Annotation of embedaddon/hping2/docs/MORE-FUN-WITH-IPID, revision 1.1
1.1 ! misho 1: Posted to bugtraq mailing list (20 Nov 1999):
! 2:
! 3: ---
! 4: Hi,
! 5:
! 6: some little new ideas about IP ID issue:
! 7:
! 8: The first is about linux firewalling: since it increase IP ID global counter
! 9: even if an outgoing packet will be filtered we are able, for example, to
! 10: scan UDP ports even if ICMP type 3 output is DENY, and in general it is possibleto know when TCP/IP stack reply a packet even if the reply is dropped.
! 11: I think (but not tested) that this is true for almost all firewalls.
! 12:
! 13: The second issue concern the ability to uncover firewall rules. For example
! 14: it is travial to know if host A filter packets from the IP X.Y.Z.W monitoring
! 15: IP ID incresing of host A or host with X.Y.Z.W address (this changes if we are
! 16: interested to know input or output rules) and sending packets that suppose
! 17: some reply. Also this is related with the ability to scan the ports of hosts
! 18: that drop all packets with a source different than host.trusted.com.
! 19: There are others stuff like this but they are only different faces of the
! 20: same concepts.
! 21:
! 22: Some people thinks that this kind of attacks isn't a "real world" attacks,
! 23: I'm strongly interested to know what's bugtraq readers opinion (IMO this
! 24: kind of attacks are feasible and usefull for an attacker. For exaple the
! 25: ability to scan the ports with only spoofed packets and the ability to
! 26: guess remote hosts traffic are a lot real).
! 27:
! 28: ciao,
! 29: antirez
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to MORE-FUN-WITH-IPID CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / hping2 / docs