| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Mar 29 00:32:07 2006 From: avalon at caligula.anu.edu.au (Darren Reed) Subject: Detecting local anomalies (fwd) [originally sent by me to nmap-hackers] Can nmap tell when the response time of a packet from a host differs by a large amount with respect to the majority of packets and from that make any suggestions or conclusions? For example, if nmap were to get a response of some kind from a linux box that sent the packet up through libipq, wouldn't there by a rather large time difference for it? Another example might be if one packet matches a different local policy, say IPsec, and it gets tunnelled/encrypted/ something before the response being sent back. The reason this came to mind is that last week I hacked up some code to do port-knocking with IPFilter in a manner that to the casual observer will always look like every port is closed unless the right combination is hit and then only the last one is open. I was thinking this is pretty undetectable from a scanning point of view. Then for some reason I thought about the impact of the knocking ports sending packets up to user space before generating a negative reply and that this would be detectable at a packet level in the difference between the time it takes for normal replies to be returned vs these ones. I've since removed the need for the trip to user space just to generate the negative reply but it did get me thinking and I thought I'd share those thoughts :) Darren
Powered by blists - more mailing lists