How to build forged ICMP "Destination Unreachable" Type 3 Code 4 packet


Problem description


I have created forged destination unreachable ICMP with type 3 and code 4 (fragmentation needed and DF bit is set). My setup has Server, Client, and a switch between them. Ideally this ICMP gets generated by router/gateway but I'm generating this at client. I'm creating this ICMP using Scapy tool. Here is how I'm creating:

from scapy.all import IP, ICMP, TCP, send

ip_server = "192.0.2.10"  # placeholder address of the server
ip_client = "192.0.2.20"  # placeholder address of the client

ip = IP()
icmp = ICMP()
# IP packet sent to the server
ip.dst = ip_server
ip.src = ip_client
ip.proto = 1  # shows that the IP header contains ICMP as data
# ICMP type 3 + code 4
icmp.type = 3
icmp.code = 4
mtu = 1300
icmp.unused = mtu
#
# build the original packet quoted inside the ICMP error (a TCP segment)
#
ip_orig = IP()
ip_orig.src = ip_server
ip_orig.dst = ip_client
tcp_orig = TCP()
tcp_orig.sport = 50000
tcp_orig.dport = 50000
tcp_orig.seq = 0  # placeholder: the original sequence number goes here
#
# send the packet
#
send(ip/icmp/ip_orig/tcp_orig)


Steps I'm following to demonstrate the effect of this ICMP:

  1. Server and client are talking to each other using sockets.
  2. As soon as the server accepts the connection, I'm giving a 60 seconds pause in the machine, during which I disable all the TCP ACKs going out of the client machine (because if the server receives ACKs for the message it sent, then it wouldn't respond to the ICMP).
  3. The server sends its first message to the client but won't receive any ACKs, and the server keeps re-transmitting the message; meanwhile I inject an ICMP message as mentioned in the above Scapy code: send(ip/icmp/ip_orig/tcp_orig). I'm reporting MTU 1300 in the ICMP I'm sending.
  4. Ideally the server should reduce its MTU and send the message back to the client with an MTU size of 1300.


But Server keeps re-transmitting the message with MTU size 1500. Kindly help me with this. Why is server not reducing its MTU? Am I doing something wrong in my demonstration? Any help would be greatly appreciated.

Recommended answer

In this answer and in its comments:

  1. The specification requires that the original IP header that is encapsulated in the ICMP error message (i.e. ip_orig) is exactly identical to the one received. Therefore, setting just its source IP address and destination IP address (i.e. ip_orig.src and ip_orig.dst, respectively) is probably not enough.
  2. The sequence number of the original TCP header that is encapsulated in the ICMP error message (i.e. tcp_orig.seq) should be set as well, since the specification requires that at least 8 bytes of the problematic packet's IP layer payload are included in the ICMP error message.
  3. Verify that path MTU discovery is enabled and that the DF bit is set. You can enable path MTU discovery with sysctl -w net.ipv4.ip_no_pmtu_disc=0.
  4. Verify that there isn't any firewall and/or iptables rule that blocks ICMP messages.
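
Why the quoted header and sequence number matter, as an added example that is not part of the original answer: a simplified model of the checks a sending host can apply to an incoming Type 3 Code 4 message before it lowers its path MTU, including the in-flight sequence-number check recommended in RFC 5927. The function names, the 192.0.2.x addresses and the connection state are constructed for illustration, and checksums are not verified.

```python
import struct
from ipaddress import IPv4Address

def parse_frag_needed(icmp):
    """Return facts about the quoted packet if `icmp` is a Type 3 Code 4 message."""
    if len(icmp) < 8:
        return None
    typ, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    quoted = icmp[8:]
    if (typ, code) != (3, 4) or len(quoted) < 20 or quoted[0] >> 4 != 4:
        return None
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20 or len(quoted) < ihl + 8:
        return None  # must quote the full IP header plus 8 payload bytes
    (flags_frag,) = struct.unpack("!H", quoted[6:8])
    sport, dport, seq = struct.unpack("!HHI", quoted[ihl:ihl + 8])
    return {"mtu": mtu, "proto": quoted[9], "df": bool(flags_frag & 0x4000),
            "src": str(IPv4Address(quoted[12:16])),
            "dst": str(IPv4Address(quoted[16:20])),
            "sport": sport, "dport": dport, "seq": seq}

def matches_connection(q, conn):
    """Sender-side check: does the quoted segment belong to in-flight data?"""
    if q is None or q["proto"] != 6 or not q["df"]:
        return False
    if (q["src"], q["sport"], q["dst"], q["dport"]) != conn["tuple"]:
        return False
    # Accept only snd_una <= seq < snd_nxt, compared modulo 2**32.
    in_flight = (conn["snd_nxt"] - conn["snd_una"]) & 0xFFFFFFFF
    return ((q["seq"] - conn["snd_una"]) & 0xFFFFFFFF) < in_flight

def sample_icmp(seq, df=True, mtu=1300):
    """Constructed sample bytes (checksums left at 0 and not verified here)."""
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x4000 if df else 0,
                        64, 6, 0, IPv4Address("192.0.2.10").packed,
                        IPv4Address("192.0.2.20").packed)
    tcp8 = struct.pack("!HHI", 50000, 50000, seq)  # ports + sequence number
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + iphdr + tcp8

# Constructed connection state as seen by the sending host (hypothetical values).
CONN = {"tuple": ("192.0.2.10", 50000, "192.0.2.20", 50000),
        "snd_una": 1000, "snd_nxt": 2448}

if __name__ == "__main__":
    for label, pkt in [("seq in flight", sample_icmp(1000)),
                       ("seq never sent", sample_icmp(0)),
                       ("DF clear", sample_icmp(1000, df=False)),
                       ("quote truncated", sample_icmp(1000)[:-4])]:
        print(label, "->", matches_connection(parse_frag_needed(pkt), CONN))
```

Only the first sample passes; a quoted segment whose sequence number was never sent, whose DF bit is clear, or whose payload quote is shorter than 8 bytes is rejected by this model.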
