the router to include the MTU of the next hop in a 16-bit field of the error message.
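The following is an added example, not code from the original paper: it builds and parses the "Fragmentation Needed and DF Set" message that sections 2.3.1 to 2.3.3 describe, and runs a sender through Path MTU Discovery against it, including the pre-RFC 1191 router that leaves Next-Hop MTU at zero (handled here with the RFC 1191 plateau table), the 68-byte floor, the rule that a host never raises its estimate on an error, and the MSS + 40 ceiling of section 2.3.4. The hop MTUs, the peer MSS and the routers are simulated in-process; the helper names are mine.

```python
"""Added example (not from the original paper): the ICMP Type 3 / Code 4 message
built and parsed, and an RFC 1191 sender that uses it for Path MTU Discovery.
Hop MTUs, peer MSS and router behaviour are constructed for the demonstration."""
import struct

IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
MIN_PMTU = 68        # RFC 1191: a host must not go below 68 bytes
DEFAULT_MSS = 536    # assumed when the peer announces no MSS option
# RFC 1191 plateau table, used when a router reports Next-Hop MTU = 0
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, MIN_PMTU]


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, orig_datagram: bytes) -> bytes:
    """Router side (2.3.3): Type 3, Code 4, checksum, 16 unused bits, Next-Hop
    MTU, then the offending datagram's IP header plus its first 64 bits of data."""
    quoted = orig_datagram[:IP_HDR + 8]
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def parse_frag_needed(msg: bytes):
    """Host side: returns (next_hop_mtu, quoted original datagram) or raises."""
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _, _, nh_mtu = struct.unpack("!BBHHH", msg[:8])
    if (itype, code) != (3, 4):
        raise ValueError("not a Fragmentation Needed / DF Set message")
    return nh_mtu, msg[8:]


def next_pmtu(current: int, next_hop_mtu: int) -> int:
    """RFC 1191 host rules: never raise the estimate because of an error message,
    never go below 68, and with Next-Hop MTU = 0 (old router) step down the
    plateau table instead of guessing."""
    if 0 < next_hop_mtu < current:
        return max(next_hop_mtu, MIN_PMTU)
    if next_hop_mtu >= current:      # bogus or stale message: keep the estimate
        return current
    for plateau in PLATEAUS:         # next_hop_mtu == 0
        if plateau < current:
            return plateau
    return MIN_PMTU


def simulate_path(datagram_len: int, hop_mtus, rfc1191_routers=True):
    """Forward a DF datagram hop by hop. Returns None if it is delivered, or the
    ICMP error the first too-small hop sends back (Next-Hop MTU 0 if old router)."""
    placeholder = bytes(datagram_len)            # constructed stand-in datagram
    for mtu in hop_mtus:
        if datagram_len > mtu:
            return build_frag_needed(mtu if rfc1191_routers else 0, placeholder)
    return None


def discover_pmtu(first_hop_mtu, peer_mss, hop_mtus, rfc1191_routers=True, max_rounds=20):
    """Sender side (2.3.1, 2.3.2, 2.3.4): start at the first-hop MTU, never exceed
    the peer's MSS + 40, send with DF set and shrink on every Type 3 / Code 4
    until a datagram is delivered. Returns (pmtu, rounds_needed)."""
    mss = peer_mss if peer_mss else DEFAULT_MSS
    pmtu = min(first_hop_mtu, mss + IP_HDR + TCP_HDR)
    for rounds in range(1, max_rounds + 1):
        err = simulate_path(pmtu, hop_mtus, rfc1191_routers)
        if err is None:
            return pmtu, rounds
        nh_mtu, _ = parse_frag_needed(err)
        pmtu = next_pmtu(pmtu, nh_mtu)
    raise RuntimeError("PMTU discovery did not converge")


if __name__ == "__main__":
    print(discover_pmtu(1500, 1460, [1500, 1006, 1500]))                    # (1006, 2)
    print(discover_pmtu(1500, 1460, [1500, 1280, 1500], rfc1191_routers=False))  # (1006, 3)
```

The second run shows the cost of a router that omits the Next-Hop MTU: the sender has to walk down the plateau table and settles on 1006 bytes even though the real bottleneck is 1280, which is exactly why RFC 1191 made the field mandatory.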
Figure 11: ICMP "Fragmentation Needed and DF Set" message format

 0                   8                   16                              31
 +-------------------+-------------------+-------------------------------+
 | Type = 3          | Code = 4          | Checksum                      |
 +-------------------+-------------------+-------------------------------+
 | unused (zero)                         | Next-Hop MTU                  |
 +---------------------------------------+-------------------------------+
 | IP header + 64 bits of original datagram data                         |
 +-----------------------------------------------------------------------+

• The Next-Hop MTU field should be set to the size, in bytes, of the largest datagram that could be forwarded along the path of the original datagram without being fragmented at this router. The size includes the IP header and the IP data, and does not include any lower-layer headers. Because every router should be able to forward a datagram of 68 bytes without fragmentation, the Next-Hop MTU field should never be less than 68.

2.3.4 The MSS (Maximum Segment Size) Option and Path MTU Discovery

RFC 1191 specifies that a host doing Path MTU Discovery must not send datagrams larger than 576 bytes unless it has received permission from the receiver. When a TCP connection is established, each party announces the maximum amount of data it is willing to receive in a single segment from the remote system, using the MSS option (if one end does not announce an MSS, the other end assumes 536 bytes). The resulting datagram is usually 40 bytes larger than the MSS: 20 bytes of IP header and 20 bytes of TCP header. Most systems set their MSS from the MTU of the interface they use to communicate with the remote system. Each end must not send segments larger than the MSS it received from the other end, regardless of the PMTU. Once the MSS values have been exchanged, the Path MTU Discovery process starts. We send IP datagrams with the DF bit set, which lets us find out whether some point on the path to the destination cannot handle a datagram of MSS + 40 bytes. When such an ICMP error message arrives we reduce the PMTU for the path (based on the Next-Hop MTU field if the router fills it in, otherwise on the rule used by the original implementation) and resend. The segment size derived from the Next-Hop MTU can never exceed the MSS announced by the destination.
When the ICMP Type 3 Code 4 error message arrives, the congestion window does not change, but slow start is initiated. The process continues until we arrive at a correct PMTU for the path (no more ICMP error messages are received from the intermediate routers), which lets us transfer data more efficiently than fragmentation at the IP layer would allow.

3.0 Host Detection Using the ICMP Protocol

Host detection is the process by which a malicious computer attacker determines which hosts on the target network are reachable from the Internet. It belongs to the first stage of information gathering, the scanning stage. The information collected at this stage can lead to an attempt to break into one (or more) of the computers on the target network, if what was collected is enough to give the attacker a possible way in. In this section I discuss host detection methods that use the ICMP protocol, and introduce some techniques in this area. Operating systems do not ship an integrated tool for sending the various ICMP query messages, so we use third-party applications for this. The different ICMP query mechanisms are normally handled by the operating system kernel rather than by a user process: if the ICMP query and reply mechanism is enabled in the operating system, the kernel itself answers the query. Address Mask Request and Reply is a good example of this.

3.1 ICMP Echo (Type 8) and Echo Reply (Type 0)

An ICMP Echo datagram can be used to determine whether a target IP address is alive. The method is to send a simple ICMP Echo request (ICMP Type 8) to the destination system and wait to see whether an ICMP Echo Reply (ICMP Type 0) is received.
If an ICMP Echo Reply is received, the target is alive (a firewall rarely spoofs Echo Replies on behalf of a protected host). If no reply is received, either the ICMP Echo request sent to the target was blocked by a filtering device protecting the network, or the Echo Reply from the target was blocked by that filtering device, or the target host is down. The "ping" utility is the usual way to check whether a host is reachable. The next example shows "ping" between two Linux machines,
one running kernel 2.4.2 (172.18.2.201) and the other kernel 2.2.16 (172.18.2.200):

[root@godfather /root]# ping 172.18.2.200
PING 172.18.2.200 (172.18.2.200) from 172.18.2.201 : 56(84) bytes of data.
64 bytes from 172.18.2.200: icmp_seq=0 ttl=255 time=617 usec
64 bytes from 172.18.2.200: icmp_seq=1 ttl=255 time=2.489 msec
64 bytes from 172.18.2.200: icmp_seq=2 ttl=255 time=2.499 msec
64 bytes from 172.18.2.200: icmp_seq=3 ttl=255 time=2.499 msec

--- 172.18.2.200 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.617/2.026/2.499/0.813 ms
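As an added example, not code from the original paper: the ICMP Echo request that the "ping" run above sent, built by hand with the same identifier (58628), sequence number (768) and 56-byte payload that the trace below shows, together with the check a scanner must make on the Echo Reply before declaring the host alive (Type 0, and the same identifier, sequence number and data echoed back). ping_once() really sends the request on a raw socket, which needs root or CAP_NET_RAW; the other functions run offline on constructed bytes.

```python
"""Added example (not from the original paper): build the Echo request of the
ping run above, derive the Echo Reply a live kernel returns, and match them."""
import socket
import struct
import time


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


# Payload as in the trace: 8 bytes of timestamp followed by 0x08..0x37 (56 bytes)
TRACE_PAYLOAD = bytes.fromhex("829dff3a5c9e0200") + bytes(range(0x08, 0x38))
TRACE_ID, TRACE_SEQ = 58628, 768


def build_echo(icmp_type, ident, seq, payload):
    """Type (8 request / 0 reply), code 0, checksum, identifier, sequence, data."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(msg):
    """Returns (type, code, ident, seq, payload); raises on a truncated or corrupt message."""
    if len(msg) < 8 or icmp_checksum(bytes(msg)) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    t, c, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return t, c, ident, seq, bytes(msg[8:])


def is_reply_to(request, reply):
    """The host counts as alive only if the reply is Type 0 echoing our id, seq and data."""
    _, _, rid, rseq, rdata = parse_icmp(request)
    t, c, ident, seq, data = parse_icmp(reply)
    return (t, c) == (0, 0) and (ident, seq, data) == (rid, rseq, rdata)


def kernel_echo_reply(request):
    """What a responding kernel does: same id, seq and data, Type 0, fresh checksum."""
    _, _, ident, seq, data = parse_icmp(request)
    return build_echo(0, ident, seq, data)


def ping_once(dst, ident=TRACE_ID, seq=TRACE_SEQ, timeout=2.0):
    """Send one Echo request on a raw socket; True if the matching reply arrives.
    Linux hands back the IP header on raw ICMP sockets, so skip IHL*4 bytes first."""
    req = build_echo(8, ident, seq, TRACE_PAYLOAD)
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(req, (dst, 0))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                pkt, _ = s.recvfrom(1500)
            except socket.timeout:
                break
            icmp = pkt[(pkt[0] & 0x0F) * 4:]
            try:
                if is_reply_to(req, icmp):
                    return True
            except ValueError:
                continue            # unrelated or corrupt ICMP: keep waiting
    return False


if __name__ == "__main__":
    print(ping_once("172.18.2.200"))   # needs root and a reachable host
```

The 8-byte ICMP header plus the 56-byte payload gives the 64 bytes that ping reports, and with the 20-byte IP header the 84-byte datagram seen in the trace. Matching on identifier, sequence and payload matters for a scanner: stray Echo Replies from other probes, or from a host that answers every request with a canned reply, must not be counted as the target being up.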
The Snort trace of the exchange:

05/14/01-11:55:[...] 172.18.2.201 -> 172.18.2.200
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:58628   Seq:768  ECHO
82 9D FF 3A 5C 9E 02 00 08 09 0A 0B 0C 0D 0E 0F  ...:\..........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

05/14/01-11:55:30.171542 172.18.2.200 -> 172.18.2.201
ICMP TTL:255 TOS:0x0 ID:769 IpLen:20 DgmLen:84
Type:0  Code:0  ID:58628   Seq:768  ECHO REPLY
82 9D FF 3A 5C 9E 02 00 08 09 0A 0B 0C 0D 0E 0F  ...:\..........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

(Figure: ICMP message layout; only the bit offsets 0, 8 and 16 of the ruler survive on the page.)

Countermeasure: Block ICMP Echo requests coming into your network from the Internet at your border router or firewall. You can also configure hosts not to answer ICMP Echo requests.

3.2 ICMP Sweep ("Ping" Sweep)

Querying multiple hosts with ICMP Echo requests is known as an ICMP Sweep ("Ping" Sweep). For a small network, "ping" is an acceptable solution for this kind of host detection, but with large networks (such as a Class A or a full Class B) it is quite slow, because "ping" waits for a reply (or for the timeout if no reply arrives) before moving on to the next IP address. fping is a UNIX utility that sends ICMP Echo requests in a round-robin fashion, so it is much faster than the ordinary "ping" tool, and it can be fed a list of IP addresses.
gping is used to generate a list of IP addresses that is piped into fping, or fping reads the list directly from a file, and the ICMP sweep is carried out. fping can also resolve the host names of the probed machines with the -d option. Another UNIX tool that can perform an ICMP sweep in parallel, resolve the host names of the probed machines, save the results to a file, and much more, is nmap, written by Fyodor. For the Microsoft Windows operating system, a well-known ICMP sweep tool is Pinger, which performs the same kind of sweep as fping and nmap and also tries to resolve the names of the probed machines. Name resolution has a drawback for the attacker: it can expose the attacker's IP address in the log files of the authoritative DNS server for the target network. The next example shows nmap used to sweep a Class C network. Our laboratory contains a number of test machines running Microsoft Windows 2000, some Linux-based machines, and several networking devices, all connected to the same network.
The -sP option tells nmap to perform a "ping" scan. The -PI option tells nmap to send real ICMP Echo requests only; by default -sP combines ICMP Echo requests with a TCP ACK host detection technique.

[root@godfather /root]# nmap -sP -PI 172.18.2.1-254

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Host (172.18.2.29) appears to be up.
Host x30.sys-security.com (172.18.2.30) appears to be up.
Host x31.sys-security.com (172.18.2.31) appears to be up.
Host x32.sys-security.com (172.18.2.32) appears to be up.
Host x34.sys-security.com (172.18.2.34) appears to be up.
Host x35.sys-security.com (172.18.2.35) appears to be up.
Host x36.sys-security.com (172.18.2.36) appears to be up.
Host (172.18.2.38) appears to be up.
Host x40.sys-security.com (172.18.2.40) appears to be up.
Host x41.sys-security.com (172.18.2.41) appears to be up.
...
Nmap run completed -- 254 IP addresses (93 hosts up) scanned in 59 seconds

If reverse name resolution fails we only see the IP address; if nmap successfully resolves the host's name we see both the host name and the IP address. To avoid automatic name resolution, use the -n option:

[root@godfather /root]# nmap -n -sP -PI 172.18.2.1-254

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Host (172.18.2.29) appears to be up.
Host (172.18.2.30) appears to be up.
Host (172.18.2.32) appears to be up.
Host (172.18.2.34) appears to be up.
Host (172.18.2.35) appears to be up.
Host (172.18.2.38) appears to be up.
Host (172.18.2.40) appears to be up.
Host (172.18.2.41) appears to be up.
...
Nmap run completed -- 254 IP addresses (93 hosts up) scanned in 32 seconds

As we can see, this is much faster than the run with name resolution. An ICMP sweep should be easily detected by an intrusion detection system, whether it is carried out serially or in parallel.
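As an added example, not part of the original paper: the kind of check an intrusion detection system would run to catch the sweep just shown. It processes log lines in a constructed, Snort-like one-line form (timestamp, source, destination, ICMP type) and flags any source that sends Echo requests to many distinct destinations inside a sliding window. The window and threshold are assumptions for the demonstration; the sample log is constructed here and models a parallel nmap-style burst, a slow serial "ping" loop, and an ordinary four-packet ping that must not be flagged.

```python
"""Added example (not from the original paper): ICMP sweep detection over
constructed log lines. Thresholds and the log format are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """'05/14/01-11:55:30.171542 172.18.2.201 -> 172.18.2.200 ICMP TYPE:8'
    -> (timestamp, src, dst, icmp_type)"""
    ts, src, _, dst, _, typ = line.split()
    return (datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"), src, dst,
            int(typ.split(":")[1]))


def detect_sweeps(lines, window_s=60.0, min_targets=8):
    """Flag sources that send Echo requests (Type 8) to >= min_targets distinct
    destinations within any window_s-second span. A per-source sliding window
    catches both a parallel burst (nmap, fping) and a slow serial ping loop.
    Returns {source: max distinct targets seen in one window}."""
    recent = defaultdict(deque)            # src -> deque of (ts, dst) inside window
    flagged = {}
    for ts, src, dst, typ in sorted(parse_line(l) for l in lines):
        if typ != 8:                       # replies and other ICMP are not probes
            continue
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= min_targets:
            flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def sample_log():
    """Constructed sample: a 20-host burst in 2 seconds, a serial sweep of 10
    hosts at one every 5 seconds, and a plain 4-packet ping with its replies."""
    base = datetime(2001, 5, 14, 11, 55, 30)

    def line(t, src, dst, typ):
        return f"{t.strftime('%m/%d/%y-%H:%M:%S.%f')} {src} -> {dst} ICMP TYPE:{typ}"

    lines = []
    for i in range(1, 21):
        lines.append(line(base + timedelta(milliseconds=100 * i),
                          "172.18.2.201", f"172.18.2.{i}", 8))
    for i in range(1, 11):
        lines.append(line(base + timedelta(seconds=5 * i),
                          "10.0.0.5", f"10.0.1.{i}", 8))
    for i in range(4):
        lines.append(line(base + timedelta(seconds=i),
                          "172.18.2.200", "172.18.2.201", 8))
        lines.append(line(base + timedelta(seconds=i, milliseconds=2),
                          "172.18.2.201", "172.18.2.200", 0))
    return lines


if __name__ == "__main__":
    print(detect_sweeps(sample_log()))       # {'172.18.2.201': 20, '10.0.0.5': 10}
```

The window length is the knob that decides which of the two sweep styles you see: a 10-second window still catches the nmap burst but lets the one-host-every-5-seconds loop through, so a detector that is meant to catch "low and slow" sweeps needs a long window (or a second, longer one) and accepts the extra state that costs.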
Countermeasure: Block ICMP Echo requests sent to your network at your border router or firewall. You can also configure hosts not to answer ICMP Echo requests.

3.3 ICMP Broadcast

A simple way to map the alive hosts on a target network is to send one ICMP Echo request to the broadcast address (or the network address) of the network, which is delivered to every host on it. The alive hosts then send an ICMP Echo Reply to the source IP address (with some conditions, discussed below), so the malicious computer attacker needs to send only a single packet.
This host detection technique works only against some UNIX and UNIX-like operating systems. Microsoft Windows-based machines do not generate an ICMP Echo Reply to an Echo request aimed at the broadcast address or the network address of their network; they are configured not to answer such queries (this applies to all Microsoft Windows versions since Windows NT 4.0). Discarding an ICMP Echo request sent to a broadcast or multicast address is not abnormal behaviour: RFC 1122 states that a host MAY silently discard such requests. The next example shows the behaviour when an ICMP Echo request is sent to the broadcast address of the network. The Linux-based machines in our laboratory (172.18.2.200, 172.18.2.201) and the networking devices (172.18.2.29, 172.18.2.254) answered the query, while the Microsoft Windows 2000 and Microsoft Windows 2000 SP1 machines ignored it:

[root@localhost /root]# ping -b 172.18.2.255
WARNING: pinging broadcast address
PING 172.18.2.255 (172.18.2.255) from 172.18.2.201 : 56(84) bytes of data.
64 bytes from 172.18.2.201: icmp_seq=0 ttl=255 time=6.380 msec
64 bytes from 172.18.2.200: icmp_seq=0 ttl=255 time=6.444 msec (DUP!)
64 bytes from 172.18.2.254: icmp_seq=0 ttl=255 time=6.469 msec (DUP!)
64 bytes from 172.18.2.29: icmp_seq=0 ttl=64 time=6.493 msec (DUP!)
...
--- 172.18.2.255 ping statistics ---
5 packets transmitted, 5 packets received, +15 duplicates, 0% packet loss
round-trip min/avg/max/mdev = 5.629/5.875/6.493/0.299 ms

In the next example an ICMP Echo request is sent to the network address, and a slightly different behaviour is produced.
The Linux machines and the Cisco Catalyst 6500 switch (172.18.2.254) answered the query, while the other networking device did not:

[root@godfather /root]# ping -b 172.18.2.0
WARNING: pinging broadcast address
PING 172.18.2.0 (172.18.2.0) from 172.18.2.201 : 56(84) bytes of data.
64 bytes from 172.18.2.201: icmp_seq=0 ttl=255 time=5.755 msec
64 bytes from 172.18.2.200: icmp_seq=0 ttl=255 time=6.034 msec (DUP!)
64 bytes from 172.18.2.254: icmp_seq=0 ttl=255 time=6.286 msec (DUP!)
...
--- 172.18.2.0 ping statistics ---
3 packets transmitted, 3 packets received, +6 duplicates, 0% packet loss
round-trip min/avg/max/mdev = 4.395/5.185/6.286/0.648 ms

Table 10 below gives a fairly accurate list of which operating systems reply to an ICMP Echo request sent to the broadcast address of their network, and which of them also reply to one sent to the network address.

Countermeasure: Block IP directed broadcasts at your border router. You can also configure hosts not to answer ICMP Echo requests sent to the broadcast address of their network.
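As an added example, not part of the original paper: turning the two broadcast pings above into the per-host view that Table 10 summarises per operating system, that is, which hosts answered the broadcast address, which answered the network address, and therefore what a single directed-broadcast packet reveals to an attacker. The two ping outputs are the ones from the page, lightly normalised and embedded as strings; no packets are sent, and the function names are mine.

```python
"""Added example (not from the original paper): parse `ping -b` output into a
broadcast/network-address response table. Outputs below are the page's own."""
import re

REPLY = re.compile(r"^\d+ bytes from (\d+(?:\.\d+){3}): icmp_seq=(\d+)")

PING_BCAST = """PING 172.18.2.255 (172.18.2.255) from 172.18.2.201 : 56(84) bytes of data.
64 bytes from 172.18.2.201: icmp_seq=0 ttl=255 time=6.380 msec
64 bytes from 172.18.2.200: icmp_seq=0 ttl=255 time=6.444 msec (DUP!)
64 bytes from 172.18.2.254: icmp_seq=0 ttl=255 time=6.469 msec (DUP!)
64 bytes from 172.18.2.29: icmp_seq=0 ttl=64 time=6.493 msec (DUP!)
--- 172.18.2.255 ping statistics ---
5 packets transmitted, 5 packets received, +15 duplicates, 0% packet loss"""

PING_NET = """PING 172.18.2.0 (172.18.2.0) from 172.18.2.201 : 56(84) bytes of data.
64 bytes from 172.18.2.201: icmp_seq=0 ttl=255 time=5.755 msec
64 bytes from 172.18.2.200: icmp_seq=0 ttl=255 time=6.034 msec (DUP!)
64 bytes from 172.18.2.254: icmp_seq=0 ttl=255 time=6.286 msec (DUP!)
--- 172.18.2.0 ping statistics ---
3 packets transmitted, 3 packets received, +6 duplicates, 0% packet loss"""


def responders(ping_output, self_ip):
    """{address: number of replies} for every host that answered at least once.
    The sender's own stack also answers a broadcast ping, which says nothing
    about the network, so it is dropped."""
    seen = {}
    for line in ping_output.splitlines():
        m = REPLY.match(line)
        if m and m.group(1) != self_ip:
            seen[m.group(1)] = seen.get(m.group(1), 0) + 1
    return seen


def ip_key(ip):
    """Sort dotted quads numerically rather than as strings."""
    return tuple(int(o) for o in ip.split("."))


def broadcast_table(bcast_out, net_out, self_ip):
    """Per host: answered the broadcast address, the network address, or both."""
    b, n = responders(bcast_out, self_ip), responders(net_out, self_ip)
    return {ip: {"broadcast": ip in b, "network": ip in n}
            for ip in sorted(set(b) | set(n), key=ip_key)}


def alive_hosts_from_one_packet(table):
    """What the single broadcast Echo request revealed to the attacker."""
    return [ip for ip, t in table.items() if t["broadcast"]]


if __name__ == "__main__":
    table = broadcast_table(PING_BCAST, PING_NET, "172.18.2.201")
    for ip, t in table.items():
        print(f"{ip:16} broadcast={t['broadcast']!s:5} network={t['network']}")
    print("alive via one packet:", alive_hosts_from_one_packet(table))
```

The table also shows the technique's blind spot: the Windows 2000 machines on the same segment never appear, so a broadcast sweep enumerates only the hosts whose stack chooses to answer, and an attacker who stops there undercounts the network.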