On Fri, 18 Oct 2002, Ofir Arkin wrote:

> There are protocols which you CAN perfectly understand and distinguish
> between legit and not legit traffic.

No, because, as I stated, this is not an either-or distinction. Simply put, the presence or absence of legitimate traffic, or a specific nature (sequence, target, type) of legitimate traffic can establish a covert channel. ICMP ping with no payload, normalized options, etc., can be considered legitimate traffic, assuming your policy allows pings. Yet the fact the host is pinged three times, as opposed to two, may establish a covert information flow (practical for some purposes, not practical for others).

-- 
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2002-10-18 14:38 --
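Taking the "three pings versus two" point from a defender's side, the following Python is an added example (not from the thread or its authors): it groups constructed ICMP echo-request log lines into per-host-pair bursts, estimates from the burst-size distribution how many bits per burst the count alone could carry, and flags pairs whose count varies. The log format, hosts and thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log, one "<epoch> <src> <dst> echo-request" line per ICMP
# echo request (not real data). 10.0.0.5 sends bursts of 3,2,3,2 pings a minute
# apart; 10.0.0.7 is a monitoring host that always sends exactly 2.
SAMPLE_LOG = "\n".join(
    f"{1034970000 + 60 * i + t} {src} 10.0.0.1 echo-request"
    for src, bursts in (("10.0.0.5", [3, 2, 3, 2]), ("10.0.0.7", [2, 2, 2, 2]))
    for i, n in enumerate(bursts) for t in range(n))

def parse_echo_requests(log):
    """Yield (timestamp, src, dst) for every echo-request line."""
    for line in log.splitlines():
        ts, src, dst, kind = line.split()
        if kind == "echo-request":
            yield int(ts), src, dst

def burst_sizes(events, gap=5):
    """Per (src, dst), split requests into bursts separated by > gap seconds
    and return the list of burst sizes, e.g. {("a", "b"): [3, 2, 3, 2]}."""
    stamps = defaultdict(list)
    for ts, src, dst in events:
        stamps[(src, dst)].append(ts)
    sizes = {}
    for pair, times in stamps.items():
        counts, last = [], None
        for ts in sorted(times):
            if last is None or ts - last > gap:
                counts.append(0)          # a new burst starts here
            counts[-1] += 1
            last = ts
        sizes[pair] = counts
    return sizes

def entropy_bits(sizes):
    """Shannon entropy of the burst-size distribution: the most information
    (bits per burst) the ping count alone could convey with that usage."""
    n = len(sizes)
    return -sum(c / n * math.log2(c / n) for c in Counter(sizes).values())

def flag_variable_burst_pairs(log, gap=5, min_bursts=4, min_bits=0.5):
    """Return {pair: (sizes, bits)} for pairs whose burst sizes vary enough
    to matter; a constant count has zero entropy and is never flagged."""
    flagged = {}
    for pair, sizes in burst_sizes(parse_echo_requests(log), gap).items():
        bits = entropy_bits(sizes)
        if len(sizes) >= min_bursts and bits >= min_bits:
            flagged[pair] = (sizes, round(bits, 3))
    return flagged
```

With the sample above, only the 10.0.0.5 pair is flagged, at one bit per burst; the constant two-ping monitor has zero entropy and stays below the threshold.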
This archive was generated by hypermail 2b30 : Sat Oct 19 2002 - 09:29:51 PDT