
2. The Bogus Flag Probe

Here, a SYN packet with an undefined flag set is sent to the targeted host. Machines running the Linux operating system with a kernel prior to 2.0.35 will keep the flag set in their response. Some operating systems will reset (RST) the connection when they receive this kind of probe.

3. TCP Initial Sequence Number Sampling

Finding patterns in the initial sequence numbers chosen by TCP implementations when responding to a connection request. The answers can be divided into four groups:

· Traditional 64k (older UNIXs)
· Random increment (FreeBSD, DG-UX, IRIX, newer versions of Solaris)
· True "random" (Linux)
· Time-dependent model (MS Windows)

4. "Don't Fragment" Bit

To enhance performance, some operating systems set the "Don't fragment" bit. Monitoring this behavior can give the attacker more information about the target operating system.

5. TCP Initial Window

Some stack implementations use a unique initial window size on their returned packets. AIX, for example, is the only operating system using the value 0x3F25. OpenBSD and FreeBSD use 0x402E.

6. ACK Value

In some cases IP stacks even differ in the value they use for the ACK field. For example, when a FIN|PSH|URG is sent to a closed port, most implementations set the acknowledgement number in the returned packet to the same value as the sequence number received. Windows responds with an ACK field equal to the sequence number + 1.

7. ICMP Error Message Quenching

RFC 1812 [25] suggests limiting the rate at which various error messages are sent. Only a few operating systems are known to follow this RFC. An attacker can use this by sending UDP packets to a random, high UDP port and counting the number of unreachable messages received within a given amount of time.

[25] http://www.ietf.org/rfc/rfc1812.txt
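The ISN sampling technique in item 3 classifies a stack by the pattern of increments between successive initial sequence numbers. The following is an added example, not code from the original paper: given (timestamp, ISN) pairs taken from a stack's SYN/ACK replies, it sorts the behaviour into the four groups listed above. The sample ISN sequences are constructed, and the 2^24 "small increment" threshold and 5% rate tolerance are assumptions, not values from the paper.

```python
# Classify a sampled sequence of TCP initial sequence numbers (ISNs) into the
# four behaviour groups discussed in the text. Sample data below is constructed;
# the SMALL_INCREMENT threshold and the rate tolerance are assumed heuristics.
from typing import List, Tuple

MOD = 1 << 32                 # ISNs are 32-bit and wrap around
SMALL_INCREMENT = 1 << 24     # assumption: increments below this are "increment style",
                              # anything larger looks like a full-range random draw

def isn_deltas(samples: List[Tuple[float, int]]) -> Tuple[List[int], List[float]]:
    """Return per-probe ISN increments (mod 2^32) and the inter-probe time intervals."""
    if len(samples) < 3:
        raise ValueError("need at least three ISN samples to see a pattern")
    deltas, dts = [], []
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must have strictly increasing timestamps")
        deltas.append((s1 - s0) % MOD)   # modular difference handles 32-bit wraparound
        dts.append(t1 - t0)
    return deltas, dts

def classify_isn(samples: List[Tuple[float, int]], tolerance: float = 0.05) -> str:
    deltas, dts = isn_deltas(samples)
    # Constant step per connection (classic implementations step by 64000).
    if len(set(deltas)) == 1:
        return "traditional-64k"
    # Increment proportional to elapsed time: ISN/second is (nearly) constant.
    rates = [d / dt for d, dt in zip(deltas, dts)]
    if max(rates) - min(rates) <= tolerance * max(rates):
        return "time-dependent"
    # Varying but small steps: random increment per connection.
    if max(deltas) < SMALL_INCREMENT:
        return "random-increment"
    # Differences spread across the whole 32-bit space: truly random ISNs.
    return "true-random"

# Constructed probe timestamps; deliberately uneven so a time-dependent stack
# does not masquerade as a constant-increment one.
SAMPLE_TIMES = [0.0, 0.5, 1.3, 1.7, 2.9]

def with_times(isns: List[int]) -> List[Tuple[float, int]]:
    return list(zip(SAMPLE_TIMES, isns))

OLD_UNIX_SAMPLES = with_times([1000000 + 64000 * i for i in range(5)])
TIME_DEP_SAMPLES = with_times([5000000, 5125000, 5325000, 5425000, 5725000])  # 250000/s
RAND_INC_SAMPLES = with_times([7000000, 7012345, 7111110, 7115431, 7170986])
TRUE_RAND_SAMPLES = with_times([0x1A2B3C4D, 0xDEADBEEF, 0x00001234, 0xCAFEBABE, 0x7FFFFFFF])
```

Because the constant-increment test runs first, probes must be spaced at uneven intervals; with perfectly regular timing a time-dependent stack produces identical deltas and would be misfiled as traditional-64k.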