the thing about ping.
I am sorry, it is very true that I confused the IP datagram ID
with the ICMP id field. The confusion came from tcpdump printing
the id with -vvv and me interpreting it as the ICMP id.
It is cool that OpenBSD gives random IP datagram IDs. I was
playing around with a couple of other OSes and figured out that Linux 2.0
increments it by 2, and Solaris (all of them) and AIX by 1.
As a footnote: the PID of the process originating the ICMP
messages goes out. I've experimented and verified it; it also goes
backwards, which is kind of funny; but I do not see any serious vulnerability in
this.
Thanks everyone;
-C.Altineller <altine@ee.fit.edu>
> I believe you're confusing the IP datagram ID with the ID field in the ICMP
> header. Recently a technique for spoofing port scans was described on the
> BUGTRAQ mailing list that exploited the fact that most hosts incremented their
> IP datagram ID by 1 for every packet sent (search the mailing list archive at
> www.netspace.org for the complete description).
>
> In response to this, OpenBSD's datagram IDs were randomized.
>
> If you check our ping.c source file, you'll note:
>
> icp->icmp_type = ICMP_ECHO;
> icp->icmp_code = 0;
> icp->icmp_cksum = 0;
> icp->icmp_seq = htons(ntransmitted++);
> icp->icmp_id = ident; (ident set to getpid() & 0xFFF)
>
> I believe this is precisely how the sample ping program in UNPv1 is
> implemented.
>
> . _ _ _ _ . . _ _ . . _ _ _ . .
> : |-||-||<|_||\| |_|-||\/||-'|->|_-|_|_ DalTech, Halifax, NS, Canada
> `---------------------------------------- [http://www.biodome.org/~fx] -
- References:
- Re: ping.
- From: Aaron Campbell <aaron@ug.cs.dal.ca>
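The thread makes two observations worth seeing in code: the quoted ping.c fills the ICMP echo header with type 8, code 0, a zeroed checksum, an incrementing sequence number and the process id as the identifier, and different IP stacks advance the IP datagram ID by a fixed step (1 or 2) or, as on OpenBSD, unpredictably. The following is an added example, not code from either poster or from OpenBSD's ping.c: it builds and parses an echo request laid out the way the quoted snippet does, and it classifies a sample of IP IDs observed in consecutive packets as sequential-with-step or unpredictable, which is the check a defender would run to see whether a host leaks packet counts through its IP ID. The sample ID lists are constructed for the example, the identifier is masked to the 16-bit field width, and both fields are packed in network byte order.

```python
import os
import struct
from typing import Dict, List


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded with 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP echo request in the order the quoted ping.c fills the header:
    type 8 (ICMP_ECHO), code 0, checksum 0 while summing, then id and seq."""
    ident &= 0xFFFF                          # id field is 16 bits (example masks like ping does)
    seq &= 0xFFFF
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    cksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, cksum, ident, seq) + payload


def parse_echo(packet: bytes) -> Dict[str, int]:
    """Decode the 8-byte header and verify the checksum (sum over the whole
    packet including the checksum field must come out to zero)."""
    t, c, ck, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": t, "code": c, "cksum": ck, "id": ident, "seq": seq,
            "valid": icmp_checksum(packet) == 0}


def classify_ip_ids(ids: List[int]) -> str:
    """Classify a host's IP ID generator from IDs seen in consecutive packets.
    Deltas are taken modulo 2**16 so a counter wrapping past 65535 still
    reads as sequential."""
    if len(ids) < 3:
        raise ValueError("need at least three consecutive samples")
    deltas = {(b - a) % 0x10000 for a, b in zip(ids, ids[1:])}
    if len(deltas) == 1:
        return "sequential (+%d)" % deltas.pop()
    return "unpredictable (%d distinct deltas in %d samples)" % (len(deltas), len(ids))


# Constructed samples modelled on the behaviours described in the thread:
# a +2 counter (Linux 2.0 style), a +1 counter wrapping at 65535 (Solaris/AIX
# style) and a randomized generator (OpenBSD style).
SAMPLE_IP_IDS = {
    "step-2-counter": [1000, 1002, 1004, 1006, 1008],
    "step-1-counter": [65533, 65534, 65535, 0, 1],
    "randomized": [0x3A1F, 0x91C2, 0x0B77, 0xE403, 0x5D28],
}


def report() -> Dict[str, str]:
    """Run the classifier over every constructed sample."""
    return {name: classify_ip_ids(ids) for name, ids in SAMPLE_IP_IDS.items()}


if __name__ == "__main__":
    # Identifier from the current pid, as the quoted ping.c does.
    pkt = build_echo(os.getpid(), 0, b"ping-payload")
    print(parse_echo(pkt))
    for name, verdict in report().items():
        print("%-15s %s" % (name, verdict))
```

A sequential verdict means an observer who sends a host one packet and then another can infer how many datagrams it emitted in between, which is the property the spoofed-scan technique mentioned in the quoted reply relies on; a randomized generator removes that signal. The same idea applies to the ICMP identifier: exposing the pid is less useful to an observer than a counter is, but masking it with a random value costs nothing.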