Nmap Development mailing list archives
Re: Nmap says Host down when actually host is up.
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 26 Oct 2007 07:10:33 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 26 Oct 2007 08:46:55 +0200 plus or minus some time
kx <kxmail () gmail com> wrote:

> I can't say for ICMP, but I have definitely written a generic UDP server on a Solaris box before that had multiple IP addresses, that was listening on all IPs, and when the server would reply to a UDP packet, the kernel behavior would be to reply from the IP address on the Solaris box that was closest to the source, not necessarily from the IP address it received the packet on.
>
> Now, in this case it made sense: I would send a packet from a subnet connected to the Solaris box, but I would send it to the IP address not on the subnet. The response would come back from the IP address on my subnet.
>
> Example: Solaris has IPs 10.10.1.5 and 10.10.100.5. I am IP 10.10.1.6.
>
>   10.10.1.6 -- UDP --> 10.10.100.5
>   10.10.1.6 <-- UDP -- 10.10.1.5
>
> Not as clear as what is going on below, and as Kris stated, it shouldn't happen with ICMP, but just throwing it out for consideration.
>
> Cheers,
> kx

+1 on strange things with ICMP. The UDP socket code I've been writing lately has seen some of the strangest ICMP messages back. Between all the different OSes, firewalls, NATs, and other strange network devices out there, you're going to see some crazy ICMP packets.

I haven't given it more than 2 seconds of thought, but we could try something TCP SYNCOOKIE inspired for our ICMP ECHO requests. Say we stuffed some useful data in the payload like:

  <64 bit timestamp><32 bit salt><32 bit target IP XOR 32 bit salt><32 bit checksum (CRC?)>

Then when we receive an ICMP ECHO REPLY from a host we don't know about, we check the payload. If:

* The time is within some reasonable range
* The salt matches the salt being used by the nmap process
* The XOR of the salt and jumbled IP field match an IP we're probing
* The checksum computes

Then we accept the echo reply as valid even though something is slightly broken.

Or maybe I'm missing something and this is a terrible idea?

Brandon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHIZLpqaGPzAsl94IRArIWAKCARuVnI7W4uPLs2J278yA1crZtAACfQFcR
j2dtWK5/D1I9zGvFa/AEhqE=
=2TzD
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
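The payload scheme Brandon sketches above, worked through as an added example that is not part of the thread and not Nmap's own code. It builds the `<timestamp><salt><IP XOR salt><checksum>` payload for an echo request and then runs the four checks on a reply whose source address was unexpected, reproducing kx's scenario where the probe goes to 10.10.100.5 but the reply comes back from 10.10.1.5. The concrete choices (microsecond timestamps, CRC32 as the checksum, a 10-second acceptance window, IPv4 only, the function names) are assumptions made for this example; the post leaves them open.

```python
import ipaddress
import struct
import time
import zlib

# Wire layout from the post:
#   <64-bit timestamp><32-bit salt><32-bit target IP XOR salt><32-bit checksum>
# Assumptions for this example: big-endian fields, timestamp in microseconds,
# CRC32 (zlib) over the first three fields as the checksum, IPv4 targets only.
PAYLOAD_FMT = "!QIII"
PAYLOAD_LEN = struct.calcsize(PAYLOAD_FMT)  # 20 bytes
DEFAULT_MAX_SKEW_US = 10_000_000  # accept replies up to 10 s from "now" (assumed)


def build_echo_payload(target_ip, salt, now_us=None):
    """Payload to put in the ICMP echo request sent to target_ip by a scanner using salt."""
    if now_us is None:
        now_us = time.time_ns() // 1000
    salt &= 0xFFFFFFFF
    ip_int = int(ipaddress.IPv4Address(target_ip))
    head = struct.pack("!QII", now_us, salt, ip_int ^ salt)
    crc = zlib.crc32(head) & 0xFFFFFFFF
    return head + struct.pack("!I", crc)


def check_echo_reply(payload, salt, probed_ips, now_us=None, max_skew_us=DEFAULT_MAX_SKEW_US):
    """Apply the four checks from the post to the payload of an echo reply whose
    source address we were not expecting. Returns (accepted, reason, target_ip)."""
    salt &= 0xFFFFFFFF
    if len(payload) < PAYLOAD_LEN:
        return (False, "short payload", None)
    # Some stacks pad or append to the echoed data; only our leading bytes matter.
    ours = payload[:PAYLOAD_LEN]
    ts, got_salt, masked_ip, crc = struct.unpack(PAYLOAD_FMT, ours)
    # Checksum first: until it passes, nothing else in the payload is worth trusting.
    if zlib.crc32(ours[:PAYLOAD_LEN - 4]) & 0xFFFFFFFF != crc:
        return (False, "bad checksum", None)
    # Salt must match the one this scanner process is using.
    if got_salt != salt:
        return (False, "salt mismatch", None)
    # Timestamp must be within a reasonable window of now (either direction).
    if now_us is None:
        now_us = time.time_ns() // 1000
    if abs(now_us - ts) > max_skew_us:
        return (False, "timestamp out of range", None)
    # Un-XOR the jumbled field with the salt and make sure it is an address we probed.
    target = str(ipaddress.IPv4Address(masked_ip ^ got_salt))
    if target not in probed_ips:
        return (False, "not a probed target", None)
    return (True, "ok", target)


def demo():
    """kx's scenario: request sent to 10.10.100.5, reply arrives from 10.10.1.5.
    Returns the target the reply is attributed to, or None if it is rejected."""
    salt = 0x5A17C0DE  # constructed value; a real scanner would draw this randomly per run
    probed = {"10.10.100.5", "10.10.200.5"}
    sent_at = 1_000_000
    request_payload = build_echo_payload("10.10.100.5", salt, now_us=sent_at)
    reply_src = "10.10.1.5"  # not in our probe list, so the source alone would be ignored
    accepted, reason, target = check_echo_reply(
        request_payload, salt, probed, now_us=sent_at + 500_000
    )
    print(f"reply from {reply_src}: accepted={accepted} reason={reason} target={target}")
    return target if accepted else None


if __name__ == "__main__":
    demo()
```

Two caveats worth keeping in mind if this were ever implemented. CRC32 only catches accidental corruption or reordering; a middlebox or host that knows the layout can fabricate a passing payload, so a keyed hash (HMAC over the first three fields with a per-run key) would be the choice if forged "host up" replies mattered rather than just mangled ones. And the time window has to tolerate replies that legitimately arrive late on slow links, so the window should be tied to the scan's own timeout rather than a fixed constant.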
Current thread:
- Nmap says Host down when actually host is up. Swapnali (Oct 22)
- Re: Nmap says Host down when actually host is up. DePriest, Jason R. (Oct 22)
- <Possible follow-ups>
- Re: Nmap says Host down when actually host is up. Swapnali (Oct 25)
- Re: Nmap says Host down when actually host is up. Fyodor (Oct 25)
- Re: Nmap says Host down when actually host is up. Kris Katterjohn (Oct 25)
- RE: Nmap says Host down when actually host is up. Dario Ciccarone (dciccaro) (Oct 25)
- Re: Nmap says Host down when actually host is up. kx (Oct 25)
- Re: Nmap says Host down when actually host is up. Brandon Enright (Oct 26)
- Re: Nmap says Host down when actually host is up. Fyodor (Oct 26)
- Re: Nmap says Host down when actually host is up. Swapnali (Oct 26)
- RE: Nmap says Host down when actually host is up. Dario Ciccarone (dciccaro) (Oct 26)
- RE: Nmap says Host down when actually host is up. Dario Ciccarone (dciccaro) (Oct 26)
- Re: Nmap says Host down when actually host is up. Fyodor (Oct 25)
- Re: Nmap says Host down when actually host is up. Kris Katterjohn (Oct 26)