Denis Ducamp wrote: [snip] > Now some systems protects against been used to spoof-scan : [snip] > . Linux 2.4.x : IPID is null if the packet is small enought to be carried > unfragmented in which case the DF (don't fragment) bit is set > . others perhaps ? Ah-ha!!! So that might be the cause of those bizarre signatures I have been seeing. Can anyone point me to documentation of this Linux-IP-stack-of-the-week feature? Would this and ECN (what looks to me like broken ECN) account for, http://www.securityfocus.com/archive/75/178231 -- Crist J. Clark Network Security Engineer [EMAIL PROTECTED] Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact [EMAIL PROTECTED]