[24759] in bugtraq


Re: Identifying Kernel 2.4.x based Linux machines using UDP

daemon@ATHENA.MIT.EDU (Crist J. Clark)
Wed Mar 20 18:28:52 2002

Date: Tue, 19 Mar 2002 17:51:17 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Ofir Arkin <ofir@stake.com>
Cc: bugtraq <bugtraq@securityfocus.com>
Message-ID: <20020319175117.E67739@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3C971D24.4070505@stake.com>; from ofir@stake.com on Tue, Mar 19, 2002 at 11:12:36AM +0000

Yuck. Following up to my own post.

I realize I wasn't clear on what "good" random numbers mean in IP ID
fields. To most people concerned about security, it means "not
incrementing." The problem with incrementing IP IDs of course being
the ability to do spoofed port scans on a quiescent server. Not using
incrementing IP IDs, using random ones when you need to and constant
(the 0 ones you observed) ones when DF is set, prevents these kinds of
scans.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
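
An added example, not part of the original post: a heuristic check of which IP ID policy a host you administer exhibits, judged from the IPv4 headers of its replies and split by the DF bit as the post does. The function names, the `max_step` threshold and the sample headers are assumptions constructed for illustration.

```python
import struct

def parse_id_df(header: bytes):
    """Return (IP ID, DF flag) from the first 8 bytes of an IPv4 header."""
    if len(header) < 8 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ip_id, flags_frag = struct.unpack("!HH", header[4:8])
    return ip_id, bool(flags_frag & 0x4000)  # 0x4000 = Don't Fragment

def classify(ids, max_step=256):
    """Heuristically label one stream of IP IDs seen in arrival order."""
    if len(ids) < 3:
        return "too-few-samples"
    if len(set(ids)) == 1:
        return "constant-zero" if ids[0] == 0 else "constant"
    # Deltas are taken modulo 2**16 so a counter wrapping past 65535 still counts.
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if all(1 <= d <= max_step for d in deltas):
        return "incrementing"
    # Randomness cannot be proven from a few samples; only report the absence
    # of a small-step counter.
    return "non-incrementing"

def audit(headers):
    """Classify DF and non-DF replies separately, as the post distinguishes them."""
    df_ids, nodf_ids = [], []
    for h in headers:
        ip_id, df = parse_id_df(h)
        (df_ids if df else nodf_ids).append(ip_id)
    return {"df": classify(df_ids), "no_df": classify(nodf_ids)}

def _hdr(ip_id, df):
    """Build a constructed 20-byte IPv4 header (addresses from RFC 5737)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000 if df else 0,
                       64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

# Constructed samples, not captured traffic.
GLOBAL_COUNTER = [_hdr(i, False) for i in (65533, 65534, 65535, 0, 1)]
ZERO_WITH_DF = ([_hdr(0, True)] * 4 +
                [_hdr(i, False) for i in (0x9C41, 0x0B7E, 0xE210, 0x4455)])

if __name__ == "__main__":
    print(audit(GLOBAL_COUNTER))
    print(audit(ZERO_WITH_DF))
```

A host reported as "incrementing" on either stream is the quiescent-server case the post warns about; "constant-zero" on DF replies with "non-incrementing" elsewhere matches the behaviour the post describes as safe.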
