Full Disclosure mailing list archives

Re: Idle scan rediscovered!!!


From: Cedric Blancher <blancher () cartel-securite fr>
Date: Fri, 05 May 2006 18:49:20 +0200

On Friday 05 May 2006 at 12:33 -0400, Tim wrote:
> Sorry, I'm having difficulty following some of the details of your
> results.  Are you using the Windows machines as the idle hosts only, or
> is the Ubuntu box also being used as an idle host in some
> configurations?

As standard 2.4/2.6 kernels' behaviour is to set the DF flag to 1 and the
IPID to 0, it's a very bad candidate for an idle host. And sadly, it's no
news that Windows boxes are prone to idle scanning because they have an
incremental IPID generator...


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!
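As an added example (not code from this thread or its authors), a small classifier a defender can run over IP ID values sampled from a host's own replies, to tell the zero/DF behaviour Cedric describes from the incremental global counter that makes a host usable as an idle-scan zombie. The sample values below are constructed; the byte-swapped "incremental-le" case is an assumption about stacks that emit the counter in host byte order.

```python
"""Classify a host's IP ID generation from a list of sampled IP ID values.

Constructed example: gather real samples by sending a few probes to a host
you administer and recording the IP ID field of each reply.
"""
from typing import List


def _small_steps(seq: List[int], max_step: int = 10) -> bool:
    """True when every successive IP ID advances by 1..max_step (mod 2**16),
    which also covers a counter wrapping from 65535 back to 0."""
    diffs = [(b - a) & 0xFFFF for a, b in zip(seq, seq[1:])]
    return all(1 <= d <= max_step for d in diffs)


def ipid_class(samples: List[int]) -> str:
    """Return one of:
    'zero'           every reply carries IP ID 0 (Linux 2.4/2.6 with DF set)
    'constant'       the same non-zero value every time
    'incremental'    a global counter (classic Windows behaviour)
    'incremental-le' a global counter with its two bytes swapped on the wire
    'random'         no usable pattern
    """
    if len(samples) < 3:
        raise ValueError("need at least 3 samples")
    if all(s == 0 for s in samples):
        return "zero"
    if len(set(samples)) == 1:
        return "constant"
    if _small_steps(samples):
        return "incremental"
    swapped = [((s & 0xFF) << 8) | (s >> 8) for s in samples]
    if _small_steps(swapped):
        return "incremental-le"
    return "random"


def exposed_as_zombie(samples: List[int]) -> bool:
    """A host whose replies reveal a shared, predictable counter can be used
    as the idle host in an idle scan; zero, constant or random IDs cannot."""
    return ipid_class(samples).startswith("incremental")


if __name__ == "__main__":
    # Constructed samples: a Linux-style host and a Windows-style host.
    print(ipid_class([0, 0, 0, 0]))                  # zero
    print(ipid_class([65534, 65535, 1, 2]))          # incremental (wraps)
    print(exposed_as_zombie([65534, 65535, 1, 2]))   # True
```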

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
