Security Basics mailing list archives

Re: Concepts: Security and Obscurity


From: Daniel Miessler <daniel () dmiessler com>
Date: Tue, 17 Apr 2007 13:42:23 -0400


On Apr 17, 2007, at 12:28 PM, Ansgar -59cobalt- Wiechers wrote:

>> So if I'm scanning a class B for port 22 in order to unleash a
>> zero-day exploit, how do you propose I differentiate between the dead
>> network space (i.e. there's nothing there) vs. the systems that just
>> SEEM to not be there because I get no response?
>
> You differentiate by the fact that for the former you *do* get a
> response (destination-unreachable), whereas for the latter you don't.
>
> Please read up on how TCP/IP actually works.

Yes, we're aware of the basics here, and now I ask that you scan a class B and see if for every system that's NOT there you get back an ICMP message like you're supposed to. I think you'll find that reality doesn't correlate well with the RFC on this matter.

Getting back proper ICMP responses from "somewhere upstream" is hit and miss, and therefore unreliable as a true indicator of a "hiding system".

--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC
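As an added illustration of the point argued above (example code, not from either poster): it builds a constructed ICMP Destination Unreachable reply, parses the quoted original IP/TCP headers from it, and shows that a probe answered by silence cannot be told apart from dead address space, whereas a reply with an admin-prohibited code reveals filtering. All addresses, ports and code values are constructed sample data.

```python
import struct
from typing import Optional

# ICMP type 3 (Destination Unreachable) codes from RFC 792 / RFC 1812
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                 9: "net admin prohibited", 10: "host admin prohibited",
                 13: "communication admin prohibited"}

def build_icmp_unreachable(router: str, probe_src: str, probe_dst: str,
                           dport: int, code: int) -> bytes:
    """Constructed sample: IPv4 + ICMP type 3 quoting the probe's IP and TCP headers."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                            ip(probe_src), ip(probe_dst))
    quoted_tcp8 = struct.pack("!HHI", 54321, dport, 0)       # sport, dport, seq
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted_ip + quoted_tcp8
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 255, 1, 0,
                        ip(router), ip(probe_src))
    return outer + icmp

def parse_dest_unreachable(frame: bytes) -> Optional[dict]:
    """Return {code, reason, orig_dst, orig_dport} for an ICMP type 3 frame, else None."""
    if len(frame) < 20 or frame[9] != 1:          # not IPv4 carrying ICMP
        return None
    ihl = (frame[0] & 0x0F) * 4
    icmp = frame[ihl:]
    if len(icmp) < 28 or icmp[0] != 3:            # need ICMP header + quoted IP header
        return None
    inner = icmp[8:]                              # the original datagram, as quoted
    inner_ihl = (inner[0] & 0x0F) * 4
    dport = None
    if inner[9] == 6 and len(inner) >= inner_ihl + 4:   # quoted TCP: read dst port
        dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return {"code": icmp[1], "reason": UNREACH_CODES.get(icmp[1], "other"),
            "orig_dst": ".".join(str(b) for b in inner[16:20]), "orig_dport": dport}

def classify_silence(reply: Optional[bytes]) -> str:
    """What a SYN probe that drew no SYN/ACK or RST tells you about the target."""
    info = parse_dest_unreachable(reply) if reply else None
    if info is None:
        return "ambiguous: silently filtered or dead space (no ICMP seen)"
    if info["code"] in (9, 10, 13):
        return f"filtered by policy ({info['reason']})"
    return f"dead space confirmed ({info['reason']})"
```

The same parser is useful on the defending side to check what your own edge emits for unused address space, which is the behaviour the two posts disagree about.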



