Vulnerability Development mailing list archives
Re: ICMP clarification
From: Matt Beck <Mbeck () GIANTSTEP COM>
Date: Fri, 15 Sep 2000 16:32:20 -0500
---cut---

If people want to grasp the problems regarding ICMP Usage in Scanning, then you can read my research paper about it. It is available from my web site: www.sys-security.com, version 2.01 is the latest.

You can also read Rik Farrow's article at Network Magazine, called "ICMP Stands for Trouble": http://www.networkmagazine.com/article/NMG20000829S0003

----cut----

I was reading through your paper and enjoying it when something occurred to me. Other posts here have been discussing ANTI-Sniff and ways to detect promiscuous mode NICs. One method is to watch for DNS queries. Your paper mentions that reverse resolution of pinged addresses can be correlated to an attacking host via DNS logs.

So, has anyone created a tool that can query many different DNS servers instead of the local one? I imagine a simple file containing multiple remote DNS server addresses that are used in round-robin for reverse resolution. This would definitely prevent DNS logs from correlating with the scan of a remote network. For the Anti-sniff topic, an IDS would have to watch all DNS traffic instead of just traffic to the local DNS for this activity.

But, it's late on Friday and maybe this isn't making sense. Do tools already do this kind of thing for stealth?

Matt
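The DNS-log correlation discussed above, seen from the scanned network's side, as an added example that is not part of the original post or of the paper it cites: PTR lookups in a reverse-zone query log are grouped by the network being resolved rather than by the querying resolver, so lookups spread over several resolvers still add up. The log tuple format, thresholds, function names and addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a reverse-zone query log (assumed format):
# (epoch seconds, querying resolver, query name). Documentation addresses only.
RESOLVERS = ["198.51.100.10", "198.51.100.20", "198.51.100.30"]
SAMPLE_LOG = [(1000 + 5 * i, RESOLVERS[i % 3], f"{i + 1}.2.0.192.in-addr.arpa.")
              for i in range(6)]
SAMPLE_LOG += [(1012, "203.0.113.53", "9.113.0.203.in-addr.arpa."),
               (1015, "203.0.113.53", "www.example.com.")]

def ptr_to_ip(qname):
    """Return the IPv4 address a PTR query name refers to, or None."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None

def find_sweeps(log, window=60, min_hosts=5, prefix=24):
    """Flag networks where at least min_hosts distinct addresses were
    reverse-resolved within window seconds, counted across all resolvers."""
    by_net = defaultdict(list)
    for ts, resolver, qname in log:
        ip = ptr_to_ip(qname)
        if ip is not None:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            by_net[net].append((ts, ip, resolver))
    findings = []
    for net, events in by_net.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            hosts = {ip for _, ip, _ in span}
            if len(hosts) >= min_hosts:
                findings.append({"network": str(net), "hosts": len(hosts),
                                 "resolvers": sorted({r for _, _, r in span}),
                                 "first_seen": span[0][0]})
                break  # one finding per network is enough
    return findings
```

In the constructed log no single resolver asks about more than two addresses, yet the per-network count reaches the threshold.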
Current thread:
- ICMP clarification Ofir Arkin (Sep 14)
- <Possible follow-ups>
- Re: ICMP clarification Matt Beck (Sep 16)