
List:       intrusions
Subject:    Re: GIAC GCIA Version 3.3 Practical Detect(s)
From:       "Ronny Rietveld" <ronny () plcrietveld ! demon ! nl>
Date:       2002-12-18 16:35:31

> Per Stevens (TCP/IP Illustrated, Volume 1, p. 8) a Class A is in the range
> of 0.0.0.0 to 127.255.255.255
> and Class B is in the range of 128.0.0.0 to 191.255.255.255; therefore, the
> Class B comment should be restated
> to refer to a Class A network.

Ok. (Cisco even got a question about this in the CCNA exam ;-)

> The ID value of 0 is odd, it should contain a unique number to be used for
> the fragmentation of IP datagrams, when necessary.
>
> The sequence number - identifies the byte in the stream of data from the
> sending TCP and to the receiving TCP that the first byte of data in this
> segment represents (Stevens) - should likely be nonzero, it can be zero, but
> should increment with subsequent packets.
>
> The ACK value should contain a value referencing the next sequence number it
> expects to receive and should be nonzero if this process received a
> legitimate SYN packet.
>
> The WIN value should be nonzero, unless there is traffic congestion
> preventing the sending process from receiving packets currently.

Ok.

> Per Stevens (TCP/IP Illustrated, Volume 1, p. 171) - "A datagram destined
> for the limited broadcast address is never forwarded by a router under any
> circumstance.  It only appears on the local cable."  Due to the strong
> statement from one of the gurus, I doubt that this would be a configurable
> parameter with routers.  There is still the chance of modifying a router's
> source code, though, - it's only software.  However, this would probably
> only get your packets to the next unmodified router before the packet's
> progress is halted.

Good, 'limited' is the keyword here. Directed broadcasts can be forwarded
using options like ip helper address and ip directed broadcast. Perhaps it
is possible to bridge frames destined to the limited broadcast address, but
you correctly state that this is a per-hop process and will probably not
lead to a valid return path. (If required)

Good luck with your practical.

Regards,
Ronny
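
The header checks discussed in this thread, as an added example that is not part of the original message: a small Python parser that reports the classful class of an address and flags an IP ID of 0, a sequence number of 0, an ACK flag with acknowledgment number 0, a window of 0, and a limited-broadcast destination. The packet bytes, addresses and function names are constructed for illustration; each finding is a prompt for analyst review, not a verdict.

```python
import ipaddress
import struct

SYN, ACK = 0x02, 0x10

def classful(addr):
    """Classful class from the first octet (A and B ranges as quoted from Stevens)."""
    first = int(addr.split(".")[0])
    if first <= 127:
        return "A"
    if first <= 191:
        return "B"
    return "C" if first <= 223 else "D/E"

def review_packet(raw):
    """List the header values questioned in the thread for one IPv4 packet."""
    ver_ihl, _, _, ip_id, _, _, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    findings = []
    if ip_id == 0:
        findings.append("IP ID is 0")
    if dst == b"\xff\xff\xff\xff":
        findings.append("destination is the limited broadcast address")
    if proto != 6:  # not TCP, so no TCP header fields to check
        return findings
    ihl = (ver_ihl & 0x0F) * 4  # IP header length in bytes
    _, _, seq, ack, off_flags, win = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    if seq == 0:
        findings.append("sequence number is 0")
    if off_flags & ACK and ack == 0:
        findings.append("ACK flag set but acknowledgment number is 0")
    if win == 0:
        findings.append("window is 0")
    return findings

def build_sample(ip_id, seq, ack, flags, win, src="10.1.2.3", dst="192.0.2.10"):
    """Constructed 40-byte IPv4+TCP packet (checksums left at 0, not verified here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", 1025, 80, seq, ack, (5 << 12) | flags, win, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    # Constructed packet carrying every zero value the thread calls out.
    odd = build_sample(ip_id=0, seq=0, ack=0, flags=SYN | ACK, win=0)
    print(classful("10.1.2.3"), review_packet(odd))
```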

