Re: usual iploggers miss some variable stealth scans
Subject: Re: usual iploggers miss some variable stealth scans
From: Theo de Raadt (deraadt@CVS.OPENBSD.ORG)
Date: Mon Jan 24 2000 - 00:19:49 CST
- Next message: Brock Sides: "majordomo 1.94.5 does not fix all vulnerabilities"
- Previous message: Jesper M. Johansson: "Re: Windows 2000 Run As... Feature"
- In reply to: antirez: "Re: usual iploggers miss some variable stealth scans"
- Next in thread: Andrea Gho: "Re: usual iploggers miss some variable stealth scans"
- Reply: Theo de Raadt: "Re: usual iploggers miss some variable stealth scans"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
As an aside to this discussion...
> Also it's possible to use the ID field of the IP protocol to check if
> some hosts are Win*, OpenBSD > 2.5 or Other using a few of often not logged
> packets. The Win* ID has different byte ordering, OpenBSD is truly-random
> and others incremental.
OpenBSD does not use a truly random sequence for this. The generator
used produces a non-repeating pseudo-random sequence. It will not
repeat the same number too close to when it was previously used.

We have reused the generator that we use for generating DNS packet
IDs.

Obviously, using a completely random sequence has problems. For
instance, the following sequence _could_ be generated by a
truly-random number generator:

    1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 1 1 1 98 7234

If the generator were to create such a sequence, and they were used as
IP ID values on a succession of packets, it could wreak havoc on
fragment reassembly at the destination.
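
The property described in the message above, as an added example that is not part of the original post and is not OpenBSD's code: it compares independent random 16-bit IDs with a generator that refuses to reuse an ID issued within the last `gap` packets, and measures how close together repeats fall. The rejection-sampling generator, the function names, the 20000-packet run and the 4096-packet window are assumptions chosen for illustration.

```python
import random
from collections import deque

ID_SPACE = 1 << 16  # the IPv4 ID field is 16 bits wide

# The sequence quoted in the message above.
EMAIL_SEQUENCE = [int(x) for x in
                  "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 1 1 1 98 7234".split()]

def truly_random_ids(count, rng):
    """Independent uniform draws; nothing prevents an immediate repeat."""
    return [rng.randrange(ID_SPACE) for _ in range(count)]

def non_repeating_ids(count, rng, gap):
    """Random draws that never reuse an ID issued in the last `gap` packets.
    Hypothetical stand-in (rejection sampling), not OpenBSD's algorithm."""
    recent, banned, out = deque(), set(), []
    while len(out) < count:
        candidate = rng.randrange(ID_SPACE)
        if candidate in banned:
            continue  # used too recently, draw again
        out.append(candidate)
        recent.append(candidate)
        banned.add(candidate)
        if len(recent) > gap:
            banned.discard(recent.popleft())  # oldest ID becomes usable again
    return out

def min_reuse_distance(ids):
    """Fewest packets between two uses of one ID, or None if no ID repeats."""
    last_seen, best = {}, None
    for i, value in enumerate(ids):
        if value in last_seen:
            dist = i - last_seen[value]
            best = dist if best is None else min(best, dist)
        last_seen[value] = i
    return best

def reuses_within(ids, window):
    """Count packets whose ID was also used in the previous `window` packets."""
    last_seen, hits = {}, 0
    for i, value in enumerate(ids):
        if value in last_seen and i - last_seen[value] <= window:
            hits += 1
        last_seen[value] = i
    return hits

if __name__ == "__main__":
    rng = random.Random(2000)  # constructed seed so runs are repeatable
    for name, ids in (("email sequence", EMAIL_SEQUENCE),
                      ("truly random", truly_random_ids(20000, rng)),
                      ("non-repeating", non_repeating_ids(20000, rng, 4096))):
        print(name, min_reuse_distance(ids), reuses_within(ids, 4096))
```

Each reuse counted inside the window is a pair of packets whose fragments the destination could confuse if both were still awaiting reassembly.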
This archive was generated by hypermail 2b27 : Mon Jan 24 2000 - 19:27:38 CST