the evil bit

Tue, 04/29/2008 - 19:04 — rhinovirus

The evil bit is an attempt to make securing remote systems easier by setting a flag in the IPv4 header to specify whether or not the packet intends to harm the destination or not. Here are a few excerpts from RFC 3514, the document introducing the evil bit:
If the bit is set to 0, the packet has no evil intent. Hosts, network elements, etc., SHOULD assume that the packet is harmless, and SHOULD NOT take any defensive measures. (We note that this part of the spec is already implemented by many common desktop operating systems.)

If the bit is set to 1, the packet has evil intent. Secure systems SHOULD try to defend themselves against such packets. Insecure systems MAY chose to crash, be penetrated, etc.
Devices such as firewalls MUST drop all inbound packets that have the evil bit set. Packets with the evil bit off MUST NOT be dropped.
So as you can clearly see, this will make internet security far easier. So created a small patch in the experimental nmap repository to make Nmap RFC 3514 compliant, it is unclear when this experimental patch will make it to the main Nmap distribution, as there has been some controversy over the bit, Nmap users, and how exactly to implement the bit in the past, here are some quotes from http://seclists.org/nmap-hackers/2003/0009.html:
1) How should Nmap determine evil intent? Perhaps an –evil option
would be handy, or maybe a standard environmental variable should
be used (SCRIPT_KIDDIE=1?) so that all security programs run by the
hacker set the flag appropriately? Or maybe Nmap could ship with a
hardcoded list of UNIX usernames used by known malicious hackers?
Maybe shady options like “decoy scan” and Idle Stealth scan should
always set the bit.
NMAP should remain agnostic, and set the evil bit to .5, neither on nor off.
This should please the white, grey and black hats.
I think perhaps a default option configurable at compile time. For example
if I include Nmap in a rootkit I may not be able to control the username or
environmental variables properly, and would be potentially violating the RFC
which would be very rude towards the end system I am using.
One can imagine –evil will be very welcome among the novice
hackers early in their careers, as they take those first hesitant
steps towards evil hacking.
Cheers,
Michael

Organization: Nmap Security Scanner Original: Source

Add new comment

Recent activity

Mommi mommi huger
Anonymous
08/28/2008 - 00:39
Anonymous
08/27/2008 - 12:13
sun shining well!!!
Anonymous
08/26/2008 - 11:49
Free links
Anonymous
07/23/2008 - 22:02
Earn Money in Just 3 Easy Steps
Anonymous
07/24/2008 - 21:37
Nice Work
Anonymous
08/16/2008 - 23:50
[resovled] Organizations page links don't work
kanwei
04/24/2008 - 14:45
Hello All
Anonymous
08/03/2008 - 21:22
Nice design
Anonymous
07/12/2008 - 21:17
Get geshi working on here?
skiquel
07/30/2008 - 13:23

Planet SoC

User login

Navigation

the evil bit

Recent comments

Recent activity