issues reg ICMP timestamp and address mask request - TCP-IP


  1. issues reg ICMP timestamp and address mask request

    Greetings,

    I am trying to understand the ICMP timestamp (type 13) queries.
    There is a Unix tool, ICMP Query, that can be used to send ICMP
    type 13 messages (TIMESTAMP) and type 17 messages (ADDRESS MASK
    REQUEST).

    When I am sending ICMP type 13 queries to a Linux and Solaris
    machine, it is giving me the exact time of the remote machine.
    The following result shows that.

    ""
    [root@gdrd5 ~]# icmpquery -t 172.16.1.2
    172.16.1.2 :10:09:56
    [root@gdrd5 ~]# icmpquery -t 172.16.1.2
    172.16.1.2 :10:09:58
    ""

    The result is matching the time on the remote machine.

    But if I send the same request to a Windows machine,
    I am getting results which I am not able to interpret. The
    following are the results on a Windows machine.

    [root@gdrd5 ~]# icmpquery -t 172.16.16.31
    172.16.16.31 : 08:52:31
    [root@gdrd5 ~]# icmpquery -t 172.16.16.31
    172.16.16.31 : 10:07:13
    [root@gdrd5 ~]# icmpquery -t 172.16.16.31
    172.16.16.31 : 19:43:24
    [root@gdrd5 ~]# icmpquery -t 172.16.16.31
    172.16.16.31 : 00:26:59

    Also, I am not getting any result when I am sending
    ICMP type 17 messages (Address Mask), as the
    following result shows.

    [root@gdrd5 ~]# icmpquery -m 172.16.16.31
    [root@gdrd5 ~]# icmpquery -m 172.16.1.2
    [root@gdrd5 ~]# icmpquery -m 172.16.16.25
    Unknown ICMP message received (type 17)

    Are ICMP type 17 messages not supported by OSes these days?
    Because I had stopped the firewall on these systems and
    tried the test. But I am still not getting any reply for the ICMP type 17
    message.

    Please help me in interpreting the ICMP timestamp result from a
    Windows machine, and also the reason why there is no response
    to the ICMP Address Mask request.

    Cheers
    b zaman


  2. Re: issues reg ICMP timestamp and address mask request

    query.cdac@gmail.com writes:

    > But if I send the same request to a Windows machine,
    > I am getting results which I am not able to interpret. The
    > following are the results on a Windows machine.


    First, there's an escape clause in RFC-792 that says the other machine
    doesn't *have* to use a standard timestamp. If so, it's supposed to
    set the high order bit. It's possible that's what's happening here
    (with or without the high order bit set).

    More likely, though, is that the Windows implementation is broken and
    doesn't correctly byte swap the time stamp.

    > Are ICMP type 17 messages not supported by OSes these days?
    > Because I had stopped the firewall on these systems and
    > tried the test. But I am still not getting any reply for the ICMP type 17
    > message.


    Only gateways (er, "routers", I mean) respond to ICMP type 17 messages.
    End systems are actually not supposed to reply to them, although many
    do.

    -don
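
The two explanations in the reply above (the RFC 792 escape clause versus a timestamp sent without a byte swap) can be told apart from the raw reply bytes. The following is an added example, not code from the thread or from icmpquery: it validates a 20-byte ICMP Timestamp Reply and classifies the transmit timestamp. The function names, the constructed sample packets and the "swapped value is a valid time of day" heuristic are assumptions made for illustration.

```python
import struct

MS_PER_DAY = 86_400_000   # RFC 792: timestamps are ms since midnight UT
TIMESTAMP_REPLY = 14      # ICMP type of a Timestamp Reply

def checksum(data: bytes) -> int:   # Internet checksum, even-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(raw: int):
    """Interpret one timestamp field that was read in network byte order."""
    swapped = int.from_bytes(raw.to_bytes(4, "big"), "little")
    if raw < MS_PER_DAY:
        return "standard", raw
    if swapped < MS_PER_DAY:          # heuristic: sender skipped the byte swap
        return "byte-swapped", swapped
    if raw & 0x80000000:              # RFC 792 escape clause: high-order bit set
        return "non-standard", raw & 0x7FFFFFFF
    return "out-of-range", raw

def hms(ms: int) -> str:
    s = ms // 1000
    return f"{s // 3600:02d}:{s // 60 % 60:02d}:{s % 60:02d}"

def parse_reply(msg: bytes) -> dict:
    """Validate a 20-byte ICMP Timestamp Reply and classify its transmit time."""
    if len(msg) != 20 or msg[0] != TIMESTAMP_REPLY or checksum(msg) != 0:
        raise ValueError("not a valid ICMP Timestamp Reply")
    ident, seq, _orig, _recv, xmit = struct.unpack("!4xHHIII", msg)
    kind, ms = classify(xmit)
    clock = hms(ms) if kind in ("standard", "byte-swapped") else None
    return {"id": ident, "seq": seq, "kind": kind, "time": clock}

def build_reply(ts_wire: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed sample: ts_wire is the 4 timestamp bytes as sent on the wire."""
    body = struct.pack("!HHI", ident, seq, 0) + ts_wire + ts_wire
    csum = checksum(struct.pack("!BBH", TIMESTAMP_REPLY, 0, 0) + body)
    return struct.pack("!BBH", TIMESTAMP_REPLY, 0, csum) + body

T = 36_596_000            # constructed value: 10:09:56 UT in ms after midnight
SAMPLES = {
    "network": build_reply(T.to_bytes(4, "big")),
    "swapped": build_reply(T.to_bytes(4, "little")),
    "escape": build_reply((0x80000000 | 12345).to_bytes(4, "big")),
}
for name, pkt in SAMPLES.items():
    print(name, parse_reply(pkt))
```

A byte-swapped value can itself have the high-order bit set when read in network order, so the swap check runs before the escape-clause check; a sender that sets the flag with arbitrary low bits can still be misread by this heuristic.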

  3. Re: issues reg ICMP timestamp and address mask request

    On Sep 12, 3:27 pm, don provan wrote:
    > query.c...@gmail.com writes:
    > > But if I send the same request to a Windows machine,
    > > I am getting results which I am not able to interpret. The
    > > following are the results on a Windows machine.

    >
    > First, there's an escape clause in RFC-792 that says the other machine
    > doesn't *have* to use a standard timestamp. If so, it's supposed to
    > set the high order bit. It's possible that's what's happening here
    > (with or without the high order bit set).
    >
    > More likely, though, is that the Windows implementation is broken and
    > doesn't correctly byte swap the time stamp.
    >
    > > Are ICMP type 17 messages not supported by OSes these days?
    > > Because I had stopped the firewall on these systems and
    > > tried the test. But I am still not getting any reply for the ICMP type 17
    > > message.

    >
    > Only gateways (er, "routers", I mean) respond to ICMP type 17 messages.
    > End systems are actually not supposed to reply to them, although many
    > do.


    Greetings don,

    Thanks for the reply.
    I tried to send ICMP type 17 messages to a router, but it is not
    responding.
    But the router is responding to ICMP Timestamp messages.

    But I got a reply from a Solaris machine when I sent the ICMP type 17
    messages.

    [root@gdrd5 ~]# icmpquery -m 172.16.100.1
    172.16.100.1 : 0xFFFF0000

    Is it that for security reasons most OS vendors disable this feature
    in the OS itself so that it does not respond to ICMP messages? But then
    the question comes: why is Solaris responding to such requests,
    considering that UNIX systems are considered to be secure?
    Please clarify.

    Thanks in advance.

  4. Re: issues reg ICMP timestamp and address mask request

    query.cdac@gmail.com writes:

    > I tried to send ICMP type 17 messages to a router, but it is not
    > responding.


    Well, it's not quite required. Type 17 wasn't in the original ICMP
    spec, so it may have been overlooked, or someone decided it wasn't
    worth it.

    > But the router is responding to ICMP Timestamp messages.


    Timestamp *was* in RFC-792, and that spec generally makes it sound
    like it's required.

    > But I got a reply from a Solaris machine when I sent the
    > ICMP type 17 messages.


    UNIX network code of all stripes tends to be routing capable, and many
    act like routers even when they are not.

    > Is it that for security reasons most OS vendors disable this
    > feature in the OS itself so that it does not respond to ICMP
    > messages?


    That's my understanding, although you seem to be running more into the
    fact that not everything is implemented everywhere.

    > But then the question comes: why is Solaris responding to
    > such requests, considering that UNIX systems are considered to be
    > secure?


    LOL! Good one! No, UNIX networking has historically been something that
    worries more about convenience than security. Of course, there's a
    lot of security on UNIX now in modern systems, but the legacy of
    friendly openness left behind a distinct immunization against being
    anal, so with things such as ICMP that many didn't think were a serious
    threat, most UNIXes tend to respond by default.
    -don

  5. Re: issues reg ICMP timestamp and address mask request

    In article ,
    don provan wrote:

    >> Is it that for security reasons most OS vendors disable this
    >> feature in the OS itself so that it does not respond to ICMP
    >> messages?

    >
    >That's my understanding, although you seem to be running more into the
    >fact that not everything is implemented everywhere.
    >
    >> But then the question comes: why is Solaris responding to
    >> such requests, considering that UNIX systems are considered to be
    >> secure?

    >
    >LOL! Good one! No, UNIX networking has historically been something that
    >worries more about convenience than security. Of course, there's a
    >lot of security on UNIX now in modern systems, but the legacy of
    >friendly openness left behind a distinct immunization against being
    >anal, so with things such as ICMP that many didn't think were a serious
    >threat, most UNIXes tend to respond by default.


    There is sense in that, but I'm concerned by what might be read as
    support for the stupid idea that turning off ICMP responses has anything
    to do with improving system or network security. There are plenty of
    stupid frauds that call themselves security experts and consultants
    that peddle that nonsense. If they were not stupid, they'd stay around
    after getting their victims to turn off all of ICMP to charge for the
    advice to turn back on the ICMP types whose lack causes blackholes and
    other TCP problems.

    Consider what a bad guy can or cannot do depending on whether 17 and 18
    are disabled. Knowing the target's netmasks, a bad guy might play games
    with directed broadcasts. However, the worst that disabled (or
    unsupported) 17 and 18 cause for the bad guy is needing to make fewer
    than a couple dozen guesses. There are some ICMP responses including
    5 that are worrisome, but even they are quite valuable and should not
    be blocked from their legitimate sources.


    Vernon Schryver vjs@rhyolite.com
