Penetration Testing mailing list archives

ECN/CWR bits and scanning?


From: "Don Parker" <dparker () rigelksecurity com>
Date: Mon, 1 Mar 2004 13:39:42 -0500 (EST)

Deleted the response I saw on this so I am creating a new thread on it to pass on some
info. To reiterate, I see no benefit by sending crafted packets with only the two
aforementioned bits set. This will not glean any further info that you could not get by
sending a SYN packet.

The other side of the coin as well, if you do use this combination, is that you will
definitely set off an IDS if there is one present. That being said, this specific alarm
also generates a great deal of false positives. This is due to some p2p s/w using some
of these bits, queso, legitimate SYN/ECN packets, and just plain old crafted packets.
Don't recall if this really answers your question or not :-) It is definitely unusual
though to see a packet with only the ECN and CWR fields set.
  
Cheers!  
  
Don  
 
------------------------------------------- 
Don Parker, GCIA 
Intrusion Detection Specialist 
Rigel Kent Security & Advisory Services Inc 
www.rigelksecurity.com 
ph :613.249.8340 
fax:613.249.8319 
-------------------------------------------- 
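As an added example that is not part of Don's post, the following Python snippet reads the flags byte from a raw TCP header and separates the "only ECE and CWR set" packet discussed above from the legitimate RFC 3168 ECN-setup SYN and ordinary ECN signalling that make the IDS alert noisy. The sample headers are constructed inline; the labels returned by `classify` are my own triage wording, not any IDS product's rule names.

```python
import struct

# TCP flag bits in byte 13 of the header (RFC 793 flags, RFC 3168 ECE/CWR).
CWR, ECE, URG, ACK, PSH, RST, SYN, FIN = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
FLAG_NAMES = [("CWR", CWR), ("ECE", ECE), ("URG", URG), ("ACK", ACK),
              ("PSH", PSH), ("RST", RST), ("SYN", SYN), ("FIN", FIN)]

def tcp_flags(header: bytes) -> int:
    """Return the 8-bit flags field of a raw TCP header (minimum 20 bytes)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]

def flag_names(flags: int) -> str:
    return "|".join(name for name, bit in FLAG_NAMES if flags & bit) or "none"

def classify(flags: int) -> str:
    """Triage label for the ECN bits: flags-only ECE/CWR is the anomalous case."""
    ecn = flags & (CWR | ECE)
    base = flags & ~(CWR | ECE) & 0xFF   # the non-ECN flags
    if ecn == (CWR | ECE) and base == 0:
        return "anomalous: only ECE and CWR set (crafted packet)"
    if ecn == (CWR | ECE) and base == SYN:
        return "benign: ECN-setup SYN (RFC 3168 negotiation)"
    if ecn == ECE and base == (SYN | ACK):
        return "benign: ECN-setup SYN/ACK"
    if ecn and base & ACK:
        return "benign: ECN signalling on an established connection"
    if ecn:
        return "suspicious: ECN bits with " + flag_names(base)
    return "no ECN bits"

def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte header (zero seq/ack, no options) used as sample input."""
    data_offset = 5 << 4   # header length 5 x 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)

# Constructed samples: a plain SYN scan probe, a real ECN negotiation, the
# flags-only ECE/CWR packet from the thread, and normal ECN echo on a flow.
SAMPLES = {
    "plain SYN": build_tcp_header(40000, 80, SYN),
    "ECN-setup SYN": build_tcp_header(40001, 80, SYN | ECE | CWR),
    "ECE+CWR only": build_tcp_header(40002, 80, ECE | CWR),
    "ACK+ECE": build_tcp_header(40003, 80, ACK | ECE),
}

def main() -> None:
    for label, hdr in SAMPLES.items():
        flags = tcp_flags(hdr)
        print(f"{label:14} {flag_names(flags):14} -> {classify(flags)}")

if __name__ == "__main__":
    main()
```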
