FTR,
from PHRACK issue 57:
<quote>
* TOS field
RFC 1349 defines the usage of the Type-of-Service field with the
ICMP messages. It distinguishes between ICMP error messages
(Destination Unreachable, Source Quench, Redirect, Time Exceeded,
and Parameter Problem), ICMP query messages (Echo, Router
Solicitation, Timestamp, Information request, Address Mask request)
and ICMP reply messages (Echo reply, Router Advertisement, Timestamp
reply, Information reply, Address Mask reply).
...
* An ICMP reply message is sent with the same value in the TOS
field as was used in the corresponding ICMP request message.
Some operating systems will ignore RFC 1349 when sending ICMP echo
reply messages, and will not send the same value in the TOS field as
was used in the corresponding ICMP request message.
</quote>
The usage of such "inconsistencies" is normally referred to as "OS
fingerprinting" and is even used by Cisco products to, e.g., alter the
level of ARR (attack relevancy rating) in IDS automatically.
-Carlos
Carlos G Mendioroz @ 26/04/2009 8:41 -0200 dixit:
> Pavel,
> ..."expect the reply to be also marked with "...
>
> I thought that this was dependent on the system that was replying.
> I don't have a reference, but would have said that this was one
> of the things nmap and others use to tell what OS is at the remote side.
>
> -Carlos
>
> Pavel Bykov @ 26/04/2009 4:55 -0200 dixit:
>> Along with good pointers others are giving remember that ICMP ECHO REPLY
>> will be marked with the same DSCP (and IPP and TOS*). So if you ping with
>> DSCP EF (TOS 184), expect the reply to be also marked with EF/184
>>
>> *almost always, except for ECN marked traffic. If the incoming DS Field
>> would have EC Capable and EC Congestion Experienced bits set, only one or
>> none of the bits would be marked in backwards direction, based on device
>> capability.
>>
>> On Wed, Apr 22, 2009 at 11:07 PM, Modular <modulartx_at_gmail.com> wrote:
>>
>>> I had a thought, (don't laugh, it happens), is it possible to use the TOS setting
>>> in extended Ping to test QOS classification? I did a little research on conversion
>>> of TOS byte setting to IPP or DSCP and the best I could come up with is that
>>> a TOS of 1 or 8 would convert to IPP 1 or DSCP 8? I played around with it
>>> for a while, setting up a policy-map to match DSCP 1, DSCP 8 and IPP 1
>>> and then set to TOS in the extended ping on a different router to 1 and
>>> none of the class maps in the policy map had packet counts greater than 0.
>>>
>>> Either I'm converting TOS to IPP/DSCP wrong or I'm completely off base with
>>> this.?.?
>>>
>>>
>>> Bryan R.
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>
>
-- Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
Received on Mon Apr 27 2009 - 18:49:02 ART
This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:13 ART
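
An added example, not part of any post in this thread: it decodes the TOS byte into IPP, DSCP and ECN (the conversion asked about in the original question) and checks whether an ICMP echo reply carries the same marking as its request, as the quoted RFC 1349 rule describes. The function names and the sample packets are constructed for illustration; DSCP and the full byte are compared separately because of the ECN exception mentioned above.

```python
import struct

def decode_tos(tos):
    """Split the 8-bit TOS / DS byte into IP Precedence, DSCP and ECN."""
    if not 0 <= tos <= 255:
        raise ValueError("TOS is a single byte")
    return {"tos": tos, "ipp": tos >> 5, "dscp": tos >> 2, "ecn": tos & 0x3}

def parse_icmp(packet):
    """Return (tos, icmp_type) from a raw IPv4 packet carrying ICMP."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos = struct.unpack_from("!BB", packet, 0)
    ihl = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) <= ihl:
        raise ValueError("not a usable IPv4 packet")
    if packet[9] != 1:
        raise ValueError("IP protocol is not ICMP")
    return tos, packet[ihl]

def compare_echo(request, reply):
    """Compare TOS marking of an echo request (type 8) and echo reply (type 0).

    DSCP and the full byte are reported separately, because the ECN bits
    may legitimately differ on the return path.
    """
    rq_tos, rq_type = parse_icmp(request)
    rp_tos, rp_type = parse_icmp(reply)
    if rq_type != 8 or rp_type != 0:
        raise ValueError("need an echo request and an echo reply")
    rq, rp = decode_tos(rq_tos), decode_tos(rp_tos)
    return {"request": rq, "reply": rp,
            "dscp_mirrored": rq["dscp"] == rp["dscp"],
            "tos_mirrored": rq["tos"] == rp["tos"]}

def build(tos, icmp_type, src, dst):
    """Constructed sample: 20-byte IPv4 header + 8-byte ICMP header, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 1, 0, bytes(src), bytes(dst))
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

A, B = [192, 0, 2, 1], [192, 0, 2, 2]   # documentation addresses
REQUEST = build(184, 8, A, B)           # ping sent with TOS 184
REPLY_SAME = build(184, 0, B, A)        # responder copies the TOS byte
REPLY_ZERO = build(0, 0, B, A)          # responder resets TOS to 0

if __name__ == "__main__":
    for t in (1, 8, 32, 184):
        print(decode_tos(t))
    print(compare_echo(REQUEST, REPLY_SAME))
    print(compare_echo(REQUEST, REPLY_ZERO))
```

A TOS value of 1 or 8 decodes to DSCP 0 and DSCP 2 respectively, while TOS 32 is the value that corresponds to IPP 1 / DSCP 8.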