Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [PATCH] TCP Idle Scan in IPv6
From: "Mathias Morbitzer" <m.morbitzer () runbox com>
Date: Mon, 23 Sep 2013 10:06:27 +0200 (CEST)

On Fri, 20 Sep 2013 13:29:53 -0700, David Fifield <david () bamsoftware com> wrote:

Also, my masterthesis in which I explain the TCP Idle Scan in IPv6, is
now finished and online:
http://www.ru.nl/publish/pages/578936/m_morbitzer_masterthesis.pdf


For people who do not want to read the whole thesis, I also wrote an article which only deals with the TCP Idle Scan in 
IPv6, and not with its two alternatives, the RST Rate Limit Scan and the SYN Cache Scan. 
It is available here: 
https://www.researchgate.net/publication/256846709_TCP_Idle_Scans_in_IPv6/file/9c960523ff1da8b77a.pdf

I found it interesting in section 4.1, that Windows 8 uses a global
identifier counter, but gives it a different offset for each host. 

This is indeed my favorite discovery of the whole research. No clue why anyone would do this. Maybe to make the 
identifiers look random? 
But if so, why not use a random value right away? If anybody knows or thinks to know the reason for this, please share 
your ideas with me. ! 

I also didn't know that OpenBSD counts both incoming and outgoing segments
for the purpose of RST rate limiting (section 5.1).
 
Also very interesting for me. The man page of OpenBSD says that only incoming segments are counted, but my tests say 
its also outgoing segments. 

I'm working now on merging your patch.

Great! Feels good to know that my code will end up in Nmap! 


Mathias Morbitzer
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault