File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / hping2 / docs / MORE-FUN-WITH-IPID
Revision 1.1.1.1 (vendor branch)
Tue Feb 21 22:11:37 2012 UTC (13 years, 1 month ago) by misho
Branches: hping2, MAIN
CVS tags: v2_0_0rc3p7, v2_0_0rc3p5, v2_0_0rc3p4, v2_0_0rc3p0, v2_0_0rc3, HEAD

Posted to bugtraq mailing list (20 Nov 1999):

---
Hi,

some little new ideas about the IP ID issue:

The first is about Linux firewalling: since it increases the IP ID global counter
even if an outgoing packet will be filtered, we are able, for example, to
scan UDP ports even if ICMP type 3 output is DENY, and in general it is possible
to know when the TCP/IP stack replies to a packet even if the reply is dropped.
I think (but not tested) that this is true for almost all firewalls.

The second issue concerns the ability to uncover firewall rules. For example
it is trivial to know if host A filters packets from the IP X.Y.Z.W by monitoring
the IP ID increasing of host A or of the host with the X.Y.Z.W address (this changes if we are
interested to know input or output rules) and sending packets that call for
some reply. Also this is related to the ability to scan the ports of hosts
that drop all packets with a source different from host.trusted.com.
There is other stuff like this but it is only different faces of the
same concepts.

Some people think that this kind of attack isn't a "real world" attack;
I'm strongly interested to know what bugtraq readers' opinion is (IMO this
kind of attack is feasible and useful for an attacker. For example the
ability to scan ports with only spoofed packets and the ability to
guess remote hosts' traffic are quite real).

ciao,
antirez

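The side channel the post describes rests on one ordering detail: the stack assigns the IP ID when it builds a datagram, before the output filter decides to drop it, so a global counter advances for traffic that never reaches the wire. The model below is an added example, not code from the hping2 project or from the post; it sends no packets and only simulates a host's IP ID allocation policy next to an output filter, so the leak can be measured and compared with two mitigations. `HostStack`, `Policy`, `observe_gap`, `leak_for_policy` and the sample addresses are assumptions of this example.

```python
"""Model of the IP ID side channel from the post, and of the mitigations.

Added example; not code from the hping2 project or from the original post.
Nothing here touches the network: HostStack is a toy stack whose IP ID
allocation policy and output filter can be chosen freely.
"""
import secrets
from enum import Enum


class Policy(Enum):
    GLOBAL_COUNTER = "global"    # one 16-bit counter shared by every outgoing datagram
    PER_DESTINATION = "per_dst"  # independent counter for each destination address
    RANDOM = "random"            # unpredictable IP ID for every datagram


class HostStack:
    """Minimal model of IP ID assignment followed by an output filter.

    The ID is consumed when the datagram is built, before the filter decides
    to drop it; that ordering is exactly what the post relies on.
    """

    def __init__(self, policy, drop_output_to=()):
        self.policy = policy
        self._global = 0x1000                  # constructed starting value
        self._per_dst = {}
        self._drop_output_to = set(drop_output_to)
        self.wire = []                         # (dst, ip_id) of datagrams that left the host

    def _next_id(self, dst):
        if self.policy is Policy.GLOBAL_COUNTER:
            self._global = (self._global + 1) & 0xFFFF
            return self._global
        if self.policy is Policy.PER_DESTINATION:
            self._per_dst[dst] = (self._per_dst.get(dst, 0x1000) + 1) & 0xFFFF
            return self._per_dst[dst]
        return secrets.randbelow(0x10000)

    def send(self, dst):
        """Return the IP ID that reached the wire, or None if the filter dropped it."""
        ip_id = self._next_id(dst)
        if dst in self._drop_output_to:
            return None                        # dropped, but the counter already moved
        self.wire.append((dst, ip_id))
        return ip_id


def observe_gap(stack, observer, hidden_activity):
    """Probe the host, let it generate other traffic, probe again.

    Returns (id2 - id1 - 1) mod 2**16, the number of datagrams the observer
    infers were built between its two probe replies. With a global counter
    this equals the number of datagrams the stack generated, dropped or not.
    """
    first = stack.send(observer)           # reply to probe 1; observer is not filtered
    hidden_activity(stack)
    second = stack.send(observer)          # reply to probe 2
    return (second - first - 1) & 0xFFFF


def leak_for_policy(policy, n_hidden=3, peer="203.0.113.9", observer="198.51.100.7"):
    """Constructed scenario: the host's output rules drop everything to `peer`,
    yet the stack still tries to answer `peer` n_hidden times between two
    probes from `observer`. Returns the gap the observer measures."""
    stack = HostStack(policy, drop_output_to={peer})

    def hidden(s):
        for _ in range(n_hidden):
            s.send(peer)                   # always None: filtered, but the ID was consumed

    return observe_gap(stack, observer, hidden)


if __name__ == "__main__":
    for policy in Policy:
        print(f"{policy.name:16s} observer measures gap = {leak_for_policy(policy):5d}")
```

Under `GLOBAL_COUNTER` the observer reads back the exact number of filtered replies, which is the post's point: the firewall hides the packets but not the fact that they were built. A per-destination counter removes the cross-host correlation, and a random ID turns the gap into noise, which is why later stacks moved away from a single global counter (RFC 6864 also notes that the IPv4 ID only needs to be meaningful for datagrams that may be fragmented). On the detection side, the observable pattern on the host is pairs of probe packets from one source bracketing no other traffic from it, repeated at a steady rate; that is what an IDS signature for this kind of probing keys on.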