From: Fyodor [mailto:fyodor () insecure org]
Sent: Friday, October 26, 2007 3:50 AM
To: Brandon Enright
Cc: kx; nmap-dev () insecure org; Dario Ciccarone (dciccaro); Swapnali
Subject: Re: Nmap says Host down when actually host is up.
On Fri, Oct 26, 2007 at 07:10:33AM +0000, Brandon Enright wrote:
I haven't given it more than 2 seconds of thought, but we could try
something TCP SYNCOOKIE inspired for our ICMP ECHO requests.
Hi Brandon. The response already has enough information (e.g. ICMP
sequence and ID numbers) for us to recognize it. But I think in most
cases where we get a response from a different IP than the target we
sent to, it is because the target host forwarded the request
(e.g. subnet-directed broadcast) to other machines, and one or more of
them answered. In that case, for us to mark the target as up would be
a false postive. For us to change that behavior and mark the host as
up, I would want some evidence that actual online hosts responding
with the wrong IP is a normal occurence.