RE: Information Needed on Malicious Traffic

From: Chris Ricker (kaboomat_private)
Date: Thu Jul 10 2003 - 14:51:08 PDT


    On Thu, 10 Jul 2003, David Klotz wrote:
    
    > I can't find a reference to this now, but at Vern Paxson's talk at the
    > 1999 USENIX Workshop on Intrusion Detection he claimed that malicious
    > packets and broken packets are essentially indistinguishable.  Obviously
    > this wouldn't apply to certain obvious intrusion attempts (like a GET
    > cmd.exe in your logs, or something similar) but if true I would have to
    > imagine it would cast serious doubt on just about any hard number you
    > could find.  
    
    This is kinda funny. I actually saw an example of his point about 15 minutes
    ago. Check out
    <http://support.microsoft.com/default.aspx?scid=kb;EN-US;q138268>. RFC 1122
    mandates that network stacks not send datagrams with a TTL of zero, but
    early MS stacks can sometimes more-or-less innocently send traffic with a
    TTL of zero -- "broken packets".
    
    There's also an old teardrop variant, nestea, which carries out a DoS
    against older Linux kernels -- "malicious packets". The datagrams it
    generates have a TTL of zero.
    
    The snort box I was just on logged both the broken MS packets and the
    (usually) malicious nestea packets identically, as "BAD TRAFFIC 0 TTL"....
    
    later,
    chris
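The collision Chris describes, as an added example that is not part of the original post: a TTL-only check modelled on Snort's "BAD TRAFFIC 0 TTL" rule fires identically on a single unfragmented datagram with TTL 0 (the "broken" case) and on every fragment of a fragmented datagram with TTL 0 (the nestea-style case). What separates them is context the rule never looks at, here the fragment offsets. All packets are constructed inline; the three-fragment layout with one overlapping fragment is illustrative of teardrop-style traffic and is not nestea's actual wire format, and the rule text in the comment is an approximation, not a verbatim copy of Snort's rules file.

```python
"""Added example: a TTL-only detection rule versus fragment-context triage.
Packets are constructed in this file; the overlap layout is illustrative."""
import socket
import struct

def ip_checksum(data):
    """Standard ones'-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(src, dst, ttl, proto=17, ident=0, flags=0, frag_off=0, payload=b""):
    """Build an IPv4 datagram (20-byte header, no options) with a valid checksum.
    flags: bit 0 = MF (more fragments), bit 1 = DF.  frag_off is in 8-byte units."""
    ihl = 5
    total_len = ihl * 4 + len(payload)
    flags_frag = (flags << 13) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, ident,
                      flags_frag, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt):
    """Decode the fields a detector cares about from a raw IPv4 datagram."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0xF, "total_len": total_len,
            "id": ident, "mf": bool(flags_frag & 0x2000),
            "frag_off": flags_frag & 0x1FFF, "ttl": ttl, "proto": proto}

def ttl_zero_rule(pkt):
    """Approximates: alert ip any any -> any any (ttl:0; msg:"BAD TRAFFIC 0 TTL")
    Looks at one header field and nothing else."""
    return "BAD TRAFFIC 0 TTL" if parse_ipv4(pkt)["ttl"] == 0 else None

def overlapping_fragments(pkts):
    """Return the IP IDs whose fragments overlap (teardrop/nestea-style reassembly abuse).
    A lone unfragmented datagram can never appear here."""
    spans = {}
    for p in pkts:
        h = parse_ipv4(p)
        if not (h["mf"] or h["frag_off"]):
            continue  # not a fragment
        start = h["frag_off"] * 8
        end = start + h["total_len"] - h["ihl"] * 4
        spans.setdefault(h["id"], []).append((start, end))
    bad = set()
    for ident, s in spans.items():
        s.sort()
        for (_a0, a1), (b0, _b1) in zip(s, s[1:]):
            if b0 < a1:
                bad.add(ident)
    return bad

def triage(pkts):
    """What the TTL-only rule says, beside what fragment context adds."""
    return {"ttl_alerts": [ttl_zero_rule(p) for p in pkts],
            "overlapping_ids": overlapping_fragments(pkts)}

# Constructed sample traffic (assumed addresses, not captured data).
SRC = socket.inet_aton("10.0.0.1")
DST = socket.inet_aton("10.0.0.2")

# "Broken": a single, unfragmented UDP datagram that simply left the stack with TTL 0.
BROKEN_MS = build_ipv4(SRC, DST, ttl=0, ident=1, payload=b"\x00" * 8)

# "Malicious": three fragments of one datagram, all TTL 0, the last overlapping the
# first two (illustrative layout, not nestea's real offsets).
NESTEA_STYLE = [
    build_ipv4(SRC, DST, ttl=0, ident=0x1234, flags=1, frag_off=0, payload=b"\x00" * 24),
    build_ipv4(SRC, DST, ttl=0, ident=0x1234, flags=1, frag_off=3, payload=b"\x00" * 24),
    build_ipv4(SRC, DST, ttl=0, ident=0x1234, flags=0, frag_off=2, payload=b"\x00" * 24),
]

if __name__ == "__main__":
    print("broken MS datagram :", triage([BROKEN_MS]))
    print("nestea-style frags :", triage(NESTEA_STYLE))
```

Both inputs produce the same "BAD TRAFFIC 0 TTL" alert per packet; only the overlap check tells the reassembly-abuse case from a stack that merely violated RFC 1122. That is exactly why a count of TTL-0 alerts is not a count of attacks.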
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 10 2003 - 15:06:46 PDT