On Wed, Sep 14, 2005 at 04:33:29PM +0200, I am WE4SEL wrote:

> Another question is this fragmented option of nmap. Correct me if
> I'm wrong but isn't fragmentation an IP feature that all modern
> products should be capable of?

Yes, this is true.

> So does nmap not finding the host with -f option enabled mean the
> host (or maybe a device in between) is not understanding fragmented
> packets?

It may be so but those tiny fragments are rather blocked by some firewall in-between. If you want to find out, use hping2 to generate fragmented packets with different MTU (don't forget to inflate data so it does matter) in traceroute mode (hping2 -T) ... this way you should find out how far they get and where they are dropped or rejected.

> And if yes wouldn't that be off standard (quick read through man
> nmap does not inform of nmap being off standard)?

Blocking tiny fragments is off standard but it is not uncommon practice to drop them because they usually don't appear in normal traffic and could be malicious (DoS or FW/IDS evasion). For more, see

RFC 1858 - Security Considerations for IP Fragment Filtering
RFC 3128 - Protection Against a Variant of the Tiny Fragment Attack

Martin Mačok
ICT Security Consultant
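
The filter-side behaviour discussed in the reply above, as an added example that is not part of the original message: a Python sketch of the two tiny-fragment checks from RFC 1858 (drop a TCP first fragment shorter than a minimum length, and drop any TCP fragment at offset 1). The `TMIN` value, the function names and the sample packets are assumptions constructed for this illustration.

```python
import struct

TCP = 6
TMIN = 16  # assumed minimum TCP bytes required in a first fragment (covers the flags byte)

def classify_fragment(packet: bytes) -> str:
    """Apply the RFC 1858 tiny-fragment checks to one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not a complete IPv4 header"
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        return "drop: malformed lengths"
    frag_offset = flags_frag & 0x1FFF  # counted in 8-octet units
    transport_len = total_len - ihl
    if packet[9] != TCP:
        return "pass"
    if frag_offset == 0 and transport_len < TMIN:
        return "drop: tiny first fragment (direct check)"
    if frag_offset == 1:
        return "drop: fragment offset 1 (indirect check)"
    return "pass"

def build_ipv4(payload: bytes, frag_offset: int = 0, more: bool = False, proto: int = TCP) -> bytes:
    """Build a constructed IPv4 packet (documentation addresses, checksum left at 0)."""
    flags_frag = (0x2000 if more else 0) | frag_offset
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def sample_verdicts() -> dict:
    """Classify constructed samples: one SYN segment sent whole and as 8-byte fragments."""
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
    return {
        "whole": classify_fragment(build_ipv4(tcp_syn)),
        "frag_fo0": classify_fragment(build_ipv4(tcp_syn[:8], 0, True)),
        "frag_fo1": classify_fragment(build_ipv4(tcp_syn[8:16], 1, True)),
        "frag_fo2": classify_fragment(build_ipv4(tcp_syn[16:], 2, False)),
        "large_first": classify_fragment(build_ipv4(tcp_syn + b"data", 0, True)),
    }

if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:12} {verdict}")
```

A filter applying these checks passes the trailing fragment at offset 2, but the datagram can never be reassembled at the destination once the first fragments are gone, which matches a probe sent in tiny fragments getting no answer.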
