Bugtraq mailing list archives
Re: usual iploggers miss some variable stealth scans
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Sun, 23 Jan 2000 23:19:49 -0700
As an aside to this discussion...
Also it's possible to use the ID field of the IP protocol to check if some host are Win*, OpenBSD > 2.5 or Other using a few of often not logged packets. the Win* ID has different byte ordering, OpenBSD is truly-random and others incremental.
OpenBSD does not use a truly random sequence for this. The generator
used produces a non-repeating pseudo-random sequence. It will not
repeat the same number too close to when it was previously used.
We have reused the generator that we use for generating DNS packet
IDs.
Obviously, using a completely random sequence has problems. For
instance, the following sequence _could_ be generated by a
truly-random number generator:
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 1 1 1 98 7234
If the generator were to create such a sequence, and they were used as
IP ID values on a succession of packets, it could wreak havoc on
fragment reassembly at the destination.
Current thread:
- Re: usual iploggers miss some variable stealth scans David LeBlanc (Jan 18)
- <Possible follow-ups>
- Re: usual iploggers miss some variable stealth scans Hank Leininger (Jan 18)
- Re: usual iploggers miss some variable stealth scans Oliver Friedrichs (Jan 19)
- Re: usual iploggers miss some variable stealth scans Ralf Laue (Jan 21)
- Re: usual iploggers miss some variable stealth scans antirez (Jan 22)
- Re: usual iploggers miss some variable stealth scans Theo de Raadt (Jan 23)
- Security Bulletins Digest Aleph One (Jan 24)
- majordomo 1.94.5 does not fix all vulnerabilities Brock Sides (Jan 24)
- Re: majordomo 1.94.5 does not fix all vulnerabilities Chan Wilson (Jan 25)
- Re: majordomo 1.94.5 does not fix all vulnerabilities Dave Barr (Jan 25)
- Re: majordomo 1.94.5 does not fix all vulnerabilities Olaf Kirch (Jan 25)
- Re: majordomo 1.94.5 does not fix all vulnerabilities Martin Mares (Jan 25)