mailing list archives
Re: allow_ipid_match causing replies to be ignored
From: Fyodor <fyodor () insecure org>
Date: Fri, 12 Jun 2009 00:04:55 -0700
On Thu, Jun 11, 2009 at 04:54:12PM -0600, David Fifield wrote:
So, that's the problem, what's the solution? allow_ipid_match should
default to accepting packets, otherwise it can be fooled when there's
not much data. It should reject a packet only when the ratio of bogus to
the total is low and a certain large number of packets have been
received, like 100.
That seems reasonable. Also, the comparison could be changed to allow
byte swapped values since that is probably the most common type of
On the other hand, maybe the whole allow_ipid_match concept is
misguided. Solaris and the other operating systems seem to get by fine
Well, those operating systems combined are probably in the low single
digits of operating system percentages for running Nmap. Solaris is
the only one which is still popular at all. So we might not hear
about problems, if there are any.
That being said, I'm also not sure that we need this and I'm not at
all averse to removing the test if we already have sufficient other
tests in the six places in scan_engine.cc where it is used.
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org