If port X is open at B
B will respond with a SYN/ACK to B
---------------------------------------^
C will send a RST to C (incrementing ip_id by one)
-----Original Message-----
From: Stefan Savage [mailto:savage@cs.washington.edu]
Sent: Thursday, June 10, 1999 11:33 AM
To: syn
Cc: Stefan Savage
Subject: why the ip_id hack will go away...
I was just reading about a brand new port scanning technique that uses the
monotonicity of ip_id in a useful way. Here's the trick:
A = scanning machine
B = target machine
C = some third machine not controlled by you
Pick C so that it's not sending any traffic of its own (e.g. do this late at
night to a client box somewhere)
A sends a SYN to B at port X with C's source address
If port X is open at B
B will respond with a SYN/ACK to C
C will send a RST to C (incrementing ip_id by one)
If port X is closed at B
B will respond with a RST to C
C won't do anything (ip_id stays the same)
As it scans each port, A can poll C's change in ip_id (e.g. using ping) to
determine if a particular port was scanned.
Very sneaky.
- Stefan
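The inference A performs on C's ip_id counter, as an added example that is not part of the e-mail above. It is an in-process simulation of the three hosts (no packets are sent, and the host classes, port numbers and starting counter value are constructed for the example). It follows the message's model: B answers a SYN with SYN/ACK when the port is open and RST when it is closed; C answers an unsolicited SYN/ACK with a RST (sent back to B, the source of that SYN/ACK) and silently drops an unsolicited RST; every datagram C emits consumes the next value of a single global, monotonically increasing IP ID counter. It also shows the two ways the trick breaks: background traffic at C during the probe window (which is why the message says to pick an idle C; with one stray datagram a closed port is reported as open) and a stack that randomizes ip_id per datagram, which is what the subject line anticipates.

```python
"""Simulation of the ip_id (idle) scan described above. Added example;
the hosts, ports and counter values are constructed, nothing is transmitted."""
import random


class Zombie:
    """Host C: the idle third party whose IP ID counter A reads."""

    def __init__(self, randomize_ipid=False, background=0):
        self.ip_id = 1000                  # arbitrary starting value (constructed)
        self.randomize_ipid = randomize_ipid
        self.background = background       # datagrams C sends on its own per probe window

    def _emit(self):
        # Every IP datagram C transmits consumes one ID.
        if self.randomize_ipid:
            self.ip_id = random.randrange(65536)     # per-datagram random ID
        else:
            self.ip_id = (self.ip_id + 1) & 0xFFFF   # classic global counter
        return self.ip_id

    def receive(self, kind):
        """React to a TCP segment from B; return the ID of any reply C sends."""
        if kind == "SYN/ACK":
            return self._emit()            # no matching SYN of its own: RST back to B
        return None                        # unsolicited RST: dropped, nothing sent

    def background_traffic(self):
        """Traffic C generates by itself while A is between samples."""
        for _ in range(self.background):
            self._emit()

    def ping(self):
        """Echo reply to A's probe; A reads the current IP ID from it."""
        return self._emit()


class Target:
    """Host B: answers SYNs according to which ports are open."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, port):
        return "SYN/ACK" if port in self.open_ports else "RST"


def idle_scan_port(target, zombie, port):
    """A's logic for one port: sample C's ID, spoof a SYN, sample again.

    Returns "open", "closed", or "unknown" when the counter moved by an
    amount neither outcome explains (non-sequential IDs, heavy noise).
    """
    before = zombie.ping()
    # A sends SYN to B:port with C's address as source; B's reply goes to C.
    zombie.receive(target.receive_syn(port))
    zombie.background_traffic()            # whatever C sends on its own meanwhile
    after = zombie.ping()
    delta = (after - before) & 0xFFFF
    if delta == 2:                         # A's second ping + C's RST to B
        return "open"
    if delta == 1:                         # A's second ping only
        return "closed"
    return "unknown"


def idle_scan(target, zombie, ports):
    return {p: idle_scan_port(target, zombie, p) for p in ports}


if __name__ == "__main__":
    b = Target(open_ports={22, 80})
    print("idle zombie:   ", idle_scan(b, Zombie(), [22, 25, 80, 443]))
    # One stray datagram from C per window turns every closed port into "open".
    print("noisy zombie:  ", idle_scan(b, Zombie(background=1), [22, 25, 80, 443]))
    # Randomized IP IDs leave nothing for A to read.
    print("random ip_id:  ", idle_scan(b, Zombie(randomize_ipid=True), [22, 25, 80, 443]))
```

The "unknown" branch is the check a real scanner needs: a delta other than 1 or 2 means the zombie is not idle or its IDs are not sequential, and the result for that port must be discarded rather than guessed. Note that a small amount of noise is worse than a lot of it, because a delta of exactly 2 caused by one unrelated datagram is indistinguishable from a genuine open port.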