From owner-freebsd-net Mon Apr 16 18:57:26 2001 Delivered-To: freebsd-net@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 9833137B43E; Mon, 16 Apr 2001 18:57:22 -0700 (PDT) (envelope-from dillon@earth.backplane.com) Received: (from dillon@localhost) by earth.backplane.com (8.11.2/8.11.2) id f3H1v4d87804; Mon, 16 Apr 2001 18:57:04 -0700 (PDT) (envelope-from dillon) Date: Mon, 16 Apr 2001 18:57:04 -0700 (PDT) From: Matt Dillon Message-Id: <200104170157.f3H1v4d87804@earth.backplane.com> To: Niels Provos Cc: Kris Kennaway , Wes Peters , freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org Subject: Re: non-random IP IDs References: <20010416214611.6DA3F207C1@citi.umich.edu> Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org :No reasoning. You do not need the htons(). The fragment ids just :need to be unique. An htons() does not change that property. I dont :like that code very much. A variable-block-size cipher in counter :mode would do the job better. : :However, what many ppl do not realize is that you can use predictable :ip ids to anonymously port scan machines. Bugtraq talks about how to :do that. : :Niels. It's not worth doing. We would be introducing unnecessary cpu burn on every single packet we sent out, all to solve a problem that doesn't really exist. Most people doing port scans don't care whether they are anonymous or not, anyway. They just do the scans. Also, port scanning software has gotten a whole lot more sophisticated these days... usually people want to portscan a whole bunch (thousands) of machines all at once, but to prevent detection the newer programs randomize the port and host being tested on a per-packet basis so any given 'victim' doesn't actually see all that much traffic. -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message