Welcome to Cyborg's ICMP Section


Release 0.2

Why should we watch ICMP,
it's just an Internet Control Message Packet?

That's right, an ICMP packet does not transport data, and we could not be exploited by an ICMP packet. But ICMP is often used to contact a hacked host, because it is an unshiny and unsuspicious packet. Almost all DDoS clients use ICMP, or other rarely used packet types, to transport information from one host to another.

ICMPWatch 1.02 is a small tool which catches every ICMP packet that is sent to your computer and outputs the header of the IP packet like tcpdump does (but not with the same layout). I would be happy if I could get the OUTGOING ICMPs too without using miami.libs, which is not usable with other stacks, so that is not implemented yet. Any suggestions (working for all stacks!) are welcome.

Warning: incoming pings are handled by Miami alone!

The output is logged to amitcp:log/icmp.log, but the file is not accessible while the daemon is running. STDOUT is used to inform the user about what is happening right now. I wondered when Miami says "floodping detected"; next time I will see what happens.

run <>nil: icmpwatch >kcon://640/30/icmpwatch/AUTO/WAIT/CLOSE

IcmpWatch is potentially able to analyse the ICMP data to tell whether it is a normal packet for communication or whether the packet is used to transport data. Each OS uses a different algorithm to fill the payload of, for example, a ping. If the data does not match one of these signatures, it could (!) have been sent by a DDoS program. Whether it was or not is a statistical question and can only be answered after sending a lot of pings to and from different machines.

CMSG:

Everyone can now check the common technique used in DDoS with your Amiga. Admins, don't panic, it's harmless. CMSG is the sender, icmpwatch the receiver. It's totally easy to use and a very nice tool for internet communication.
Syntax: cmsg ip.a.dd.r Text to send (max. 236 bytes)

Icmpwatch has to be started at the destination IP first, and you need cmsg there to answer the incoming messages. cmsg sends unencrypted text messages through a firewall. This can only happen if you, the admin of that firewall, let echo-reply in and out. You will be upset when you check the communication of cmsg with tcpdump, because you won't see any suspicious data! Dump it to a file with snaplen 256 set and examine it there!
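The two checks described above (whether a ping payload matches a known OS fill pattern, and whether an echo-reply arrives that no request asked for) can be written down as a small decoder. The following is an added example for this page, not the IcmpWatch or CMSG code; it assumes the default iputils ping payload pattern (byte i holds the value i once past the leading timestamp) and the 32-byte Windows ping payload, and the packets it inspects are constructed inline rather than captured.

```python
import socket
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Default payload of the Windows ping command (assumption, 32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum; returns 0 for a correctly checksummed buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(packet):
    """Decode a raw IPv4 frame carrying ICMP; raises ValueError on anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or total_len > len(packet) or total_len < ihl + 8:
        raise ValueError("not a complete ICMP packet")
    icmp = packet[ihl:total_len]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "type": itype, "code": code, "id": ident, "seq": seq,
        "payload": icmp[8:],
    }


def looks_like_linux_ping(payload):
    # Assumption: iputils ping fills payload byte i with the value i and then
    # overwrites the first 8 or 16 bytes with a timestamp, so from offset 16
    # onward the bytes must read 0x10, 0x11, ... up to the end.
    if len(payload) < 24:
        return False
    return all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))


def classify(pkt, outstanding_requests=frozenset()):
    """Label an echo packet: known ping signature, unsolicited reply, or text payload."""
    if pkt["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "other-icmp"
    # A reply whose (id, seq) was never sent out is the pattern this page warns about.
    if pkt["type"] == ICMP_ECHO_REPLY and (pkt["id"], pkt["seq"]) not in outstanding_requests:
        return "suspicious:unsolicited-echo-reply"
    payload = pkt["payload"]
    if looks_like_linux_ping(payload):
        return "ping:linux-pattern"
    if payload == WINDOWS_PING_PAYLOAD:
        return "ping:windows-pattern"
    printable = sum(32 <= b < 127 for b in payload)
    if payload and printable / len(payload) > 0.9:
        return "suspicious:text-payload"
    return "unknown-pattern"


def build_echo(src, dst, itype, ident, seq, payload):
    """Constructed sample frame (IPv4 + ICMP) with valid checksums, for offline tests."""
    icmp = struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000,
                     64, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


if __name__ == "__main__":
    # Constructed samples: a Linux-style ping request and a text-bearing echo reply.
    linux_ping = bytes.fromhex("5f3c2a1800012345") + bytes(range(8, 56))
    for frame in (build_echo("10.0.0.2", "10.0.0.1", ICMP_ECHO_REQUEST, 0x1234, 1, linux_ping),
                  build_echo("10.0.0.2", "10.0.0.1", ICMP_ECHO_REPLY, 0x4242, 7, b"meet at 23:00, same place")):
        pkt = parse_ipv4_icmp(frame)
        print(pkt["src"], "->", pkt["dst"], "type", pkt["type"], classify(pkt))
```

On a real host the frames would come from a raw socket or a pcap file written with a snaplen large enough to hold the payload (the page's tcpdump advice); the fill-pattern check is only as good as the signature table, which is exactly why the author asks for dumps from more operating systems.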

Licence for cmsg

CMSG taken from the Amiga Security Page http://www.oocities.org/SiliconValley/Bride/5737/security.html
********************************************************************
This software is for TESTING only! It's ILLEGAL TO USE the code of CMSG without letting me know! The routines, concept and algorithms used in this program are copyrighted. In clear words: it's MINE! You are allowed to use this piece of software to develop a protection against its underlying mechanisms only. Further, you are allowed to use it to check your firewall (your OWN firewall!).
What it can do: it penetrates firewalls that reject ICMP Echo Request packets but allow ICMP Echo Reply packets. It can be used to communicate through firewalls undetected by programs like TCPDUMP. To make use of it you need the new version of icmpwatch. I could have encrypted the transported data, but that's against the spirit of checking and testing only. REMEMBER: disassembling the code is not needed, just dump the network traffic to a file and examine it there. If you are not smart enough to rebuild it yourself, you are not the correct person to handle it!
Cyborg - http://www.oocities.org/SiliconValley/Bride/5737/security.html

IcmpWatch is not able to find DDoS attacks!

Even if you think that icmpwatch can handle DDoS packets, that's not entirely true. The DDoS technique I used to demonstrate it is adjusted to icmpwatch. DDoS tools normally do NOT use UNENCRYPTED packets. Icmpwatch will tell you about any incoming packet that reaches the icmpwatch raw port. It's your turn to check out what it is. If you are willing to help, send in as many ICMP dumps as you can find, from HP-UX to IOS, Linux and BeOS.

Update:
Version changes
1.02 reworked decoder routine, bugs removed; NODECODE and NOCMSG added as options
1.01 added decode routine for CMSG
1.00 forgot to add a date/time output to icmpwatch - fixed

Send Mail to Cyborg