[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
> It could confuse a NIDS.
> However, luckily, this is an option so if the firewall man turn it on, he'll
> probably talk with the NIDS man.
lol. I wrote that part of the scrubber. I also write IDSes for a
IDSes *must* not be sensitive to increases in ttl. But the hard part is
what to do when the ttl decreases and guessing if the end host will
actually receive that segment or not.
I suppose an anomoly detecting IDS could use TTL to try and dynamically
determine topography but that isn't of too much utility.