Nmap Announce mailing list archives

Re: Corrections for "Using the Unused" and for "The DF Playground"


From: Kevin Steves <stevesk () sweden hp com>
Date: Wed, 13 Sep 2000 19:36:20 +0200 (CEST)

On Wed, 13 Sep 2000, Ofir Arkin wrote:
: What this means is Solaris is the ONLY operating system to set 
: the DF bit on ICMP Query replies enabling us to identify it exclusively.

HP-UX sets it as well when ip_pmtu_strategy=1.  I suspect your test
host has the default 2, which is deprecated for reasons stated in a
security bulletin, and you didn't respond to its ping probe.

$ ndd -h ip_pmtu_strategy

: And Solaris and HPUX 11.0 are the ONLY operating systems to Echo 
: back the Reserved Bit.

Not surprising that they do something the same, since they share a
Mentat-derived heritage.  I believe the ip_pmtu_strategy=2 is an
HP-thing.  You might play around with observing data in RST segments.

: Since Solaris sets the DF bit as well we can distinguish between 
: Sun Solaris Machines and HPUX 11.0 machines.

Not always; my systems have ip_pmtu_strategy=1.

: For all of you who wrote back to say that we can turn off replies
: for various ICMP Queries with Solaris - PLEASE DO SO! This is the reason
: for all this :)

ndd -h lists the tunables and help text on HP-UX 11.0.  I have a list of
what I recommend at the end of
http://people.hp.se/stevesk/bastion11.html.
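As an added illustration of the correction above (example code, not part of the thread): the DF bit in an ICMP echo reply's IP header cannot single out Solaris, because an HP-UX 11.0 host with ip_pmtu_strategy=1 sets it too. The packet bytes are constructed here, not captured from any of the systems discussed.

```python
import struct

def build_ipv4_icmp_reply(df: bool, reserved: bool) -> bytes:
    """Constructed 20-byte IPv4 header + 8-byte ICMP echo reply (type 0).

    Sample data for the demonstration only; checksums are left as zero."""
    flags_frag = (0x8000 if reserved else 0) | (0x4000 if df else 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,          # version 4, IHL 5
                         0,             # TOS
                         20 + 8,        # total length
                         0x1234,        # identification
                         flags_frag,    # flags (reserved/DF/MF) + fragment offset
                         64,            # TTL
                         1,             # protocol: ICMP
                         0,             # header checksum (omitted)
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    icmp = struct.pack("!BBHHH", 0, 0, 0, 1, 1)   # echo reply, id 1, seq 1
    return ip_hdr + icmp

def parse_ip_flags(pkt: bytes) -> dict:
    """Extract the three IP flag bits from the header of an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return {"reserved": bool(flags_frag & 0x8000),
            "df": bool(flags_frag & 0x4000),
            "mf": bool(flags_frag & 0x2000)}

def candidate_os(pkt: bytes) -> set:
    """Candidate set the DF-on-echo-reply heuristic can justify.

    Per the thread, DF set on an ICMP echo reply points at Solaris OR at
    HP-UX 11.0 running with ip_pmtu_strategy=1, so the heuristic alone cannot
    separate the two.  An echoed reserved bit does not help either, since the
    thread says both systems echo it."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or pkt[ihl] != 0:
        raise ValueError("not an ICMP echo reply")
    if not parse_ip_flags(pkt)["df"]:
        return set()
    return {"Solaris", "HP-UX 11.0 (ip_pmtu_strategy=1)"}
```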


--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
