8. ICMP Message Quoting
ICMP error messages must quote part of the datagram that caused the error. RFC 792 requires the original IP header plus the first 8 bytes (64 bits) of the original datagram's payload, which is enough for the sender to match the error to the socket and datagram that triggered it.
With almost all implementations, a PORT UNREACHABLE message quotes exactly that: the IP header plus 8 bytes. Solaris sends more information than is needed, and Linux even more.
9. ICMP Error Message Echoing Integrity
When sending back an ICMP error message, some stack implementations alter fields of the IP header they quote instead of returning it byte for byte.
If an attacker examines the types of alteration that have been made to the quoted headers, he may be able to make certain assumptions about the target operating system.
10. Type of Service (TOS)
When an ICMP PORT UNREACHABLE message is sent, an attacker can examine the type of service field in the IP header of the reply.
Nearly all implementations set this field to 0; Linux uses 0xC0.
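Items 8 to 10 are all read off the same reply, so one analyzer covers them. The following is an added example, not code from the paper: it builds a UDP probe and two ICMP PORT UNREACHABLE replies in pure Python, then reports how many payload bytes were quoted, which quoted IP header fields differ from what was sent, and the TOS of the reply. Both replies are constructed for illustration and are not measurements of any particular OS: the first quotes the minimum with TOS 0, the second quotes the whole datagram, sets TOS 0xC0 and hands back the quoted header with its TTL decremented. Header checksums are left at zero because nothing is transmitted.

```python
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"   # IPv4 header without options, 20 bytes


def build_ipv4(src, dst, proto, payload, tos=0, ident=0x1234, ttl=64):
    """Assemble an IPv4 datagram (checksum left at 0: fine for offline analysis)."""
    total_len = 20 + len(payload)
    hdr = struct.pack(IP_HDR, (4 << 4) | 5, tos, total_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp_probe(src, dst, sport, dport, payload):
    """UDP datagram to a port assumed closed; the target should answer with ICMP type 3 code 3."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return build_ipv4(src, dst, 17, udp)


def build_port_unreachable(src, dst, quoted, tos=0):
    """ICMP destination unreachable, code 3 (port), carrying `quoted` bytes of the offending datagram."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return build_ipv4(src, dst, 1, icmp, tos=tos)


def parse_ipv4(data):
    f = struct.unpack(IP_HDR, data[:20])
    return {
        "ihl": (f[0] & 0x0F) * 4, "tos": f[1], "total_len": f[2], "id": f[3],
        "flags_frag": f[4], "ttl": f[5], "proto": f[6], "checksum": f[7],
        "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
    }


def analyze_port_unreachable(reply, probe):
    """Extract the three fingerprinting signals (items 8, 9, 10) from a port unreachable reply."""
    outer = parse_ipv4(reply)
    icmp = reply[outer["ihl"]:]
    if (icmp[0], icmp[1]) != (3, 3):
        raise ValueError("not an ICMP port unreachable message")
    quoted = icmp[8:]                    # ICMP header is 8 bytes; the rest is the quoted datagram
    quoted_ip = parse_ipv4(quoted)
    sent_ip = parse_ipv4(probe)
    # A conforming stack echoes these fields unchanged; any difference is the "echoing integrity" signal.
    altered = [k for k in ("tos", "total_len", "id", "flags_frag", "ttl", "proto", "checksum", "src", "dst")
               if quoted_ip[k] != sent_ip[k]]
    return {
        "tos": outer["tos"],                                     # item 10: TOS of the reply itself
        "quoted_payload_bytes": len(quoted) - quoted_ip["ihl"],  # item 8: 8 for most stacks
        "altered_fields": altered,                               # item 9
    }


# Constructed probe: 20-byte IP header + 8-byte UDP header + 20 bytes of payload = 48 bytes.
PROBE = build_udp_probe("10.0.0.1", "10.0.0.2", 40000, 33434, b"A" * 20)

# Constructed reply 1: minimal quoting (IP header + 8 bytes), TOS 0.
REPLY_MINIMAL = build_port_unreachable("10.0.0.2", "10.0.0.1", PROBE[:28])

# Constructed reply 2: quotes the entire datagram, TOS 0xC0, and decrements the quoted TTL (byte 8).
_tampered = bytearray(PROBE)
_tampered[8] -= 1
REPLY_FULL = build_port_unreachable("10.0.0.2", "10.0.0.1", bytes(_tampered), tos=0xC0)

if __name__ == "__main__":
    print("minimal:", analyze_port_unreachable(REPLY_MINIMAL, PROBE))
    print("full:   ", analyze_port_unreachable(REPLY_FULL, PROBE))
```

On a live host the same analyzer runs over the reply captured from a raw socket; the only change is that the probe's checksum will be nonzero, so a stack that rewrites the quoted header and recomputes the checksum shows up as an altered "checksum" field as well.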
11. Fragmentation Handling
Different stack implementations handle overlapping fragments differently. This was pointed out by Thomas Ptacek and Tim Newsham in their paper Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection.
When the fragments are reassembled, some implementations overwrite the old data with the data of the newly arrived fragment, while others keep the old data and discard the overlapping part of the new one.
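The two reassembly policies side by side, as an added example that is not part of the paper. Fragment offsets are given in bytes for readability (real IP fragment offsets count 8-byte units; this is an assumption of the example, not of the paper), and the fragments are constructed inline. A hole in the fragment set is rejected rather than silently filled.

```python
def reassemble(fragments, policy):
    """Reassemble one datagram from (offset, data) fragments in arrival order.

    policy == "favor_new": later fragments overwrite bytes already received.
    policy == "favor_old": bytes already received are kept; new data only fills gaps.
    Raises ValueError if the fragments leave a hole.
    """
    if policy not in ("favor_new", "favor_old"):
        raise ValueError("unknown policy")
    end = max(off + len(data) for off, data in fragments)
    buf = bytearray(end)
    seen = bytearray(end)   # 1 where a byte has been received
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "favor_new" or not seen[pos]:
                buf[pos] = byte
            seen[pos] = 1
    if not all(seen):
        raise ValueError("hole in reassembled datagram")
    return bytes(buf)


def streams_differ(fragments, policy_a, policy_b):
    """True when two stacks with different overlap policies reassemble different payloads.

    This is the evasion condition: a monitor that assumes one policy sees a different
    stream than a host that implements the other.
    """
    return reassemble(fragments, policy_a) != reassemble(fragments, policy_b)


# Constructed fragments: the second overlaps bytes 2..5 of the first.
FRAGMENTS = [(0, b"ATTACK"), (2, b"XXXX")]

if __name__ == "__main__":
    for policy in ("favor_old", "favor_new"):
        print(policy, reassemble(FRAGMENTS, policy))
    print("monitor and host disagree:", streams_differ(FRAGMENTS, "favor_old", "favor_new"))
```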
12. TCP Options
RFC 793 defines the TCP options. RFC 1323 [26] defines the more advanced TCP options.
· Not all hosts implement TCP options.
· When sending a query with an option set to a targeted host, the target host will set the option in the reply only if it supports it.
· We can test all the options at the same time if we send one packet that includes all the options.
When you examine the response packet, you look at the Options field for the options that were set. These are the supported options.
Some operating systems support all the advanced options while others support very few.
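The probe described in the three points above, as an added example that is not part of the paper: a SYN whose Options field carries MSS, Window Scale, SACK permitted and Timestamps at once, a TLV walker for the reply's Options field that stops at EOL, skips NOPs and rejects a malformed length, and a comparison of what was sent against what came back. Window Scale and Timestamps are the RFC 1323 options; SACK permitted is from RFC 2018 and is included because a fingerprinting probe normally sends it too. The two replies are constructed, one from a stack echoing only MSS and one echoing everything; checksums are left at zero.

```python
import struct

OPTION_NAMES = {2: "MSS", 3: "Window Scale", 4: "SACK permitted", 8: "Timestamps"}


def build_options(mss=1460, wscale=7, sack=True, ts=(0x01020304, 0)):
    """Options list carrying every option at once, NOP-aligned and padded to a 4-byte boundary."""
    opts = struct.pack("!BBH", 2, 4, mss)                 # MSS, kind 2, length 4
    opts += b"\x01" + struct.pack("!BBB", 3, 3, wscale)   # NOP + Window Scale, kind 3, length 3
    if sack:
        opts += b"\x01\x01" + bytes([4, 2])               # NOP NOP + SACK permitted, kind 4, length 2
    opts += struct.pack("!BBII", 8, 10, *ts)              # Timestamps, kind 8, length 10
    while len(opts) % 4:
        opts += b"\x00"                                    # EOL padding
    return opts


def build_tcp(sport, dport, seq, flags, options=b""):
    """TCP header with the data offset sized to cover the options (checksum left at 0)."""
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, data_offset << 4, flags, 65535, 0, 0)
    return hdr + options


def tcp_options(segment):
    """Slice the Options field out of a TCP segment using its data offset."""
    data_offset = (segment[12] >> 4) * 4
    return segment[20:data_offset]


def parse_options(blob):
    """Walk kind/length/value options; returns {kind: value_bytes}."""
    found = {}
    i = 0
    while i < len(blob):
        kind = blob[i]
        if kind == 0:                         # End of option list
            break
        if kind == 1:                         # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option")
        length = blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed option length")
        found[kind] = blob[i + 2:i + length]
        i += length
    return found


def supported_options(probe, reply):
    """Names of the options that were sent in the probe and echoed in the reply."""
    sent = set(parse_options(tcp_options(probe)))
    echoed = set(parse_options(tcp_options(reply)))
    return sorted(OPTION_NAMES.get(k, f"kind {k}") for k in sent & echoed)


# Constructed probe: SYN (flags 0x02) with all options.
PROBE = build_tcp(40000, 80, 1000, 0x02, build_options())

# Constructed SYN/ACK (flags 0x12) from a stack that only echoes MSS.
REPLY_MSS_ONLY = build_tcp(80, 40000, 5000, 0x12, struct.pack("!BBH", 2, 4, 1460))

# Constructed SYN/ACK from a stack that echoes every option.
REPLY_ALL = build_tcp(80, 40000, 5000, 0x12, build_options(mss=1460, wscale=2, ts=(99, 0x01020304)))

if __name__ == "__main__":
    print("sent:", sorted(parse_options(tcp_options(PROBE))))
    print("mss-only stack supports:", supported_options(PROBE, REPLY_MSS_ONLY))
    print("full stack supports:    ", supported_options(PROBE, REPLY_ALL))
```

The parser checks the length byte before trusting it because a reply with a zero or out-of-range option length would otherwise loop or read past the field; in a real scan that is the difference between a bad result for one host and a hung probe.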
[26] http://www.ietf.org/rfc/rfc1323.txt