A = scanning machine
B = target machine
C = some third machine not controlled by you
Pick C so that it's not sending any traffic of its own (e.g. do this late at
night to a client box somewhere)
A sends a SYN to B at port X with C's source address
If port X is open at B
B will respond with a SYN/ACK to C
C will send a RST to B (incrementing its ip_id by one)
If port X is closed at B
B will respond with a RST to C
C won't do anything (ip_id stays the same)
As it scans each port, A can poll C's change in ip_id (e.g. using ping) to
determine if a particular port was open. Note that C's ping reply itself
consumes one ip_id, so the difference between two consecutive pings is 2 for
an open port and 1 for a closed one. This only works if C assigns ip_id from
a single, sequentially incrementing counter for all outgoing packets.
Very sneaky.
- Stefan
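The exchange above as a small simulation, added here as an example and not part of Stefan's post. The three hosts, the addresses, the port numbers and the way ip_id is assigned are all constructed for illustration; a real idle scan sends raw spoofed packets (e.g. nmap -sI) and the zombie's own IP stack decides how ip_id behaves. The `Host` class and `idle_scan_port` function are assumptions of this example, not any tool's API.

```python
"""Simulation of the idle (zombie) scan: A spoofs SYNs from C to B and reads
B's answer off C's ip_id counter.  Constructed example, not real packet I/O."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str          # "SYN", "SYN/ACK", "RST", "ECHO" or "ECHO-REPLY"
    ip_id: int = 0


class Host:
    """A host whose IP stack assigns ip_id from one global per-host counter.

    sequential_ip_id=False models a stack whose ip_id is not predictable
    (here a fixed large stride stands in for a randomised counter)."""

    def __init__(self, addr, open_ports=(), sequential_ip_id=True):
        self.addr = addr
        self.open_ports = set(open_ports)
        self.stride = 1 if sequential_ip_id else 7919
        self._ip_id = 1000
        self.sent = []

    def _next_ip_id(self):
        self._ip_id = (self._ip_id + self.stride) & 0xFFFF
        return self._ip_id

    def send(self, dst, dport, flags):
        pkt = Packet(self.addr, dst, dport, flags, self._next_ip_id())
        self.sent.append(pkt)
        return pkt

    def receive(self, pkt):
        """Answer like a TCP/ICMP stack would; returns the reply or None."""
        if pkt.flags == "ECHO":
            return self.send(pkt.src, 0, "ECHO-REPLY")
        if pkt.flags == "SYN":
            # Open port: SYN/ACK, closed port: RST.  Either goes to the
            # (possibly spoofed) source address, never back to the scanner.
            reply = "SYN/ACK" if pkt.dport in self.open_ports else "RST"
            return self.send(pkt.src, pkt.dport, reply)
        if pkt.flags == "SYN/ACK":
            # Unsolicited SYN/ACK: the stack tears it down with a RST,
            # which costs the host one ip_id.
            return self.send(pkt.src, pkt.dport, "RST")
        # Unsolicited RST: silently dropped, nothing is sent.
        return None


def idle_scan_port(scanner, target, zombie, port):
    """One probe of the idle scan; returns 'open', 'closed' or 'unknown'."""
    # 1. Read the zombie's current ip_id off a ping reply.
    before = zombie.receive(Packet(scanner, zombie.addr, 0, "ECHO")).ip_id
    # 2. Spoof a SYN to the target that claims to come from the zombie.
    spoofed = Packet(zombie.addr, target.addr, port, "SYN")
    reply = target.receive(spoofed)     # SYN/ACK or RST, addressed to the zombie
    zombie.receive(reply)               # zombie RSTs (open) or stays quiet (closed)
    # 3. Ping again.  The reply itself consumes one ip_id, so an open port
    #    shows up as +2 and a closed port as +1.
    after = zombie.receive(Packet(scanner, zombie.addr, 0, "ECHO")).ip_id
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed"
    return "unknown"    # zombie is not idle, or its ip_id is not sequential


def idle_scan(scanner, target, zombie, ports):
    return {p: idle_scan_port(scanner, target, zombie, p) for p in ports}


if __name__ == "__main__":
    A = "10.0.0.1"
    B = Host("10.0.0.2", open_ports={22, 80})
    C = Host("10.0.0.3")
    print(idle_scan(A, B, C, [22, 80, 443]))
```

Every packet the target sees carries C's address, which is why B never learns who really scanned it; the `unknown` branch is the check to run first against a candidate zombie, since a host with a randomised ip_id (or one busy with its own traffic) makes the delta meaningless.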