Tuesday, May 26, 2015

Common ICMP messages seen on a firewall

ICMP type 11 Time exceeded message:

Code  Description
0     Time to live (TTL) equals 0 during transit.
1     Fragment reassembly timeout (packet reassembly timed out).

Code 0 explanation
If the gateway processing a datagram finds the time to live field is zero it must discard the datagram. The gateway may also notify the source host via the time exceeded message.
Code 0 may be received from a gateway

On firewall logs we often see ICMP type 11 code 0 messages arriving from outside. As explained above, while routers are forwarding a packet, once its TTL reaches 0 the router drops the packet and replies to the source host with an ICMP type 11 code 0 message.
This situation occurs on DNS servers: an attacker forges the source IP and sends queries to the DNS server, and the DNS server sends the query result back to that source IP. Because the source IP does not exist, the packet is forwarded by routers until its TTL reaches 0, at which point it is dropped and an ICMP type 11 code 0 message is sent to the originating host, indicating that the packet could not be delivered and reporting this to the source IP.

ICMP type 3 Destination Unreachable

Code    Description
0       Network unreachable error. The router cannot deliver the packet to the destination address, usually because it cannot forward the packet to a next hop according to its routing table, so it sends a network unreachable message.
1       Host unreachable error. Sent by a router or gateway, usually when a specific host on that network segment cannot be reached.
2       Protocol unreachable error (protocol error, cannot be delivered). Sent when the designated transport protocol is not supported.
3       Port unreachable error (the port cannot be reached). Sent when the designated transport protocol is unable to demultiplex the datagram but has no protocol mechanism to inform the sender.
4       The datagram is too big. Packet fragmentation is required but the DF bit in the IP header is set.
5       Source route failed error.
6       Destination network unknown error.
7       Destination host unknown error.
8       Source host isolated error. Obsolete.
9       The destination network is administratively prohibited.
10      The destination host is administratively prohibited.
11      The network is unreachable for Type Of Service.
12      The host is unreachable for Type Of Service.
13      Communication Administratively Prohibited. This is generated if a router cannot forward a packet due to administrative filtering.
14      Host precedence violation. Sent by the first hop router to a host to indicate that a requested precedence is not permitted for the particular combination of source/destination host or network, upper layer protocol, and source/destination port.
15      Precedence cutoff in effect. The network operators have imposed a minimum level of precedence required for operation; the datagram was sent with a precedence below this level.
16-255
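Both tables above describe what a firewall log shows, but the useful part of an ICMP type 11 or type 3 message for an analyst is the datagram it quotes: RFC 792 requires the error to carry the original IP header plus the first 8 bytes of its payload, which is enough to see which of your own packets provoked it (for the DNS case above, a UDP reply from source port 53 on your DNS server). The following Python script is an added example, not code from the original post; it decodes an ICMP error, verifies the RFC 1071 checksum, maps type/code to the descriptions in the tables, extracts the quoted datagram, and flags the "TTL expired on a DNS reply" pattern. The sample packet, the addresses 192.0.2.53 and 198.51.100.7, and the function names are all constructed for the example.

```python
import struct

# Descriptions taken from the two tables above (type 11 and type 3).
ICMP_DESCRIPTIONS = {
    (11, 0): "Time exceeded: TTL equals 0 during transit",
    (11, 1): "Time exceeded: fragment reassembly timeout",
    (3, 0): "Destination unreachable: network unreachable",
    (3, 1): "Destination unreachable: host unreachable",
    (3, 2): "Destination unreachable: protocol unreachable",
    (3, 3): "Destination unreachable: port unreachable",
    (3, 4): "Destination unreachable: fragmentation needed but DF set",
    (3, 5): "Destination unreachable: source route failed",
    (3, 6): "Destination unreachable: destination network unknown",
    (3, 7): "Destination unreachable: destination host unknown",
    (3, 8): "Destination unreachable: source host isolated (obsolete)",
    (3, 9): "Destination unreachable: network administratively prohibited",
    (3, 10): "Destination unreachable: host administratively prohibited",
    (3, 11): "Destination unreachable: network unreachable for TOS",
    (3, 12): "Destination unreachable: host unreachable for TOS",
    (3, 13): "Destination unreachable: communication administratively prohibited",
    (3, 14): "Destination unreachable: host precedence violation",
    (3, 15): "Destination unreachable: precedence cutoff in effect",
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_error(icmp: bytes) -> dict:
    """Decode an ICMP type 3 / type 11 error and the datagram it quotes."""
    if len(icmp) < 8:
        raise ValueError("ICMP header truncated")
    if internet_checksum(icmp) != 0:
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type not in (3, 11):
        raise ValueError("not an ICMP error message: type %d" % icmp_type)
    result = {
        "type": icmp_type,
        "code": code,
        "description": ICMP_DESCRIPTIONS.get((icmp_type, code), "unknown code"),
    }
    # Bytes 8.. hold the quoted original IP header (+ at least 8 payload bytes).
    inner = icmp[8:]
    if len(inner) < 20:
        return result                      # quoted header missing or cut short
    ihl = (inner[0] & 0x0F) * 4            # IHL is in 32-bit words
    proto = inner[9]
    result["inner_src"] = ".".join(str(b) for b in inner[12:16])
    result["inner_dst"] = ".".join(str(b) for b in inner[16:20])
    result["inner_proto"] = proto
    transport = inner[ihl:ihl + 8]
    if proto in (6, 17) and len(transport) >= 4:   # TCP or UDP: ports first
        result["inner_sport"], result["inner_dport"] = struct.unpack("!HH", transport[:4])
    return result


def looks_like_dns_reply_bounce(parsed: dict, our_dns_server: str) -> bool:
    """True when the quoted datagram is a UDP/53 reply sent by our own DNS server
    whose TTL expired in transit (the pattern described in the post)."""
    return (parsed["type"] == 11 and parsed["code"] == 0
            and parsed.get("inner_proto") == 17
            and parsed.get("inner_src") == our_dns_server
            and parsed.get("inner_sport") == 53)


def build_sample() -> bytes:
    """Constructed ICMP type 11 code 0 quoting a UDP/53 reply from 192.0.2.53
    to 198.51.100.7 (a hypothetical spoofed query source)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 0, 17, 0,
                           bytes([192, 0, 2, 53]), bytes([198, 51, 100, 7]))
    inner_udp = struct.pack("!HHHH", 53, 40000, 20, 0)
    body = struct.pack("!BBHI", 11, 0, 0, 0) + inner_ip + inner_udp   # checksum 0
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


if __name__ == "__main__":
    info = parse_icmp_error(build_sample())
    print(info)
    print("DNS reply bounce:", looks_like_dns_reply_bounce(info, "192.0.2.53"))
```

The checksum check matters in practice: firewalls and scrubbing devices sometimes truncate or rewrite quoted datagrams, and a failed checksum tells you the log entry cannot be trusted to identify the original packet.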



Sunday, May 3, 2015

Cisco NTP access type

IOS router defines the following four types of access for NTP:
1) Peer – permits router to respond to NTP requests and accept NTP updates. NTP control queries are also accepted. This is the only class which allows a router to be synchronized by other devices.
2) Serve – permits router to reply to NTP requests, but rejects NTP updates (e.g. replies from a server or update packets from a peer). Control queries are also permitted.
3) Serve-only – permits router to respond to NTP requests only. Rejects attempts to synchronize local system time, and does not accept control queries.
4) Query-only – only accepts NTP control queries. No response to NTP requests is sent, and no local system time synchronization with remote system is permitted.
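As an added example (not from the original post), the four access classes applied on an IOS router with standard ACLs. The addresses are constructed documentation addresses and the ACL numbers are arbitrary:

```cisco
! Constructed example: one upstream time source, one downstream device,
! an internal client subnet, and a monitoring host.
!
! peer: the only class that may synchronize this router's clock
access-list 10 permit 192.0.2.10
! serve: gets time replies and control queries, cannot update our clock
access-list 20 permit 192.0.2.20
! serve-only: internal clients get time replies, nothing else
access-list 30 permit 10.0.0.0 0.0.0.255
! query-only: monitoring host may send control queries only
access-list 40 permit 10.0.1.5
!
ntp server 192.0.2.10
ntp access-group peer 10
ntp access-group serve 20
ntp access-group serve-only 30
ntp access-group query-only 40
```

IOS evaluates the groups in the order peer, serve, serve-only, query-only and applies the first match. With no access groups configured every class is open to everyone, so the upstream source listed under `ntp server` must pass the peer ACL or the router will never synchronize once any access group exists.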