> It could confuse a NIDS.
> However, luckily, this is an option so if the firewall man turns it on, he'll
> probably talk with the NIDS man.
lol. I wrote that part of the scrubber. I also write IDSes for a living. IDSes *must* not be sensitive to increases in TTL. But the hard part is what to do when the TTL decreases and guessing if the end host will actually receive that segment or not. I suppose an anomaly-detecting IDS could use TTL to try and dynamically determine topography, but that isn't of too much utility.

.mike
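The two behaviours mike describes, an IDS that ignores TTL increases within a flow but has to decide what to do with a segment whose TTL has dropped, sit well next to a small model. The block below is an added example written for this page; it is not code from the thread, from the scrubber mike mentions, or from any IDS. The hop-count estimate to the destination (`hops_to_dst`), the `drop_threshold`, the segment layout and all the sample segments are constructed assumptions. The `scrub_min_ttl` helper models the minimum-TTL normalization a firewall scrubber can apply (pf's `scrub` has a `min-ttl` option) so that the end host and the IDS see the same stream.

```python
"""TTL-aware flow monitor and scrubber model (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    ttl: int
    seq: int          # simplified: segment index in the stream, not a byte offset
    payload: bytes


FlowKey = Tuple[str, str]
Alert = Tuple[int, str]   # (seq, kind)


class TtlFlowMonitor:
    """Tracks the highest TTL seen per flow and reports suspicious drops.

    hops_to_dst is an assumed estimate of how many routers sit between the
    monitor and the destination. A segment with a TTL below that estimate
    expires in transit, so the host never sees it; an IDS that reassembles it
    anyway desynchronizes from the host.
    """

    def __init__(self, hops_to_dst: int, drop_threshold: int = 8) -> None:
        self.hops_to_dst = hops_to_dst
        self.drop_threshold = drop_threshold
        self.highest_ttl: Dict[FlowKey, int] = {}

    def host_will_receive(self, seg: Segment) -> bool:
        return seg.ttl >= self.hops_to_dst

    def observe(self, seg: Segment) -> Optional[Alert]:
        key = (seg.src, seg.dst)
        if not self.host_will_receive(seg):
            # Do not let an unreachable segment disturb the flow baseline.
            return (seg.seq, "unreachable")
        seen = self.highest_ttl.get(key)
        if seen is None or seg.ttl > seen:
            # TTL increases are normal (route change, different sender stack)
            # and must never raise an alert.
            self.highest_ttl[key] = seg.ttl
            return None
        if seen - seg.ttl >= self.drop_threshold:
            return (seg.seq, "ttl-drop")
        return None


def scrub_min_ttl(seg: Segment, min_ttl: int) -> Segment:
    """Scrubber side: raise a low TTL to min_ttl so host and IDS agree."""
    if seg.ttl < min_ttl:
        return Segment(seg.src, seg.dst, min_ttl, seg.seq, seg.payload)
    return seg


def run_monitor(segments: List[Segment], hops_to_dst: int,
                min_ttl: Optional[int] = None) -> List[Alert]:
    """Feed segments through the (optional) scrubber and then the monitor."""
    mon = TtlFlowMonitor(hops_to_dst)
    alerts: List[Alert] = []
    for seg in segments:
        if min_ttl is not None:
            seg = scrub_min_ttl(seg, min_ttl)
        alert = mon.observe(seg)
        if alert is not None:
            alerts.append(alert)
    return alerts


def reassemble(segments: List[Segment], hops_to_dst: int) -> bytes:
    """IDS reassembly that skips segments the end host cannot receive."""
    mon = TtlFlowMonitor(hops_to_dst)
    kept = [s for s in segments if mon.host_will_receive(s)]
    return b"".join(s.payload for s in sorted(kept, key=lambda s: s.seq))


# Constructed sample flow: one TTL increase (benign), one segment whose TTL
# is too low to reach the host, and one large TTL drop.
SAMPLE: List[Segment] = [
    Segment("10.0.0.1", "10.0.0.9", 64, 1, b"GET "),
    Segment("10.0.0.1", "10.0.0.9", 64, 2, b"/ind"),
    Segment("10.0.0.1", "10.0.0.9", 63, 3, b"ex.h"),
    Segment("10.0.0.1", "10.0.0.9", 70, 4, b"tml "),
    Segment("10.0.0.1", "10.0.0.9", 3, 5, b"XXXX"),
    Segment("10.0.0.1", "10.0.0.9", 40, 6, b"HTTP"),
]

if __name__ == "__main__":
    print(run_monitor(SAMPLE, hops_to_dst=5))
    print(run_monitor(SAMPLE, hops_to_dst=5, min_ttl=10))
    print(reassemble(SAMPLE, hops_to_dst=5))
```

With the scrubber enforcing a minimum TTL, the "unreachable" case disappears because the host now receives the segment too; the large drop is still reported as an anomaly, which is the part mike says is of limited use on its own but is cheap to keep as a signal.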
