Penetration Testing mailing list archives
ECN/CWR bits and scanning?
From: "Don Parker" <dparker () rigelksecurity com>
Date: Mon, 1 Mar 2004 13:39:42 -0500 (EST)
Deleted the response I saw on this so I am creating a new thread on it to pass on some info. To reiterate, I see no benefit in sending crafted packets with only the two aforementioned bits set. This will not glean any further info that you could not get by sending a SYN packet. The other side of the coin as well, if you do use this combination, is that you will definitely set off an IDS if there is one present.

That being said, this specific alarm also generates a great deal of false positives. This is due to some p2p s/w using some of these bits, queso, legitimate SYN/ECN packets, and just plain old crafted packets. Don't recall if this really answers your question or not :-) It is definitely unusual though to see a packet with only the ECN and CWR fields set.

Cheers!

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------
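The distinction the message draws, between a packet carrying only the ECN bits and a legitimate SYN/ECN packet, can be written as a flag triage for an IDS rule. This is an added example, not part of the original message: the function names, verdict labels and sample headers are constructed, and the ECN-setup combinations it accepts are the ones defined in RFC 3168.

```python
import struct

# TCP flag masks, low bit first (the flags byte is offset 13 of the TCP header).
# ECE is the ECN-Echo bit; together with CWR these are the two bits in question.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
ECN_BITS = ECE | CWR

def tcp_flags(header: bytes) -> int:
    """Extract the flags byte from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return header[13]

def classify(flags: int) -> str:
    """Triage a flags byte by how its ECN bits combine with the other flags."""
    ecn = flags & ECN_BITS
    other = flags & ~ECN_BITS & 0xFF
    if ecn == 0:
        return "no-ecn"
    if other == 0:
        return "alert-ecn-only"  # ECE and/or CWR alone fits no TCP state
    if other == SYN:
        # RFC 3168 ECN-setup SYN carries both ECE and CWR.
        return "ok-ecn-setup-syn" if ecn == ECN_BITS else "review-syn-partial-ecn"
    if other == (SYN | ACK):
        # RFC 3168 ECN-setup SYN-ACK carries ECE without CWR.
        return "ok-ecn-setup-synack" if ecn == ECE else "review-synack-ecn"
    if (other & ACK) and not (other & (SYN | RST)):
        return "ok-established-ecn"  # ECE echo or CWR on an open connection
    return "review-other"

def make_header(flags: int) -> bytes:
    """Build a constructed 20-byte TCP header carrying the given flags."""
    return struct.pack("!HHLLBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed samples: label -> flags byte.
SAMPLES = {
    "plain SYN": SYN,
    "ECN-setup SYN": SYN | ECE | CWR,
    "ECN-setup SYN-ACK": SYN | ACK | ECE,
    "ECE echo on ACK": ACK | ECE,
    "ECE+CWR only": ECE | CWR,
}

def triage_samples() -> dict:
    return {name: classify(tcp_flags(make_header(f))) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:20} {verdict}")
```

A rule that fires on any packet with ECE or CWR set would flag every sample except the plain SYN; keying on the full flag combination leaves only the last one as an alert.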