Did you have mod_conntrack enabled? I think that reassembles fragmented packets.
Paul
Michel Arboi wrote:
Yesterday, I was writing jolt.nasl and jolt2.nasl and discovered that my Linux desktop did not send any badly fragmented packet -- either too long (ping of death) or incomplete. My laptop was OK. The former is running a 2.4.20-gentoo-r5 kernel and the latter a "vanilla" kernel; maybe this is related to some kernel option, but I rather suspect one of the patches to be the cause.
So if you are running a non-standard Linux kernel on your scanning
machine, I suggest that you verify that some mysterious patch does not
force the reassembly of all packets, even when the machine is not an
IP router. For example, log in as root, launch "tcpdump -n icmp host target" and "nasl -t target jolt.nasl".
This is not a big flaw; it will just break a couple of ACT_DENIAL or
ACT_FLOOD scripts.
--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: [EMAIL PROTECTED]
web: www.westpoint.ltd.uk
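
Added example, not part of the original thread: a way to read the result of the tcpdump check described above from raw IPv4 headers, telling whether any fragments left the scanning machine and whether they are complete, incomplete, or reassemble past the 65535-byte limit. The function names, the `hdr` helper and the sample headers (192.0.2.x addresses) are constructed for illustration.

```python
import struct
from collections import defaultdict

MAX_DATAGRAM = 65535  # largest total length an IPv4 datagram may have

def parse_ipv4(header):
    """Return (ident, more_fragments, offset_bytes, payload_len) from raw IPv4 header bytes."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", header[2:8])
    # Flags are the top 3 bits (0x2000 = MF); the offset is 13 bits in 8-byte units.
    return ident, bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8, total_len - ihl

def classify(headers):
    """Map each IP ID to what the capture shows for that datagram.
    Simplification: groups by ID only, so feed it one direction of one flow."""
    groups = defaultdict(list)
    for h in headers:
        ident, mf, off, plen = parse_ipv4(h)
        groups[ident].append((off, plen, mf))
    report = {}
    for ident, frags in groups.items():
        frags.sort()
        covered, gap = 0, False
        for off, plen, _ in frags:
            gap = gap or off > covered
            covered = max(covered, off + plen)
        if len(frags) == 1 and frags[0][0] == 0 and not frags[0][2]:
            report[ident] = "unfragmented"
        elif covered + 20 > MAX_DATAGRAM:
            report[ident] = "oversized"    # would reassemble past 65535 bytes
        elif gap or all(mf for _, _, mf in frags):
            report[ident] = "incomplete"   # hole, or the final fragment never appears
        else:
            report[ident] = "complete"
    return report

def fragments_on_wire(report):
    """True if the capture contains any fragment at all."""
    return any(v != "unfragmented" for v in report.values())

def hdr(ident, off, mf, plen):
    """Build a constructed 20-byte IPv4/ICMP header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, ident,
                       (0x2000 if mf else 0) | off // 8, 64, 1, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

# Constructed sample capture: IDs 1-4 cover the four outcomes.
SAMPLE = [hdr(1, 0, False, 64), hdr(2, 0, True, 1480), hdr(2, 1480, False, 520),
          hdr(3, 0, True, 1480), hdr(4, 65528, False, 1000)]
```

If a capture taken while the test script runs yields only "unfragmented" entries, the sending host reassembled the packets before they reached the wire.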
