30 lines
1.3 KiB
Plaintext
30 lines
1.3 KiB
Plaintext
Posted to bugtraq mailing list (20 Nov 1999):
|
|
|
|
---
|
|
Hi,
|
|
|
|
some little new ideas about IP ID issue:
|
|
|
|
The first is about linux firewalling: since it increase IP ID global counter
|
|
even if an outgoing packet will be filtered we are able, for example, to
|
|
scan UDP ports even if ICMP type 3 output is DENY, and in general it is possibleto know when TCP/IP stack reply a packet even if the reply is dropped.
|
|
I think (but not tested) that this is true for almost all firewalls.
|
|
|
|
The second issue concern the ability to uncover firewall rules. For example
|
|
it is travial to know if host A filter packets from the IP X.Y.Z.W monitoring
|
|
IP ID incresing of host A or host with X.Y.Z.W address (this changes if we are
|
|
interested to know input or output rules) and sending packets that suppose
|
|
some reply. Also this is related with the ability to scan the ports of hosts
|
|
that drop all packets with a source different than host.trusted.com.
|
|
There are others stuff like this but they are only different faces of the
|
|
same concepts.
|
|
|
|
Some people thinks that this kind of attacks isn't a "real world" attacks,
|
|
I'm strongly interested to know what's bugtraq readers opinion (IMO this
|
|
kind of attacks are feasible and usefull for an attacker. For exaple the
|
|
ability to scan the ports with only spoofed packets and the ability to
|
|
guess remote hosts traffic are a lot real).
|
|
|
|
ciao,
|
|
antirez
|