From: Michal Zalewski (lcamtuf_at_dione.ids.pl)
Date: Fri Oct 18 2002 - 13:41:25 CDT
On Fri, 18 Oct 2002, Ofir Arkin wrote:
> There are protocols which you CAN perfectly understand and distinguish
> between legit and not legit traffic.
No, because, as I stated, this is not an either-or distinction. Simply
put, the presence or absence of legitimate traffic, or a specific
nature (sequence, target, type) of legitimate traffic can establish a
covert channel. ICMP ping with no payload, normalized options, etc, can
be considered legitimate traffic, assuming your policy allows pings. Yet
the fact that the host is pinged three times, as opposed to two, may establish
a covert information flow (practical for some purposes, not practical for
others).
--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2002-10-18 14:38 --
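The argument above (a per-packet policy check passes every ping, while the number of compliant pings per interval can still carry information) can be made concrete with a small detector. This is an added example, not code from the thread or its authors; the log records, the 10-second window and the entropy threshold are constructed assumptions.

```python
"""Count-based covert channels in policy-compliant ICMP echo traffic.

Every record below passes a per-packet policy check (no payload, normal
options), so a packet filter sees nothing.  A behavioural check over the
number of pings per time window still separates a steady monitor from a
source whose per-window count varies in a way that could carry bits.
"""
from collections import Counter, defaultdict
import math


def _pings(src, dst, per_window, window=10):
    """Build constructed echo-request records (ts, src, dst): per_window[i]
    pings fall inside window i.  Sample data, not captured traffic."""
    return [(w * window + k, src, dst)
            for w, n in enumerate(per_window) for k in range(n)]


# Constructed sample: a monitor that pings twice every window, and a source
# whose count alternates between two and three pings per window.
SAMPLE = (_pings("10.0.0.5", "10.0.0.1", [2, 2, 2, 2, 2, 2]) +
          _pings("10.0.0.9", "10.0.0.1", [3, 2, 2, 3, 3, 2]))


def per_packet_policy(record):
    """Stand-in for a stateless filter: every record here is compliant."""
    return True


def window_counts(records, window=10):
    """Map (src, dst) -> {window_index: number of echo requests}."""
    counts = defaultdict(Counter)
    for ts, src, dst in records:
        counts[(src, dst)][ts // window] += 1
    return counts


def count_entropy(per_window_counts):
    """Shannon entropy (bits) of the distribution of per-window counts.
    A source that always sends the same number of pings scores 0."""
    hist = Counter(per_window_counts)
    total = sum(hist.values())
    return -sum(c / total * math.log2(c / total) for c in hist.values())


def flag_variable_ping_counts(records, window=10, min_windows=6, threshold=0.5):
    """Return {(src, dst): entropy} for pairs whose per-window ping count
    varies enough to be worth a closer look.  Threshold is an assumption."""
    flagged = {}
    for pair, per_win in window_counts(records, window).items():
        if len(per_win) < min_windows:
            continue
        h = count_entropy(list(per_win.values()))
        if h >= threshold:
            flagged[pair] = round(h, 3)
    return flagged
```

The steady monitor scores 0 bits and is ignored; the alternating source scores 1 bit per window, which is exactly the "three pings instead of two" signal the message describes.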