RE: Covert Channels

From: Michal Zalewski (lcamtufat_private)
Date: Fri Oct 18 2002 - 11:41:25 PDT

    On Fri, 18 Oct 2002, Ofir Arkin wrote:
    
    > There are protocols which you CAN perfectly understand and distinguish
    > between legit and not legit traffic.
    
    No, because, as I stated, this is not an either-or distinction. Simply
    put, the presence or absence of legitimate traffic, or a specific
    nature (sequence, target, type) of legitimate traffic can establish a
    covert channel. ICMP ping with no payload, normalized options, etc., can
    be considered legitimate traffic, assuming your policy allows pings. Yet
    the fact the host is pinged three times, as opposed to two, may establish
    a covert information flow (practical for some purposes, not practical for
    others).
    
    -- 
    ------------------------- bash$ :(){ :|:&};: --
     Michal Zalewski * [http://lcamtuf.coredump.cx]
        Did you know that clones never use mirrors?
    --------------------------- 2002-10-18 14:38 --
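
The point made in the message above, shown from the monitoring side as an added example that is not part of the original post: every packet passes a per-packet policy check, yet the number of pings per burst still varies, and the entropy of that count bounds what it could carry. The log records, function names and the 10-second burst gap are assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed sample log of ICMP echo requests:
# (timestamp_seconds, source, payload_len, ip_options_len).
# Every packet has an empty payload and no options.
SAMPLE_LOG = [
    (0.0, "10.0.0.5", 0, 0), (1.0, "10.0.0.5", 0, 0),
    (60.0, "10.0.0.5", 0, 0), (61.0, "10.0.0.5", 0, 0), (62.0, "10.0.0.5", 0, 0),
    (120.0, "10.0.0.5", 0, 0), (121.0, "10.0.0.5", 0, 0), (122.0, "10.0.0.5", 0, 0),
    (180.0, "10.0.0.5", 0, 0), (181.0, "10.0.0.5", 0, 0),
]

def packet_is_legit(pkt):
    """Per-packet policy check (assumed policy): empty payload, no IP options."""
    _, _, payload_len, options_len = pkt
    return payload_len == 0 and options_len == 0

def burst_sizes(log, source, gap=10.0):
    """Group one source's pings into bursts separated by more than `gap` seconds
    and return the number of pings in each burst, in time order."""
    times = sorted(t for t, src, _, _ in log if src == source)
    sizes, last = [], None
    for t in times:
        if last is None or t - last > gap:
            sizes.append(0)  # start a new burst
        sizes[-1] += 1
        last = t
    return sizes

def entropy_bits(values):
    """Shannon entropy of the observed values, in bits per observation.
    Zero means the count never varies; anything above zero is room for signalling."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

if __name__ == "__main__":
    print("all packets pass policy:", all(packet_is_legit(p) for p in SAMPLE_LOG))
    sizes = burst_sizes(SAMPLE_LOG, "10.0.0.5")
    print("pings per burst:", sizes)
    print("bits per burst (upper bound):", entropy_bits(sizes))
```
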
    



    This archive was generated by hypermail 2b30 : Sat Oct 19 2002 - 09:29:51 PDT