Security Incidents mailing list archives
Re: An ICMP Type 3 Signature
From: George Bakos <alpinista () BIGFOOT COM>
Date: Wed, 18 Oct 2000 12:14:05 -0400
On 17 Oct 00, at 15:14, Jay Random wrote:
> What made you dismiss the possibility of a decoy scan? Also if he had a compromised sniffing box upstream from the target, why actively portscan and give away your activity, when a passive portscan would be more simple and logical? How would a sniffer add any benefit to the distributed scan?

Assuming this is not a decoyed scan, a listening presence upstream would be necessary to interpret responses to purely spoofed stimuli. Yes, of course passive techniques would be a more stealthy, although somewhat luck-dependent, option for him.

A decoy scan is not completely ruled out. However, a decoy scan should ideally use reachable, yet unresponsive host addresses so as not to risk ICMP 3 messages being sent back to the scan target, providing data for a process of elimination.

In order for the embedded packets' TTLs to vary as I have seen, network conditions would need to fluctuate considerably (not too unlikely), he would need to be a moving target, or his tool would be crafting variable initial TTL values. As they are all within a realistic range below 32 (win9x??), this last possibility is slim. Until I have my grubby paws on an offender's machine, I can merely speculate.

Cheers!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Any sufficiently advanced technology is indistinguishable from magic.
Arthur C. Clarke
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
George Bakos
alpinista () bigfoot com
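
The TTL reasoning in the message above, as an added example that is not part of the original post or thread: it parses ICMP type 3 messages, reads the TTL from the quoted IP header, and reports per reporting host the TTL spread and the implied hop range. The function names, the list of common initial TTLs and the sample packets (built on documentation address ranges) are assumptions constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # typical OS defaults (assumed list)

def parse_icmp_unreachable(pkt):
    """Return fields of the IP header quoted in an ICMP type 3 message, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None  # not IPv4 carrying ICMP
    ihl = (pkt[0] & 0x0F) * 4
    quoted = pkt[ihl + 8:]  # skip outer IP header and the 8-byte ICMP header
    if len(pkt) < ihl + 8 or pkt[ihl] != 3 or len(quoted) < 20 or quoted[0] >> 4 != 4:
        return None
    return {
        "reporter": socket.inet_ntoa(pkt[12:16]),       # host or router that sent the error
        "code": pkt[ihl + 1],
        "quoted_src": socket.inet_ntoa(quoted[12:16]),  # claimed sender of the stimulus
        "quoted_dst": socket.inet_ntoa(quoted[16:20]),
        "quoted_ttl": quoted[8],                        # TTL left when the reporter saw it
    }

def ttl_summary(packets):
    """Per reporter: range of quoted TTLs, nearest common initial TTL, implied hops."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse_icmp_unreachable, packets)):
        seen[rec["reporter"]].append(rec["quoted_ttl"])
    out = {}
    for reporter, ttls in seen.items():
        lo, hi = min(ttls), max(ttls)
        initial = min(t for t in COMMON_INITIAL_TTLS if t >= hi)
        out[reporter] = {"min": lo, "max": hi, "spread": hi - lo,
                         "initial_guess": initial, "hops": (initial - hi, initial - lo)}
    return out

def _ip(src, dst, ttl, proto, length):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def make_sample(reporter, claimed_src, probed, quoted_ttl):
    """Constructed ICMP type 3 code 3 packet quoting a UDP probe (checksums zeroed)."""
    quoted = _ip(claimed_src, probed, quoted_ttl, 17, 28) + struct.pack("!HHHH", 1025, 33434, 8, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return _ip(reporter, claimed_src, 60, 1, 20 + len(icmp)) + icmp
# Constructed sample data: one reporter sees varying TTLs, the other a constant one.
SAMPLES = [make_sample("198.51.100.7", "192.0.2.10", "198.51.100.7", t) for t in (19, 23, 27)]
SAMPLES += [make_sample("203.0.113.9", "192.0.2.10", "203.0.113.9", t) for t in (21, 21)]

if __name__ == "__main__":
    print(ttl_summary(SAMPLES))
```

A single sender on a stable path should show a spread near zero at any one reporter; a wide spread fits the three explanations listed in the message (fluctuating routes, a moving sender, or crafted initial TTLs).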