[13551] in bugtraq
Re: usual iploggers miss some variable stealth scans
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Mon Jan 24 23:36:04 2000
Message-Id: <200001240619.XAA22369@cvs.openbsd.org>
Date: Sun, 23 Jan 2000 23:19:49 -0700
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: antirez@invece.org
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Sat, 22 Jan 2000 15:02:48 +0100."
<20000122150248.A226@nagash.suidshell.net>
As an aside to this discussion...
> Also it's possible to use the ID field of the IP protocol to check if
> some host are Win*, OpenBSD > 2.5 or Other using a few of often not logged
> packets. the Win* ID has different byte ordering, OpenBSD is truly-random
> and others incremental.
OpenBSD does not use a truly random sequence for this. The generator
used produces a non-repeating pseudo-random sequence. It will not
repeat the same number too close to when it was previously used.
We have reused the generator that we use for generating DNS packet
IDs.
Obviously, using a completely random sequence has problems. For
instance, the following sequence _could_ be generated by a
truly-random number generator:
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 1 1 1 98 7234
If the generator were to create such a sequence, and they were used as
IP ID values on a succession of packets, it could wreak havoc on
fragment reassembly at the destination.
