Security Incidents mailing list archives

RE: Spoofed scans


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Wed, 9 Jan 2002 11:58:38 -0500 (EST)

i believe the normalizations discussed by vern paxson at USENIX Security 01
can help alleviate the threat of the IP ID scan discussed. another
excellent discussion of this technique is given in [2].

the openbsd firewall package 'pf' has a scrub action that implements many
of these normalizations.

1. vern's WAY cool paper.
   http://www.icir.org/vern/papers/norm-usenix-sec-01-html/

2. node in the above paper on IP ID scans:
   http://www.icir.org/vern/papers/norm-usenix-sec-01-html/node8.html

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)

