Re: IDS: Tracing Nmap -D Scans

Dug Song (dugsong@monkey.org)
Tue, 23 Mar 1999 10:23:28 -0500 (EST)

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

On Mon, 22 Mar 1999, HD Moore wrote:

> Context clues like TTL fields,

which are forgeable

> previous traffic from one of the source addresses (grepping log files
> for http or icmp traffic),

which a good attacker wouldn't do, or would spoof similarly

> and the more aggressive techniques like determining which if any of
> the source addresses are capable of launching nmap.

how do you propose to do this? if they were 100 decoy addresses belonging
to several large ISPs' dial-up pools, for example?

> A source address belonging to a Windows NT server could be eliminated
> quickly, as well as any source addresses matching high-profile web
> sites (whitehouse.gov fbi.gov nosc.mil nasa.gov etc..).

sure, but again, a good attacker wouldn't do this.

bottom line: it's not hard to forge packets. it takes a few more brain
cells to forge them convincingly. but i'm still not convinced that any
heuristic we can come up with will correctly identify the real source of
an nmap -D scan even half of the time.

-d.

---
http://www.monkey.org/~dugsong/
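The two heuristics argued over above (TTL consistency and prior legitimate traffic from a source) can be written down as a scoring pass over captured probe records, which makes the thread's point concrete: they separate a real source from sloppy decoys, and give no ranking at all once the decoys are shaped to look the same. This is an added example, not code from either poster or from nmap; the probe records, the prior-traffic set, and the function names (`score_sources`, `rank_candidates`, `heuristic_is_informative`) are all constructed here.

```python
"""Added example: scoring the candidate sources of an nmap -D style scan
with the weak heuristics discussed in the thread. All data is constructed."""
from collections import defaultdict

# Initial TTL values used by the common OS families; a probe's implied hop
# distance is the gap to the nearest of these at or above the observed TTL.
INITIAL_TTLS = (64, 128, 255)


def implied_hops(ttl):
    """Estimate hop distance from an observed TTL (a forgeable signal)."""
    candidates = [t for t in INITIAL_TTLS if t >= ttl]
    base = min(candidates) if candidates else 255
    return base - ttl


def score_sources(probes, prior_traffic):
    """probes: iterable of (src_ip, observed_ttl, dst_port) from a SYN scan.
    prior_traffic: set of source IPs seen earlier in ordinary http/icmp logs.
    Returns per-source features used by the heuristics."""
    ttls_by_src = defaultdict(list)
    for src, ttl, _port in probes:
        ttls_by_src[src].append(ttl)
    features = {}
    for src, ttls in ttls_by_src.items():
        hops = {implied_hops(t) for t in ttls}
        features[src] = {
            "probes": len(ttls),
            "hop_estimates": sorted(hops),
            # A real host's probes all travel the same path; naive decoys
            # with randomised TTLs do not.
            "ttl_consistent": len(hops) == 1,
            "seen_before": src in prior_traffic,
        }
    return features


def rank_candidates(features):
    """One point per satisfied heuristic; ties broken by address for stability."""
    ranked = [
        (src, int(f["ttl_consistent"]) + int(f["seen_before"]))
        for src, f in features.items()
    ]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


def heuristic_is_informative(ranked):
    """True only if a single candidate is strictly ahead of all others."""
    if len(ranked) < 2:
        return True
    return ranked[0][1] > ranked[1][1]


def analyze(probes, prior_traffic):
    ranked = rank_candidates(score_sources(probes, prior_traffic))
    return ranked, heuristic_is_informative(ranked)


# Constructed scan 1: decoys with inconsistent TTLs, real host seen before.
NAIVE_DECOYS = [
    ("192.0.2.10", 52, 22), ("192.0.2.10", 52, 80),
    ("198.51.100.7", 120, 22), ("198.51.100.7", 240, 80),
    ("203.0.113.5", 64, 22), ("203.0.113.5", 30, 80),
]
NAIVE_PRIOR = {"192.0.2.10"}

# Constructed scan 2: every source's TTLs are self-consistent and none has
# appeared in earlier logs, as the thread says a careful attacker would arrange.
CAREFUL_DECOYS = [
    ("192.0.2.10", 52, 22), ("192.0.2.10", 52, 80),
    ("198.51.100.7", 116, 22), ("198.51.100.7", 116, 80),
    ("203.0.113.5", 243, 22), ("203.0.113.5", 243, 80),
]
CAREFUL_PRIOR = set()

if __name__ == "__main__":
    for label, probes, prior in (("naive", NAIVE_DECOYS, NAIVE_PRIOR),
                                 ("careful", CAREFUL_DECOYS, CAREFUL_PRIOR)):
        ranked, informative = analyze(probes, prior)
        print(label, ranked, "informative" if informative else "no ranking")
```

Run it and the naive set ranks the real host alone at the top, while the careful set produces a three-way tie: the heuristics only ever catch the attacker who did not bother, which is the thread's conclusion.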