On 17 Oct 00, at 15:14, Jay Random wrote:
> What made you dismiss the possibility of a decoy
> scan? Also, if he had a compromised sniffing box
> upstream from the target, why actively portscan and
> give away your activity, when a passive portscan
> would be more simple and logical? How would a
> sniffer add any benefit to the distributed scan?
Assuming this is not a decoyed scan, a listening presence
upstream would be necessary to interpret responses to purely
spoofed stimuli. Yes, of course passive techniques would be a
more stealthy, although somewhat luck-dependent, option for him.
A decoy scan is not completely ruled out. However, a decoy scan
should ideally use reachable, yet unresponsive host addresses so
as not to risk ICMP type 3 messages being sent back to the scan
target, providing data for a process of elimination.
In order for the embedded packets' TTLs to vary as I have seen,
network conditions would need to fluctuate considerably (not too
unlikely), he would need to be a moving target, or his tool would be
crafting variable initial TTL values. As they are all within a realistic
range below 32 (Win9x??), this last possibility is slim.
Until I have my grubby paws on an offender's machine, I can merely
speculate.
Cheers!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Any sufficiently advanced technology
is indistinguishable from magic.
Arthur C. Clarke
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
George Bakos
alpinista_at_bigfoot.com
Received on Oct 19 2000
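The process of elimination described in the message above, as an added Python example that is not part of the original post or its author's work: claimed sources for which the target's SYN/ACKs bounced with ICMP type 3 are ruled out as the real scanner, and the surviving sources' arrival TTLs are checked for the three explanations the post lists (route fluctuation, a moving target, or a tool writing arbitrary initial TTLs). The record layouts, the four-hop spread threshold, the verdict labels and every sample address and TTL are assumptions constructed here, not data from the thread.

```python
"""Process-of-elimination analysis for a suspected decoy port scan.

Added example, not code from the original post or its author. It assumes
the defender has recorded, at the scan target, (a) every SYN probe with
its claimed source address and the IP TTL on arrival, and (b) every ICMP
type 3 (destination unreachable) message that came back after the target
answered the probes. The probe and ICMP records below are constructed
sample data; the thresholds and verdict labels are choices made here.
"""
from collections import defaultdict
from dataclasses import dataclass

# Initial TTLs used by common IP stacks (32 for Win9x-era Windows, 64 for
# most Unix-likes, 128 for later Windows, 255 for some network gear).
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Probe:
    src: str    # claimed source address of the SYN
    ttl: int    # TTL observed when the SYN reached the target
    dport: int  # destination port probed


@dataclass(frozen=True)
class Unreachable:
    original_dst: str  # destination of our SYN/ACK as quoted in the ICMP error
    code: int          # ICMP type 3 code (0 net, 1 host, 3 port unreachable, ...)


def infer_initial_ttl(observed: int):
    """Smallest common initial TTL that is >= the observed value, or None."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return None  # > 255 cannot occur in a legitimate IPv4 header


def hop_estimate(observed: int) -> int:
    """Hops traversed, assuming the inferred initial TTL is right."""
    return infer_initial_ttl(observed) - observed


def classify_ttls(ttls, max_spread: int = 4) -> str:
    """Judge whether one claimed source's TTLs look like a single real path.

    Packets from one host over a stable route arrive with the same TTL,
    give or take a few hops of route flap. TTLs that imply different
    initial values, or that wander more than max_spread, suggest either a
    moving target or a tool writing arbitrary initial TTLs into the header.
    """
    initials = {infer_initial_ttl(t) for t in ttls}
    if None in initials or len(initials) > 1:
        return "inconsistent_ttl"
    if max(ttls) - min(ttls) > max_spread:
        return "inconsistent_ttl"
    return "consistent"


def analyse(probes, unreachables):
    """Return per-source verdicts: eliminated, inconsistent_ttl or consistent."""
    bounced = {u.original_dst for u in unreachables}
    ttls_by_src = defaultdict(list)
    for p in probes:
        ttls_by_src[p.src].append(p.ttl)

    report = {}
    for src, ttls in ttls_by_src.items():
        if src in bounced:
            # Our replies to this address never reached a host, so nothing
            # there can be reading the results: a decoy, not the scanner.
            report[src] = {"verdict": "eliminated",
                           "reason": "ICMP type 3 returned for our SYN/ACKs"}
            continue
        verdict = classify_ttls(ttls)
        report[src] = {
            "verdict": verdict,
            "ttls": sorted(ttls),
            # A single initial TTL only makes sense when the set is consistent.
            "initial_ttl": infer_initial_ttl(ttls[0]) if verdict == "consistent" else None,
            "hops": sorted({hop_estimate(t) for t in ttls
                            if infer_initial_ttl(t) is not None}),
        }
    return report


# Constructed sample: four claimed sources probing ports 21, 23 and 25.
SAMPLE_PROBES = [
    Probe("203.0.113.9", 23, 21), Probe("203.0.113.9", 24, 23), Probe("203.0.113.9", 22, 25),
    Probe("198.51.100.7", 20, 21), Probe("198.51.100.7", 60, 23), Probe("198.51.100.7", 250, 25),
    Probe("192.0.2.10", 51, 21), Probe("192.0.2.10", 52, 23),
    Probe("203.0.113.44", 116, 21), Probe("203.0.113.44", 115, 23),
]
# Constructed sample: one host-unreachable for the SYN/ACK we sent to 192.0.2.10.
SAMPLE_UNREACHABLES = [Unreachable("192.0.2.10", 1)]

if __name__ == "__main__":
    for src, result in analyse(SAMPLE_PROBES, SAMPLE_UNREACHABLES).items():
        print(src, result)
```

On the sample data, 192.0.2.10 is eliminated by the ICMP error, 198.51.100.7 shows TTLs implying three different initial values and is flagged as crafted or moving, and the two remaining sources each sit within a couple of hops of one initial TTL (32 and 128), which is the "realistic range" situation the post describes. The spread threshold is a judgement call; widen it on links known to reroute often.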