Bugtraq mailing list archives
more about IP ID
From: antirez () INVECE ORG (antirez () INVECE ORG)
Date: Sat, 20 Nov 1999 18:53:14 +0100
Hi, some little new ideas about the IP ID issue:

The first is about Linux firewalling: since it increases the IP ID global counter even if an outgoing packet will be filtered, we are able, for example, to scan UDP ports even if ICMP type 3 output is DENY, and in general it is possible to know when the TCP/IP stack replies to a packet even if the reply is dropped. I think (but have not tested) that this is true for almost all firewalls.

The second issue concerns the ability to uncover firewall rules. For example, it is trivial to know if host A filters packets from the IP X.Y.Z.W by monitoring the IP ID increase of host A or of the host with the X.Y.Z.W address (this changes depending on whether we are interested in input or output rules) and sending packets that should produce some reply. This is also related to the ability to scan the ports of hosts that drop all packets with a source different from host.trusted.com.

There is other stuff like this, but these are only different faces of the same concepts. Some people think that this kind of attack isn't a "real world" attack; I'm strongly interested to know what Bugtraq readers' opinion is (IMO this kind of attack is feasible and useful for an attacker. For example, the ability to scan ports with only spoofed packets and the ability to guess remote hosts' traffic are very real).

ciao,
antirez
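
The following is an added example, not part of antirez's post: a defender's check for the behaviour the message describes, which takes the IP ID values seen in successive replies from a host you administer and reports whether the field is sequential and what the gaps expose. The function names, the `max_step` threshold and the sample sequences are assumptions constructed for illustration.

```python
MOD = 1 << 16  # the IPv4 Identification field is 16 bits wide


def deltas(ids):
    """Differences between consecutive IP IDs, modulo 2**16 (handles wraparound)."""
    return [(b - a) % MOD for a, b in zip(ids, ids[1:])]


def byteswap(v):
    """Swap the two bytes of a 16-bit value (counter emitted in host byte order)."""
    return ((v & 0xFF) << 8) | (v >> 8)


def classify(ids, max_step=64):
    """Classify IP IDs taken from successive replies of one host.

    max_step is an assumed upper bound on packets sent between two samples.
    """
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    d = deltas(ids)
    if all(x == 0 for x in d):
        return "constant"        # the field carries no counter at all
    if all(0 < x <= max_step for x in d):
        return "sequential"      # consistent with the shared counter in the post
    if all(0 < x <= max_step for x in deltas([byteswap(v) for v in ids])):
        return "sequential-byteswapped"
    return "unpredictable"


def leaked_packet_counts(ids):
    """For a sequential counter: packets the host emitted between our samples.

    Any value above 0 means the counter also advanced for traffic we never saw,
    including replies that a local output filter later dropped.
    """
    return [x - 1 for x in deltas(ids)]


# Constructed samples (not captured traffic).
SEQ_SHARED = [65530, 65531, 65534, 65535, 2, 3]            # wraps past 65535
SEQ_SWAPPED = [byteswap(v) for v in (300, 301, 303, 304)]  # steps look like 256
SEQ_RANDOM = [51234, 1207, 40011, 29876, 63001]
SEQ_ZERO = [0, 0, 0, 0]

if __name__ == "__main__":
    for seq in (SEQ_SHARED, SEQ_SWAPPED, SEQ_RANDOM, SEQ_ZERO):
        print(classify(seq), seq)
    print("unseen packets between samples:", leaked_packet_counts(SEQ_SHARED))
```

A host that classifies as `unpredictable` or `constant` does not give an outside observer the side channel discussed in the message.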