[unisog] RE: ICMP Worm activity?

J. Oquendo sil at infiltrated.net
Mon Nov 22 20:30:55 GMT 2004


> Is anyone aware of worm activity that randomly spoofs the source
> address, and the ICMP type in a DoS?

Offhand I know of no worm that does so, but it would not be a hard thing
to find and modify. I wrote a lame DoS as a proof of concept a while back
that could do it with minor tweaking.

http://www.antioffline.com/TID/tidcmp

ip->saddr = random(); would likely do something funky like what you've
explained.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we
believe that men high in this government are concerting
to deliver us to disaster?" Joseph McCarthy "America's
Retreat from Victory"
