Security Incidents mailing list archives
Re: mystery SF scan tool = Idlescan correlation
From: LiquidK <liquidk () LEECHER ORG>
Date: Fri, 17 Nov 2000 03:00:56 +0000
Hi,
I have not found the exact tool using IP ID 39426 in the wild, so I am surmising the distribution is either extremely limited or we're even dealing with a single instance (that you, liquidK?). Of course, I could just be looking in the wrong places. :-) I felt that the simplicity of the diffs between Idlescan and this tool that recreates the mystery detects warranted the posting of this correlation. It seems likely someone has taken Idlescan and made the improvements on liquidK's todo list in the source code. (If this turns out to be wrong, please don't flame me. If it's correct and you wrote the code, stand up and be recognized for eluding that many IDS guys for so long!)
Not me :) Although if someone implemented the stuff in the TODO I would be very interested in seeing those diffs :) Last version was alpha3, and that update was almost a year ago.

There is one thing that reveals idlescan's portscans pretty quickly (at least in my implementation). There are usually several probes on each port to ensure the scan is accurate. For example, you will see something like the following pattern.

    sensor1 -> victim:21
    sensor1 -> victim:21
    sensor1 -> victim:21
    sensor2 -> victim:22
    sensor2 -> victim:22
    sensor2 -> victim:22

Or perhaps with a modified idlescan, something like:

    sensor1 -> victim:21
    sensor2 -> victim:22
    sensor3 -> victim:22
    sensor6 -> victim:21
    sensor5 -> victim:22
    sensor8 -> victim:21

With only one probe at a port, and unless you are 100% sure the sensor is idle, you cannot confirm that the ip.id increase was caused by sensor traffic or by the rst reply of the sensor to an open port. If you need any help finishing your research project, don't hesitate to contact me about idlescan.
For more information on Idlescan , see liquidK's code from 1999 at http://superbofh.org/idlescan. It builds on theoretical analysis by antirez in 1998 posted to Bugtraq. (Nice work there guys.)
Unfortunately superbofh.org is no more. You can still get idlescan and the readme from www.hackers-pt.org, packetstorm or technotronic. -- Filipe Almeida aka LiquidK <liquidk () leecher org>
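As an added example that is not part of this thread or of idlescan's code: a small victim-side detector for the repeated-probe pattern LiquidK describes, run over constructed packet records (source, victim, port, TCP flags). It flags a host when several ports each receive two or more bare SYNs, whether they come from one "sensor" or are spread across several; the record format and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample records as a sniffer on the victim's network might log
# them: (source as seen by the victim, victim, dest port, TCP flags).
# The sources labelled sensorN play the role of the idle hosts a scanner spoofs.
SAMPLE_PACKETS = [
    ("sensor1", "victim", 21, "S"),
    ("sensor1", "victim", 21, "S"),
    ("sensor1", "victim", 21, "S"),
    ("sensor2", "victim", 22, "S"),
    ("sensor2", "victim", 22, "S"),
    ("sensor2", "victim", 22, "S"),
    ("sensor1", "victim", 23, "S"),   # modified-idlescan style: re-probes
    ("sensor2", "victim", 23, "S"),   # of one port spread over sensors
    ("sensor3", "victim", 23, "S"),
    ("client9", "victim", 80, "S"),   # ordinary single connection attempt
    ("client9", "victim", 80, "A"),   # handshake continues: not a probe
]

def probe_counts(packets):
    """Count bare SYN probes per (victim, port) and the distinct sources behind them."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, dport, flags in packets:
        if flags != "S":          # only the initial SYN counts as a probe
            continue
        counts[(dst, dport)] += 1
        sources[(dst, dport)].add(src)
    return counts, sources

def repeated_probe_ports(packets, min_probes=2):
    """Ports that received min_probes or more SYNs: the accuracy re-probe signature.
    Returns sorted (victim, port, probe_count, distinct_sources) tuples."""
    counts, sources = probe_counts(packets)
    return sorted((dst, port, n, len(sources[(dst, port)]))
                  for (dst, port), n in counts.items() if n >= min_probes)

def looks_like_idlescan(packets, min_ports=2, min_probes=2):
    """Flag a victim when at least min_ports ports each saw repeated probes.
    Returns {victim: [ports]} for flagged hosts only."""
    hits = defaultdict(list)
    for dst, port, _n, _srcs in repeated_probe_ports(packets, min_probes):
        hits[dst].append(port)
    return {dst: ports for dst, ports in hits.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    for dst, port, n, nsrc in repeated_probe_ports(SAMPLE_PACKETS):
        print(f"{dst}:{port} probed {n} times from {nsrc} source(s)")
    print(looks_like_idlescan(SAMPLE_PACKETS))
```

Port 80 is not reported because a single SYN followed by a normal handshake is what legitimate clients do; a scanner that sends only one probe per port evades this check, at the cost of the accuracy problem the message describes.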