Nmap Development mailing list archives
Re: allow_ipid_match causing replies to be ignored
From: Fyodor <fyodor () insecure org>
Date: Fri, 12 Jun 2009 00:04:55 -0700
On Thu, Jun 11, 2009 at 04:54:12PM -0600, David Fifield wrote:
> So, that's the problem, what's the solution? allow_ipid_match should default to accepting packets, otherwise it can be fooled when there's not much data. It should reject a packet only when the ratio of bogus to the total is low and a certain large number of packets have been received, like 100.
That seems reasonable. Also, the comparison could be changed to allow byte swapped values since that is probably the most common type of corruption.
> On the other hand, maybe the whole allow_ipid_match concept is misguided. Solaris and the other operating systems seem to get by fine without it.
Well, those operating systems combined are probably in the low single digits of operating system percentages for running Nmap. Solaris is the only one which is still popular at all. So we might not hear about problems, if there are any. That being said, I'm also not sure that we need this and I'm not at all averse to removing the test if we already have sufficient other tests in the six places in scan_engine.cc where it is used.
Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
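A sketch of the policy discussed in this thread, added here as an example; it is not Nmap's code and not part of the original message. It accepts by default, treats a byte-swapped ID as a match, and rejects a mismatch only once many replies have been seen and mismatches are rare. The class and helper names and the 10% cutoff are assumptions; the 100-reply minimum is the figure suggested in the thread.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical sketch of the proposed policy; names are not from Nmap.
class IpidMatchPolicy {
public:
  // kMinSamples is the "like 100" figure from the thread; kMaxBogusRatio is
  // an assumed cutoff for what counts as a "low" share of mismatched replies.
  static constexpr unsigned kMinSamples = 100;
  static constexpr double kMaxBogusRatio = 0.10;

  // An exact match or a byte-swapped match both count as valid.
  static bool ids_match(uint16_t sent, uint16_t rcvd) {
    uint16_t swapped = static_cast<uint16_t>((rcvd << 8) | (rcvd >> 8));
    return sent == rcvd || sent == swapped;
  }

  // Returns true if the reply should be accepted as answering our probe.
  bool allow(uint16_t sent, uint16_t rcvd) {
    if (ids_match(sent, rcvd)) { ++valid_; return true; }
    ++bogus_;
    unsigned total = valid_ + bogus_;
    if (total < kMinSamples) return true;  // too little data: default accept
    // Mismatches are common, so the test is unreliable here: keep accepting.
    // Only when mismatches are rare over many replies is this one rejected.
    return static_cast<double>(bogus_) / total > kMaxBogusRatio;
  }

private:
  unsigned valid_ = 0, bogus_ = 0;
};

// Feed `matches` good replies, then one mismatch; is the mismatch accepted?
bool mismatch_accepted_after(unsigned matches) {
  IpidMatchPolicy p;
  for (unsigned i = 0; i < matches; ++i) p.allow(0x1234, 0x1234);
  return p.allow(0x1234, 0xBEEF);  // constructed sample IDs
}

// A host that mangles every IP ID: how many of n replies get rejected?
unsigned rejected_when_all_mangled(unsigned n) {
  IpidMatchPolicy p;
  unsigned rejected = 0;
  for (unsigned i = 0; i < n; ++i) rejected += !p.allow(0x1234, 0xBEEF);
  return rejected;
}

int main() {
  std::printf("after 5 matches: %d\n", mismatch_accepted_after(5));
  std::printf("after 200 matches: %d\n", mismatch_accepted_after(200));
  std::printf("all mangled: %u rejected\n", rejected_when_all_mangled(500));
}
```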