Re: [Full-disclosure] Idle scan rediscovered!!!
- To: Tim <tim-security@xxxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Idle scan rediscovered!!!
- From: Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 05 May 2006 18:49:20 +0200
On Friday 05 May 2006 at 12:33 -0400, Tim wrote:
> Sorry, I'm having difficulty following some of the details of your
> results. Are you using the Windows machines as the idle hosts only, or
> is the Ubuntu box also being used as an idle host in some
> configurations?
As standard 2.4/2.6 kernel behaviour is to set the DF flag to 1, and IPID
to 0, it's a very bad candidate for an idle host. And sadly, it's no
news that Windows boxes are prone to idle scanning because they have an
incremental IPID generator...
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
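
The distinction drawn in the message above (IPID fixed at 0 with DF set versus an incremental IPID generator) can be checked from a packet capture of your own hosts. The following is an added example, not code from the original post or its author; the function names, the MAX_STEP threshold and the sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed threshold: largest gap between consecutive IP IDs that is still
# treated as one shared counter advancing (the host may send other traffic).
MAX_STEP = 2560


def classify_ipid(samples):
    """Classify IP ID behaviour from (ip_id, df_flag) pairs of ONE source host,
    given in capture order."""
    if len(samples) < 3:
        return "insufficient data"
    ids = [ip_id for ip_id, _ in samples]
    if all(i == 0 for i in ids):
        # The 2.4/2.6 behaviour described in the message: DF=1, IPID=0.
        return "zero with DF" if all(df for _, df in samples) else "zero"
    if len(set(ids)) == 1:
        return "constant"
    # The IP ID field is 16 bits wide, so differences are taken modulo 2^16
    # to survive the wrap from 65535 back to 0.
    steps = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if all(0 < s < MAX_STEP for s in steps):
        return "incremental"
    return "non-sequential"


def audit(packets):
    """packets: iterable of (src, ip_id, df_flag). Returns {src: class}."""
    per_host = defaultdict(list)
    for src, ip_id, df in packets:
        per_host[src].append((ip_id, df))
    return {src: classify_ipid(s) for src, s in per_host.items()}


def predictable_hosts(packets):
    """Hosts whose IP ID sequence an outside observer could predict."""
    return sorted(h for h, c in audit(packets).items() if c == "incremental")


# Constructed sample capture (documentation addresses, not real hosts).
SAMPLE = [
    ("192.0.2.10", 0, True), ("192.0.2.10", 0, True),
    ("192.0.2.10", 0, True), ("192.0.2.10", 0, True),
    ("192.0.2.20", 65533, False), ("192.0.2.20", 65534, False),
    ("192.0.2.20", 65535, False), ("192.0.2.20", 0, False),
    ("192.0.2.20", 2, False),
    ("192.0.2.30", 0x3A21, False), ("192.0.2.30", 0x91F0, False),
    ("192.0.2.30", 0x0C55, False), ("192.0.2.30", 0xE802, False),
]

if __name__ == "__main__":
    for host, kind in sorted(audit(SAMPLE).items()):
        print(host, kind)
```

Hosts reported as "incremental" are the ones the message calls prone to idle scanning; a host that always sends IPID 0 with DF set gives an observer nothing to count.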