How to build forged ICMP "Destination Unreachable" Type 3 Code 4 packet
Problem description
I have created a forged destination unreachable ICMP with type 3 and code 4 (fragmentation needed and DF bit is set). My setup has a server, a client, and a switch between them. Ideally this ICMP gets generated by a router/gateway, but I'm generating this at the client. I'm creating this ICMP using the Scapy tool. Here is how I'm creating it:
from scapy.all import IP, ICMP, TCP, send

# ip_server and ip_client hold the server's and the client's IP addresses
ip = IP()
icmp = ICMP()
# outer IP packet, sent from the client to the server
ip.dst = ip_server
ip.src = ip_client
ip.proto = 1  # shows that the IP header contains ICMP as data
# icmp type 3 + code 4
icmp.type = 3
icmp.code = 4
mtu = 1300
icmp.unused = mtu
#
# build the original packet (the server's TCP segment) quoted inside the ICMP error
#
ip_orig = IP()
ip_orig.src = ip_server
ip_orig.dst = ip_client
tcp_orig = TCP()
tcp_orig.sport = 50000
tcp_orig.dport = 50000
tcp_orig.seq = original_sequence_number  # the original sequence number
#
# send the packet
#
send(ip/icmp/ip_orig/tcp_orig)
Steps I'm following to demonstrate the effect of this ICMP:
1> Server and client are talking to each other using sockets.
2> As soon as the server accepts the connection, I'm giving a 60-second pause in the machine, during which I disable all the TCP ACKs going out of the client machine (because if the server receives ACKs for the message it sent, then it wouldn't respond to the ICMP).
3> The server sends its first message to the client but won't receive any ACKs, and the server keeps re-transmitting the message; meanwhile I inject an ICMP message as mentioned in the above Scapy code: send(ip/icmp/ip_orig/tcp_orig). I'm reporting MTU 1300 in the ICMP I'm sending.
4> Ideally the server should reduce its MTU and send the message back to the client with an MTU size of 1300.
But the server keeps re-transmitting the message with MTU size 1500. Kindly help me with this. Why is the server not reducing its MTU? Am I doing something wrong in my demonstration? Any help would be greatly appreciated.
Recommended answer
In this answer and in its comments:
- The specification requires that the original IP header that is encapsulated in the ICMP error message (i.e. ip_orig) is exactly identical to the one received. Therefore, setting just its source IP address and destination IP address (i.e. ip_orig.src and ip_orig.dst, respectively) is probably not enough.
- The sequence number of the original TCP header that is encapsulated in the ICMP error message (i.e. tcp_orig.seq) should be set as well, since the specification requires that at least 8 bytes of the problematic packet's IP layer payload are included in the ICMP error message.
- Verify that path MTU discovery is enabled and that the DF bit is set. You can enable path MTU discovery with sysctl -w net.ipv4.ip_no_pmtu_disc=0.
- Verify that there isn't any firewall and/or iptables rule that blocks ICMP messages.
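The checks in the list above, seen from the receiving host's side: this is an added example (not code from the original post or from any real network stack) that validates an ICMP Type 3 Code 4 message against one tracked TCP flow before its MTU value is trusted. It goes slightly beyond the answer by also checking that the quoted sequence number is in flight and that the MTU is within bounds; the FLOW dictionary, the addresses, the sequence values and MIN_PMTU are constructed assumptions.

```python
import socket
import struct

MIN_PMTU = 68  # assumption: RFC 1191 floor; real stacks may enforce a higher minimum

def ipv4_tcp_quote(src, dst, sport, dport, seq, df=True, total_len=1500):
    """Constructed sample: IPv4 header plus the first 8 TCP bytes, as quoted in an ICMP error."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000 if df else 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHI", sport, dport, seq)

def frag_needed(mtu, quote):
    """ICMP type 3 code 4: type, code, checksum (left 0), unused, next-hop MTU, quote."""
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quote

def check_frag_needed(icmp, flow):
    """Return (accepted, reason) for one ICMP message against one tracked TCP flow."""
    if len(icmp) < 8 + 20 + 8:
        return False, "truncated quote"
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (3, 4):
        return False, "not fragmentation-needed"
    vihl, _, _, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", icmp[8:28])
    tcp_off = 8 + (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or (vihl & 0x0F) < 5 or len(icmp) < tcp_off + 8:
        return False, "malformed quoted IP header"
    sport, dport, seq = struct.unpack("!HHI", icmp[tcp_off:tcp_off + 8])
    quoted = (proto, socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport)
    if quoted != (6, flow["laddr"], flow["lport"], flow["raddr"], flow["rport"]):
        return False, "quote does not match a packet this host sent"
    if not frag & 0x4000:
        return False, "quoted packet had DF clear"
    in_flight = (flow["snd_nxt"] - flow["snd_una"]) % 2**32
    if (seq - flow["snd_una"]) % 2**32 >= in_flight:
        return False, "quoted sequence number not in flight"
    if not MIN_PMTU <= mtu < flow["pmtu"]:
        return False, "next-hop MTU out of range"
    return True, "lower path MTU to %d" % mtu

# Constructed flow state as seen by the sender (the server in the question).
FLOW = {"laddr": "192.0.2.10", "lport": 50000, "raddr": "192.0.2.20", "rport": 50000,
        "snd_una": 1000, "snd_nxt": 2448, "pmtu": 1500}
```

Logging the rejection reason per message gives a direct signal for spotting off-path ICMP that quotes packets the host never sent.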