Full Disclosure mailing list archives
Detecting local anomalies (fwd)
From: Darren Reed <avalon () caligula anu edu au>
Date: Wed, 29 Mar 2006 10:11:57 +1100 (Australia/ACT)
[originally sent by me to nmap-hackers]

Can nmap tell when the response time of a packet from a host differs by a large amount with respect to the majority of packets and from that make any suggestions or conclusions?

For example, if nmap were to get a response of some kind from a linux box that sent the packet up through libipq, wouldn't there be a rather large time difference for it?

Another example might be if one packet matches a different local policy, say IPsec, and it gets tunnelled/encrypted/something before the response being sent back.

The reason this came to mind is that last week I hacked up some code to do port-knocking with IPFilter in a manner that to the casual observer will always look like every port is closed unless the right combination is hit and then only the last one is open. I was thinking this is pretty undetectable from a scanning point of view. Then for some reason I thought about the impact of the knocking ports sending packets up to user space before generating a negative reply and that this would be detectable at a packet level in the difference between the time it takes for normal replies to be returned vs these ones.

I've since removed the need for the trip to user space just to generate the negative reply but it did get me thinking and I thought I'd share those thoughts :)

Darren

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
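An added example (my own code, not Darren's or IPFilter's) of the kind of self-audit a host owner could run to see whether a slower reply path gives away which closed ports are special: each port's reply latency is compared against a robust baseline built from all ports, so a couple of slow ports cannot drag the baseline up. The port numbers and latencies are constructed, and the 0.5 ms jitter floor is an assumed value.

```python
"""Flag ports whose negative reply arrives measurably later than the rest."""
from collections import defaultdict
from statistics import median


def group_samples(observations):
    """Group (port, latency_seconds) observations into port -> [latencies]."""
    grouped = defaultdict(list)
    for port, rtt in observations:
        grouped[port].append(rtt)
    return dict(grouped)


def robust_baseline(samples_by_port):
    """Median and median absolute deviation (MAD) of the per-port median latency.
    MAD rather than standard deviation so outliers don't inflate the spread."""
    per_port = [median(v) for v in samples_by_port.values()]
    m = median(per_port)
    mad = median(abs(x - m) for x in per_port)
    return m, mad


def find_slow_ports(samples_by_port, k=5.0, floor=0.0005):
    """Ports whose median latency sits more than max(k*MAD, floor) above the
    baseline.  floor (assumed 0.5 ms) stops link jitter on a quiet LAN from
    producing false positives; tune it to the path you are measuring."""
    m, mad = robust_baseline(samples_by_port)
    spread = max(k * mad, floor)
    return sorted(p for p, v in samples_by_port.items() if median(v) - m > spread)


# Constructed sample: RST latencies in seconds for nine closed ports.
# 7000 and 8000 are the hypothetical knock ports that take a longer code path.
SAMPLE = group_samples([
    (22, 0.00031), (22, 0.00029), (22, 0.00033),
    (25, 0.00030), (25, 0.00034), (25, 0.00032),
    (80, 0.00030), (80, 0.00028), (80, 0.00032),
    (110, 0.00029), (110, 0.00031), (110, 0.00027),
    (143, 0.00033), (143, 0.00030), (143, 0.00031),
    (443, 0.00029), (443, 0.00031), (443, 0.00030),
    (993, 0.00032), (993, 0.00030), (993, 0.00034),
    (7000, 0.00330), (7000, 0.00325), (7000, 0.00340),
    (8000, 0.00310), (8000, 0.00335), (8000, 0.00320),
])

if __name__ == "__main__":
    print("ports with anomalous reply latency:", find_slow_ports(SAMPLE))
```

If the two knock ports show up here, the timing difference Darren describes is visible to anyone who can send packets and take timestamps; the fix he mentions, answering in-kernel without the detour to user space, is what removes it.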