ICMP IP 'ID' Field Error Message Probe |
| Attack Pattern ID: 332 (Detailed Attack Pattern) | Typical Severity: Low | Status: Draft |
DescriptionSummary
An attacker sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. The internet identification field (ID) is typically utilized for reassembling a fragmented packet. RFC791 and RFC815 discusses about IP datagrams, fragmentation and reassembly. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within the ICMP error message. There are 3 behaviors that can be used to distinguish remote operating systems or firmware.
1.The IP ID field is echoed back identically to the bit order of the ID field in the original IP header.
2.The IP ID field is echoed back, but the byte order has been reversed.
2.The IP ID field contains an incorrect or unexpected value.
Different operating systems will respond by setting the IP ID field differently within error messaging. This allows the attacker to construct a fingerprint of specific OS behaviors.
Target Attack SurfaceTarget Attack Surface Description
Targeted OSI Layers: Network Layer
Target Attack Surface Localities
Target Attack Surface Types: Host
Target Functional Services
| Target Functional Service 1: None | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Protocol 1: ICMP | ||||||||||||||||||
| ||||||||||||||||||
Attack PrerequisitesThe ability to send a UDP datagram to a closed port and recieve an ICMP Error Message Type 3, "Port Unreachable.
Related Attack Patterns| Nature | Type | ID | Name | Description | View(s) this relationship pertains to |
|---|---|---|---|---|---|
| ChildOf |  Attack Pattern | 316 | ICMP Fingerprinting Probes | Mechanism of Attack (primary)1000 |
References
