icmp scans - what about fragmented ICMP packets ?

Darren Reed darrenr@reed.wattle.id.au
Fri, 13 Nov 1998 20:12:10 +1100 (EST)


In some email I received from Pawel Maciejewski, sie wrote:
> 
> Hello again
> 
> I wonder whether it is possible (and useful) to fragment ICMP packets (e.g. ICMP
> echo request). Some firewalls (like sinus 0.2.9 if I'm not wrong) don't
> like fragmented packets at all - if they don't know what to do with them,
> they just drop them or let them pass (of course it may also depend on a few other
> things, e.g. kernel configuration). So it can be a really nice way to scan
> which hosts are alive behind the wall (when the wall has blocked all
> incoming ICMP packets, but lets fragmented packets pass), and can be a
> background for a next stage of attack.

any packets which are fragmented within the transport header, regardless of
the protocol, should be treated the same.

darren

p.s. please watch how big your cc lists get.
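
Added example, not part of the original message and not code from any firewall named in the thread: a filter-side check in C that applies the reply's rule, flagging any IPv4 fragment that splits the transport header with one test for ICMP, TCP and UDP alike. The function names, verdict names, minimum header lengths (ICMP 8, TCP 20, UDP 8) and the sample packets are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { NOT_FRAGMENT, FRAG_OK, FRAG_IN_HEADER, MALFORMED };

/* Bytes of transport header a filter must see before it can apply its rules (example's choice). */
static size_t min_transport_hdr(uint8_t proto) {
    switch (proto) {
    case 1:  return 8;   /* ICMP: type, code, checksum, id, sequence */
    case 6:  return 20;  /* TCP: fixed header without options */
    case 17: return 8;   /* UDP */
    default: return 0;   /* other protocols: no requirement in this example */
    }
}

/* Classify one raw IPv4 packet; the same rule is applied whatever the protocol. */
enum verdict classify_fragment(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len) return MALFORMED;
    unsigned frag = ((unsigned)pkt[6] << 8) | pkt[7];
    size_t offset = (size_t)(frag & 0x1fff) * 8;      /* fragment offset in bytes */
    if (!(frag & 0x2000) && offset == 0) return NOT_FRAGMENT;
    size_t need = min_transport_hdr(pkt[9]);
    size_t payload = total - ihl;
    /* First fragment that ends before the transport header does. */
    if (offset == 0 && payload < need) return FRAG_IN_HEADER;
    /* Later fragment that starts inside the transport header. */
    if (offset > 0 && offset < need) return FRAG_IN_HEADER;
    return FRAG_OK;
}

/* Constructed sample input: 20-byte IPv4 header (documentation addresses), zeroed payload <= 40 bytes. */
enum verdict sample(uint8_t proto, uint16_t frag_field, size_t payload) {
    uint8_t p[60] = {0x45, 0, 0, 0, 0, 1, 0, 0, 64, 0, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2};
    p[3] = (uint8_t)(20 + payload); p[9] = proto;
    p[6] = (uint8_t)(frag_field >> 8); p[7] = (uint8_t)(frag_field & 0xff);
    return classify_fragment(p, 20 + payload);
}

int main(void) {
    printf("whole ICMP echo:           %d\n", sample(1, 0x0000, 8));
    printf("ICMP first frag, 4 bytes:  %d\n", sample(1, 0x2000, 4));
    printf("TCP frag at offset 8:      %d\n", sample(6, 0x0001, 8));
    printf("UDP frag at offset 8:      %d\n", sample(17, 0x2001, 8));
    return 0;
}
```

A filter would drop or log anything classified as FRAG_IN_HEADER and reassemble or statefully track the rest before applying its ICMP, TCP or UDP rules.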