Full Disclosure mailing list archives

Detecting local anomalies (fwd)


From: Darren Reed <avalon () caligula anu edu au>
Date: Wed, 29 Mar 2006 10:11:57 +1100 (Australia/ACT)

[originally sent by me to nmap-hackers]

Can nmap tell when the response time of a packet from a host
differs by a large amount with respect to the majority of packets
and from that make any suggestions or conclusions?

For example, if nmap were to get a response of some kind from
a linux box that sent the packet up through libipq, wouldn't
there be a rather large time difference for it?

Another example might be if one packet matches a different
local policy, say IPsec, and it gets tunnelled/encrypted/
something before the response being sent back.

The reason this came to mind is that last week I hacked up some
code to do port-knocking with IPFilter in a manner that to the
casual observer will always look like every port is closed
unless the right combination is hit and then only the last
one is open.  I was thinking this is pretty undetectable from
a scanning point of view.  Then for some reason I thought
about the impact of the knocking ports sending packets up
to user space before generating a negative reply and that
this would be detectable at a packet level in the difference
between the time it takes for normal replies to be returned
vs these ones.  I've since removed the need for the trip to
user space just to generate the negative reply but it did
get me thinking and I thought I'd share those thoughts :)

Darren
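One way to do the check Darren asks about, as an added example that is not part of the original post: given per-port response times from one host, flag the ports whose reply took far longer than the majority. The sample values below are constructed, not real measurements; a defender can run the same computation against timings of their own host to see whether a filtering policy (a user-space detour, a different IPsec policy) leaks through response latency.

```python
import statistics
from typing import Dict, List, Tuple

# Constructed sample: (port, response time in ms) for negative replies
# returned by one host during a scan. Most are answered in-kernel; a
# few take a detour before the reply is generated. Values are invented.
SAMPLES: List[Tuple[int, float]] = [
    (22, 0.41), (25, 0.39), (80, 0.44), (110, 0.40), (143, 0.42),
    (443, 0.38), (993, 0.43), (995, 0.41), (3306, 0.40), (5432, 0.42),
    (1357, 2.95),   # anomaly: reply took a trip through user space
    (2468, 3.10),   # anomaly
    (8080, 0.39),
]


def baseline(samples: List[Tuple[int, float]]) -> Tuple[float, float]:
    """Median RTT and a robust spread estimate (scaled MAD).

    Median and median absolute deviation are used instead of mean and
    standard deviation because the outliers we are looking for would
    otherwise inflate the spread and hide themselves.
    """
    rtts = [rtt for _, rtt in samples]
    med = statistics.median(rtts)
    mad = statistics.median(abs(r - med) for r in rtts)
    # 1.4826 makes MAD comparable to a standard deviation for normal data;
    # the floor avoids division by zero when all RTTs are identical.
    scale = 1.4826 * mad if mad > 0 else 1e-9
    return med, scale


def robust_outliers(samples: List[Tuple[int, float]],
                    threshold: float = 5.0) -> Dict[int, float]:
    """Return {port: robust z-score} for ports whose RTT deviates from
    the majority by at least `threshold` scaled-MAD units."""
    med, scale = baseline(samples)
    result: Dict[int, float] = {}
    for port, rtt in samples:
        score = (rtt - med) / scale
        if abs(score) >= threshold:
            result[port] = round(score, 1)
    return result


if __name__ == "__main__":
    for port, score in sorted(robust_outliers(SAMPLES).items()):
        print(f"port {port}: reply {score:+.1f} MADs from the median")
```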

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
