Re: ECN: Clearing the air

From: jamal (hadi@cyberus.ca)
Date: Sat Jan 27 2001 - 21:15:48 EST

Next message: Jens Axboe: "Re: 2.4.1-pre10 deadlock (Re: ps hang in 241-pre10)"
Previous message: Chris Wedgwood: "Re: ECN: Clearing the air"
In reply to: Chris Wedgwood: "Re: ECN: Clearing the air"
Next in thread: Pavel Machek: "Re: ECN: Clearing the air"
Reply: Pavel Machek: "Re: ECN: Clearing the air"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 28 Jan 2001, Chris Wedgwood wrote:

> On Sat, Jan 27, 2001 at 07:23:51PM -0500, jamal wrote:
>
> suggested blocking ECN. Article at:
>
> http://www.securityfocus.com/frames/?focus=ids&content=/focus/ids/articles/portscan.html
>
> the site is now ATM -- can someone briefly explain the logic in
> blocking it?
>

It is Queso they quoted not nmap, sorry -- same thing.
The idea is to "detect" port scanners.
Queso sets the two TCP reserved bits in the SYN (now allocated for ECN).
Some OSes reflect that back in the SYN-ACK (Linux < 2.0.2? for example
was such a culprit).
Queso could then use that information to narow down the OS detection.
I suppose the idea is to detect Queso and react to it ;->

cheers,
jamal

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jens Axboe: "Re: 2.4.1-pre10 deadlock (Re: ps hang in 241-pre10)"
Previous message: Chris Wedgwood: "Re: ECN: Clearing the air"
In reply to: Chris Wedgwood: "Re: ECN: Clearing the air"
Next in thread: Pavel Machek: "Re: ECN: Clearing the air"
Reply: Pavel Machek: "Re: ECN: Clearing the air"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Wed Jan 31 2001 - 21:00:28 EST