myNetWatchman KnowledgeBase
Created: 10-Apr-2001
Modified: 10-Apr-2001
By: Lawrence Baldwin
I had been wondering how much protection personal firewalls provide against potential attacks that target non-standard IP protocol types. Below is an IP-within-IP Encapsulation Protocol packet (IP Protocol = 94) which I received today... my personal firewall didn't even log it... I just happened to have my analyzer running and caught it.

Pretty neat to see TWO IP headers in one packet. I have no idea exactly what uses this protocol (suspect some kind of VPN or tunneling product) nor what vulnerabilities this person might be looking for.
Note: My connection is PPPoE over ADSL (hence the PPP headers below).
Frame Status Source Address Dest. Address Size Rel. Time Delta Time Abs. Time Summary
33 [192.204.142.21] [208.61.48.60] 153 0:01:43.372 0.036.107 04/10/2001 03:52:41 PM IP: D=[60.22.0.0] S=[80.24.71.206] LEN=1625 ID=55186
DLC: ----- DLC Header -----
DLC:
DLC: Frame 33 arrived at 15:52:41.3128; frame size is 153 (0099 hex) bytes.
DLC: Destination = Station Intel 22B210
DLC: Source = Station 001067008D8A
DLC: Ethertype = 8864
DLC:
PPPOE: ----- PPPoE Header -----
PPPOE:
PPPOE: Ethernet Type= (0x8864) "PPP Session Stage"
PPPOE: Version = 1
PPPOE: Type = 1
PPPOE: Code = 0
PPPOE: Session ID = 12347
PPPOE: Payload length = 133
PPPOE: --- Payload In Session Stage---
PPPOE:
PPP: ----- Point-to-Point Protocol -----
PPP:
PPP: Protocol = 0021 (Internet)
PPP:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
IP: .... ...0 = CE bit - no congestion
IP: Total length = 131 bytes
IP: Identification = 2987
IP: Flags = 0X
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 240 seconds/hops
IP: Protocol = 94 (IPIP)
IP: Header checksum = 6F16 (correct)
IP: Source address = [192.204.142.21]
IP: Destination address = [208.61.48.60]
IP: No options
IP:
IP: ----- IP Header -----
IP:
IP: Version = 0, header length = 20 bytes
IP: Version number should be 4!
IP: Type of service = 48
IP: 010. .... = immediate
IP: ...0 .... = normal delay
IP: .... 1... = high throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
IP: .... ...0 = CE bit - no congestion
IP: Total length = 1645 bytes
IP: Identification = 55186
IP: Flags = 8X
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 27664 bytes
IP: Time to live = 6 seconds/hops
IP: Protocol = 117 (?)
IP: Header checksum = 0FBD, should be B4C3
IP: Source address = [80.24.71.206]
IP: Destination address = [60.22.0.0]
IP: No options
IP:
ADDR HEX ASCII
0000: 00 a0 c9 22 b2 10 00 10 67 00 8d 8a 88 64 11 00 | ..."....g....d..
0010: 3b 30 00 85 00 21 45 00 00 83 0b ab 00 00 f0 5e | ;0...!E........^
0020: 6f 16 c0 cc 8e 15 d0 3d 30 3c 05 48 06 6d d7 92 | o......=0<.H.m..
0030: 8d 82 06 75 0f bd 50 18 47 ce 3c 16 00 00 3a 7d | ...u..P.G.<...:}
0040: e0 7e bc 0e 05 15 08 a6 64 29 6f 1d 89 c5 ed bf | .~......d)o.....
0050: 29 30 88 c9 ab 12 e7 89 55 93 3a 0b 55 14 9a b0 | )0......U.:.U...
0060: e4 32 92 e0 c1 c1 fa 70 c9 07 1a c2 25 1c e6 85 | .2.....p....%...
0070: 22 44 27 d6 63 a0 bd 80 8c 28 7d af d4 7d 72 74 | "D'.c....(}..}rt
0080: 8e 1c 41 23 6c 51 e0 bc a9 3d 2d d4 56 c6 37 98 | ..A#lQ...=-.V.7.
0090: 57 14 18 48 af bc 88 37 f3 | W..H...7.
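As an added example (not part of the original post or of any myNetWatchman tool), the Python below re-parses the 153-byte frame from the hex dump above: it walks Ethernet, PPPoE and PPP to the outer IPv4 header, notices protocol 94, and decodes the encapsulated header the way the analyzer did, reproducing its findings (version 0 instead of 4, checksum 0FBD where B4C3 is expected, a total length far larger than the 111 bytes actually present). The frame bytes are exactly those in the dump; the constant and function names are my own.

```python
import struct

# 153-byte frame from this page's hex dump: Ethernet / PPPoE / PPP / IPv4 proto 94 / 111 payload bytes.
FRAME = bytes.fromhex(
    "00a0c922b210001067008d8a88641100" "3b3000850021450000830bab0000f05e"
    "6f16c0cc8e15d03d303c0548066dd792" "8d8206750fbd501847ce3c1600003a7d"
    "e07ebc0e051508a664296f1d89c5edbf" "293088c9ab12e78955933a0b55149ab0"
    "e43292e0c1c1fa70c9071ac2251ce685" "224427d663a0bd808c287dafd47d7274"
    "8e1c41236c51e0bca93d2dd456c63798" "57141848afbc8837f3")
ETHERTYPE_PPPOE_SESSION, PPP_PROTO_IPV4, IPPROTO_IPIP = 0x8864, 0x0021, 94

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement checksum, computed with the checksum field zeroed."""
    data = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(buf: bytes) -> dict:
    """Decode one IPv4 header and record the sanity checks it fails."""
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    hdr_len = max((ver_ihl & 0x0F) * 4, 20)  # clamp a bogus IHL; checksum still covers 20 bytes
    expected = ip_checksum(buf[:hdr_len])
    anomalies = []
    if ver_ihl >> 4 != 4:
        anomalies.append("version %d, expected 4" % (ver_ihl >> 4))
    if csum != expected:
        anomalies.append("checksum %04X, should be %04X" % (csum, expected))
    if total_len > len(buf):
        anomalies.append("total length %d > %d bytes present" % (total_len, len(buf)))
    return {"version": ver_ihl >> 4, "proto": proto, "total_len": total_len,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "checksum": csum, "anomalies": anomalies, "payload": buf[hdr_len:total_len]}

def analyze_frame(frame: bytes) -> dict:
    """Walk Ethernet -> PPPoE -> PPP -> IPv4; decode the inner header when proto is 94."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame")
    ver_type, code, _session, length = struct.unpack("!BBHH", frame[14:20])
    if (ver_type, code) != (0x11, 0) or struct.unpack("!H", frame[20:22])[0] != PPP_PROTO_IPV4:
        raise ValueError("unexpected PPPoE/PPP header")
    outer = parse_ipv4(frame[22:22 + length - 2])  # PPPoE length counts the 2-byte PPP protocol
    inner = parse_ipv4(outer["payload"]) if outer["proto"] == IPPROTO_IPIP else None
    return {"outer": outer, "inner": inner}

if __name__ == "__main__":
    print(analyze_frame(FRAME)["inner"]["anomalies"])
```

A filter that only inspects TCP, UDP and ICMP passes a frame like this untouched; checking the protocol number and the plausibility of any inner header, as above, at least gives the defender something to log.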