Nmap Development: RE: Nmap says Host down when actually host is up.

From: Dario Ciccarone (dciccaro) <dciccaro_at_cisco.com>
Date: Fri, 26 Oct 2007 11:07:46 -0400

Yeah, for what it's worth, I kind of agree with this approach.

And even if someone came up with the full details (topology, packet
captures, device versions, etc) - would it make at all sense to add a
bunch of code to detect a corner case? Yes - if Fyodor is shooting for
perfection this week. Not, if it is some weird combination of OS/load
balancer/firewall/NAT/router/etc it is probably going to be seen in the
wild once in a blue moon :)

Dario
 

> -----Original Message-----
> From: Fyodor [mailto:fyodor_at_insecure.org]
> Sent: Friday, October 26, 2007 3:50 AM
> To: Brandon Enright
> Cc: kx; nmap-dev_at_insecure.org; Dario Ciccarone (dciccaro); Swapnali
> Subject: Re: Nmap says Host down when actually host is up.
>
> On Fri, Oct 26, 2007 at 07:10:33AM +0000, Brandon Enright wrote:
> >
> > I haven't given it more than 2 seconds of thought, but we could try
> > something TCP SYNCOOKIE inspired for our ICMP ECHO requests.
>
> Hi Brandon. The response already has enough information (e.g. ICMP
> sequence and ID numbers) for us to recognize it. But I think in most
> cases where we get a response from a different IP than the target we
> sent to, it is because the target host forwarded the request
> (e.g. subnet-directed broadcast) to other machines, and one or more of
> them answered. In that case, for us to mark the target as up would be
> a false positive. For us to change that behavior and mark the host as
> up, I would want some evidence that actual online hosts responding
> with the wrong IP is a normal occurrence.
>
> Cheers,
> -F
>

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Oct 26 2007
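
The matching rule discussed in the quoted message, as an added example that is not Nmap's code and not part of the original thread: an echo reply is tied to a probe by its ICMP ID and sequence numbers, but only counts as evidence that the target is up when its source address is the target's. The function names, the `probes` table and the documentation-range addresses are assumptions made for the illustration.

```python
import socket
import struct

ICMP_ECHO_REPLY = 0

def parse_echo_reply(packet):
    """Return (src_ip, icmp_id, icmp_seq) for an IPv4 ICMP echo reply, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return None                        # protocol 1 = ICMP
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if icmp_type != ICMP_ECHO_REPLY or code != 0:
        return None
    return socket.inet_ntoa(packet[12:16]), ident, seq

def classify(packet, probes):
    """probes (hypothetical table) maps (icmp_id, icmp_seq) -> IP the echo request was sent to."""
    parsed = parse_echo_reply(packet)
    if parsed is None:
        return None, "ignored"
    src, ident, seq = parsed
    target = probes.get((ident, seq))
    if target is None:
        return None, "unsolicited"
    if src == target:
        return target, "up"
    # ID/seq show the reply answers our probe, but it came from another
    # address (e.g. a host answering a forwarded subnet-directed broadcast),
    # so it is not evidence that the target itself is online.
    return target, "reply-from-other-host"

def build_reply(src, dst, ident, seq):
    """Constructed sample packet; checksums are left at zero because nothing here verifies them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq)

if __name__ == "__main__":
    # Constructed probe table: one probe to a broadcast address, one to a host.
    probes = {(0x1234, 1): "192.0.2.255", (0x1234, 2): "192.0.2.10"}
    for pkt in (build_reply("192.0.2.10", "198.51.100.5", 0x1234, 2),
                build_reply("192.0.2.77", "198.51.100.5", 0x1234, 1),
                build_reply("192.0.2.77", "198.51.100.5", 0x9999, 1)):
        print(classify(pkt, probes))
```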
