Nmap Development mailing list archives

Re: allow_ipid_match causing replies to be ignored


From: Fyodor <fyodor () insecure org>
Date: Fri, 12 Jun 2009 00:04:55 -0700

On Thu, Jun 11, 2009 at 04:54:12PM -0600, David Fifield wrote:

> So, that's the problem, what's the solution? allow_ipid_match should
> default to accepting packets, otherwise it can be fooled when there's
> not much data. It should reject a packet only when the ratio of bogus to
> the total is low and a certain large number of packets have been
> received, like 100.

That seems reasonable.  Also, the comparison could be changed to allow
byte swapped values since that is probably the most common type of
corruption.

> On the other hand, maybe the whole allow_ipid_match concept is
> misguided. Solaris and the other operating systems seem to get by fine
> without it.

Well, those operating systems combined are probably in the low single
digits of operating system percentages for running Nmap.  Solaris is
the only one which is still popular at all.  So we might not hear
about problems, if there are any.

That being said, I'm also not sure that we need this and I'm not at
all averse to removing the test if we already have sufficient other
tests in the six places in scan_engine.cc where it is used.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
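A sketch of the relaxed heuristic discussed in this thread, added here as an example that is not Nmap's own code from scan_engine.cc: replies are accepted by default, a mismatching IP ID is rejected only once enough replies have been seen and the host's track record shows the field is usually correct, and byte-swapped values count as matches. The 100-reply minimum follows the message; the 10% bogus threshold and the class and method names are assumptions.

```cpp
#include <cstdint>

// Hypothetical tracker for one target host (not Nmap's implementation).
class IpIdMatcher {
 public:
  // min_samples: replies that must be seen before any mismatch is rejected
  // max_bogus_ratio: above this, the IP ID field is treated as unreliable
  //                  and mismatches keep being accepted (assumed value)
  explicit IpIdMatcher(unsigned min_samples = 100, double max_bogus_ratio = 0.10)
      : min_samples_(min_samples), max_bogus_ratio_(max_bogus_ratio) {}

  // Swap the two bytes of a 16-bit IP ID.
  static uint16_t byteswap16(uint16_t v) {
    return static_cast<uint16_t>((v << 8) | (v >> 8));
  }

  // A reply's IP ID matches when it equals the expected value exactly
  // or equals its byte-swapped form (the most common corruption).
  static bool ids_match(uint16_t expected, uint16_t observed) {
    return observed == expected || observed == byteswap16(expected);
  }

  // Record one reply and decide whether the scan engine should use it.
  bool accept(uint16_t expected, uint16_t observed) {
    bool match = ids_match(expected, observed);
    ++total_;
    if (match) return true;
    ++bogus_;
    // Default to accepting: with few samples the field cannot be judged.
    if (total_ < min_samples_) return true;
    double ratio = static_cast<double>(bogus_) / static_cast<double>(total_);
    // Low bogus ratio: this host's IP IDs are normally right, so a
    // mismatch really is a stray packet and is rejected. High ratio:
    // the field is unreliable, so keep accepting everything.
    return ratio > max_bogus_ratio_;
  }

  unsigned total() const { return total_; }
  unsigned bogus() const { return bogus_; }

 private:
  unsigned min_samples_;
  unsigned total_ = 0;
  unsigned bogus_ = 0;
  double max_bogus_ratio_;
};
```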
