Vulnerability Development mailing list archives

Re: ICMP clarification


From: Matt Beck <Mbeck () GIANTSTEP COM>
Date: Fri, 15 Sep 2000 16:32:20 -0500

---cut---
If people want to grasp the problems regarding ICMP Usage in Scanning, then
you can read my research paper about it. It is available from my web site:
www.sys-security.com, version 2.01 is the latest.

You can also read Rik Farrow's article at Network Magazine, called
"ICMP Stands for Trouble":
http://www.networkmagazine.com/article/NMG20000829S0003
----cut----

I was reading through your paper and enjoying it when something occurred to
me.

Other posts here have been discussing ANTI-Sniff and ways to detect
promiscuous mode NICs.  One method is to watch for DNS queries.
Your paper mentions that reverse resolution of pinged addresses can be
correlated to an attacking host via DNS logs.

So, has anyone created a tool that can query many different DNS servers
instead of the local one?  I imagine a simple file containing multiple
remote DNS server addresses that are used in round-robin for reverse
resolution.  This would definitely prevent DNS logs from correlating with
the scan of a remote network.

For the Anti-sniff topic, an IDS would have to watch all DNS traffic instead
of just traffic to the local DNS for this activity.

But, it's late on Friday and maybe this isn't making sense.  Do tools
already do this kind of thing for stealth?

Matt
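As an added example (not code from the post or from the papers it cites), a small Python detector run over constructed DNS query-log lines shows the point about an IDS having to watch all DNS traffic: a reverse-resolution sweep spread across several resolvers is only visible when queries to every resolver are correlated per source host. The log format, addresses and the local resolver set are assumptions.

```python
import re
from collections import defaultdict

LOCAL_RESOLVERS = {"10.0.0.2"}  # assumption: the site's own DNS server(s)

# Constructed sample query log: "time src_ip resolver_ip qtype qname".
# 10.0.0.5 reverse-resolves four hosts of 192.0.2.0/24, but only one of
# those PTR queries goes to the local resolver; the rest go off-site.
SAMPLE_LOG = """\
2000-09-15T16:32:20 10.0.0.5 10.0.0.2 A www.example.com
2000-09-15T16:32:21 10.0.0.5 10.0.0.2 PTR 1.2.0.192.in-addr.arpa
2000-09-15T16:32:22 10.0.0.5 198.51.100.7 PTR 2.2.0.192.in-addr.arpa
2000-09-15T16:32:23 10.0.0.5 203.0.113.9 PTR 3.2.0.192.in-addr.arpa
2000-09-15T16:32:24 10.0.0.5 198.51.100.7 PTR 4.2.0.192.in-addr.arpa
2000-09-15T16:32:25 10.0.0.8 10.0.0.2 PTR 9.0.0.10.in-addr.arpa
"""

PTR_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.in-addr\.arpa$", re.I)

def ptr_to_ip(qname):
    """Turn a reversed in-addr.arpa name back into a dotted IPv4 address."""
    m = PTR_RE.match(qname.rstrip("."))
    return ".".join(reversed(m.group(1).split("."))) if m else None

def parse(log_text):
    for line in log_text.splitlines():
        ts, src, resolver, qtype, qname = line.split()
        yield {"ts": ts, "src": src, "resolver": resolver,
               "qtype": qtype, "qname": qname}

def find_reverse_sweeps(log_text, local_resolvers=LOCAL_RESOLVERS,
                        min_hosts=3, only_local=False):
    """Alert when one source PTR-resolves >= min_hosts addresses in one /24.
    only_local=True mimics an IDS that sees traffic to the local DNS only."""
    seen = defaultdict(lambda: {"ips": set(), "resolvers": set()})
    for rec in parse(log_text):
        if rec["qtype"] != "PTR":
            continue
        if only_local and rec["resolver"] not in local_resolvers:
            continue
        ip = ptr_to_ip(rec["qname"])
        if ip is None:
            continue
        net24 = ".".join(ip.split(".")[:3]) + ".0/24"
        seen[(rec["src"], net24)]["ips"].add(ip)
        seen[(rec["src"], net24)]["resolvers"].add(rec["resolver"])
    return [{"src": src, "net": net, "hosts": len(e["ips"]),
             "offsite_resolvers": sorted(e["resolvers"] - local_resolvers)}
            for (src, net), e in seen.items() if len(e["ips"]) >= min_hosts]
```

With the sample log, the full-traffic view raises one alert for 10.0.0.5 naming the two off-site resolvers, while the local-DNS-only view raises none.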
