


Net Security With "NanoProbes"

An anonymous reader writes that "Steve Gibson is working on something called NanoProbe technology. He describes it as advanced remote Internet security testing. " Lots of interesting stuff to think about in there (despite the fact that he says its designed for windows). Its quite technical, and apparently moving fairly quickly forward.
  • Our potent NanoProbing Technology detects and profiles even fully stealthed targets, penetrates proxies and slips through NAT routers.

    It doesn't explain how this works, so I can't keep the word "hoax" from popping up in my mind. Unless, of course, he is suggesting that everyone run his weirdo TCP/IP stack on their routers to cause this stuff to work.

  • The reason why he's specifically targeting Windows is that his "NanoProbes" require a client-side server. His "NanoProbes" talk to the client side program. The program gets information from the computer, and sends it back to grc.com . He's cheating.

    'Round the firewall,
    Out the modem,
    Through the router,
    Down the wire,
  • Sure, nanoprobes may be fun at first, but you won't laugh once they've assimilated your hamster into the borg rodental collective and rebuilt your pc to signal unimatrix 001...
  • this is for windows machines, he doesn't care about your 1337 openbsd box...
    Lord Omlette
    ICQ# 77863057
  • Did you see the stack he's proposed/designed? His new implementation of ping doesn't appear to need the WeirdStack [grc.com] to work.

    On the other hand, he claims there that encrypting every SYN/ACK that goes out causes no overhead... which I might believe, until one gets SYN attacked.

    On another note: of course it's Wintel oriented. He discovered an x86 asm programming book, and was touched (in the head) by the Wand of Optimization, so he can hand-code assembly language better than a compiler can optimize it! Too bad he wasn't touched by the Wand of Porting...

    Quote from the site:

    Since Encrypted Tokens are created simply based upon the Client's IP address, there is no way for any malicious hacker to ever collect even a small fraction of the total four billion possible IP/Token pairs . . . which will all change, anyway, the next time the Server is restarted!
    So he relies on the server being restarted often to keep things random... Definitely Windows Oriented, then. :)
  • Goodbye dumbass. Although, at least you made the effort of saying something more than first post! Sort of.

    Behold the Open Source Sloth...
  • This discussion is good evidence that ignorance runs on all platforms... sigh.

    I don't think many that have posted inflammatory diatribes here have bothered to investigate Gibson's work thoroughly. Even on the Nanoprobe page itself, it's stated clearly enough for anyone that cares to read. I let Gibson speak for Gibson:

    Good question . . . because it is NOT for everyone.

    The NanoProbe Technology, like all of my development work and the content of this web site, is highly targeted toward the Microsoft Windows client universe.

    I know fully well that the Internet was first the domain of Unix and Unix-derived machines, and that such machines still dominate the server space. But, unlike most typical "Internet scanners", this system is not oriented toward locating the vulnerabilities of unknown machines.

    It is first, and foremost, a Windows client security analyzer. It has this bias because we can do a significantly better job for the majority of today's Internet users -- who are Windows users -- by focusing upon the specific needs of that platform to the exclusion, where expedient, of all others.

    (my emphasis)

    It's called prioritizing, folx.

    Gibson's aiming at this group of people for a very good reason; it's where the biggest problem is. If he can take steps to lessen that problem ... we all win. Fewer vulnerabilities == a better net.

  • I would prefer larger ass probes. What's the point of getting f'ed up the backside if you can't feel it?

    Behold the Open Source Sloth...
  • Just open a 'dos' box, type "format c:" but don't hit return yet, then compose a mail message to your 'target victim' and attach c:\windows\command\format.com to it, then - this is the tricky part - hit return in the dos box, answer 'Y' and hit return, then quickly hit 'send' in your mail program, but only real l337 h4x0rz can do it properly, wannabees and luz3rz end up formatting their own drives!

    That reminds me of a text file going around in the mid 80's about how to upgrade your modem from 300 to 1200 baud - open the case, clip out some components, wrap some wire around a pencil and solder to some traces and you have - a dead modem.
  • I *think* he's describing the technology he wrote behind Shields Up! He alluded to a "new, high-speed method" for scanning IP ports reliably when he created Shields Up! and promised he would draw back the curtain at some point and explain how he did it...

    In short, I think this essentially *is* Shields Up...

  • Do nmap or Queso have specially hand-crafted packets? I think we all know the answer to THAT one! When I read this article I thought "Oh my God! They have specially hand-crafted packets! That must make their technology far superior to the mass-produced factory packets of programs like nmap and queso! I think I'll buy 2000 copies for my company immediately!
  • UNIX users, tending to be engineers, will immediately see through the BS he's spreading and laugh uproariously at his claims. Windows users, tending to be (on average) far less technical, should be able to drive much higher sales. Personally, I was immediately reminded of a used car salesman's pitch when I read this.
  • You're right, it doesn't come right out and say, "Our software will read information from your computer, and then send the information back to our site in order to bypass any firewall or NAT box," but if you read the entire document carefully (it was obviously carefully written) it all leads to that conclusion. I've been wrong before, but I don't think I'm wrong on this one. There are dozens of little clues here and there, but they all fit in very nicely.
    'Round the firewall,
    Out the modem,
    Through the router,
    Down the wire,
  • by Inoshiro ( 71693 ) on Friday September 29, 2000 @07:37AM (#744359) Homepage
    It's funnier than that. Packets which are source routed are dropped by all sane TCP/IP implementations. Ditto for any with blank sequence numbers. Don't worry about some stupid sites blocking ICMP (ahemslashdotahem) as a form of "Security" .. nmap and other sane scanners just go ahead and try to TCP connect to a WellKnown port to get an ACK or an RST packet back. No big deal.

    Life is not like Gibson Sci-Fi because people are not that ignorant of technology! Though there are certainly enough that try to prove me wrong :-/
  • [snip] each packet is carved from only the finest oak by third-generation master craftsmen in rural Vermont and comes with a signed certificate of authenticity.


  • This is exactly true.

    See, Steve used to have a column in InfoWorld back in the late 80's. (Last century.)

    Over time I was amazed at how I came to distrust everything he said.

    He was obviously extremely biased against Apple and Macintosh, all facts be damned. You must understand that this was a point in time when Apple was way ahead of the rest of the industry and had a market share (about 25%) that you couldn't ignore. And Apple was way, way bigger than any of the next biggest PC makers. Apple spun out a software subsidiary (Claris) that was bigger than the biggest PC maker (Compaq at the time). I say all this just to set things in context in 1987.

    Anyway, in this context at that time, the things that Steve was saying was just hysterical rantings of his wishful thinking. It became clear that he just hated Apple (or Macintosh, or something). I have no idea what his issue was with it.

    Needless to say, all this clearly caused Steve to lose all credibility in my eyes. I read InfoWorld for information. Clear. Truthful. Fair. And unbiased. If Apple is doing something stupid I want to hear it. If Apple is doing something great I want to hear that. Ditto with Microsoft. Ditto with everyone else in the industry.

    Hmmm, just thinking back to all this, it makes me wonder if InfoWorld's online archives might actually go back this far in time? It would be interesting to see a page of links with Steve's incredibly stupid rants. Of course today given the incredible stupidity of Apple beginning in 1993 and continuing till today, Steve's rants wouldn't seem quite as incredible as they did at the time.
  • "2) Name a router that would even pass such an IP address."

    Any router will, as long as it's been told to.

    The trick is that most of the internet's routers know *not* to route those addresses...

    If you're on RoadRunner and I'm on RoadRunner and I tell my gateway that to hit the 192.168.11 network, it needs to route packets to your gateway, it will, and maybe I can get into your network, assuming the two nodes are on the same segment and you don't have your gateway set up to deny incoming packets to those addresses.

    But the point is, unless Mr. Gibson *is* on Roadrunner and his machine is sitting "right next to mine" on their network, no, there is absolutely no way his packets are going to get through my firewall to the machine behind it. They wouldn't get through anyway because I've told my firewall not to accept new connections to internal addresses.

    If any of what he's saying has any basis in reality, he's just deprecated the use of firewalls since the whole *point* of firewalls is to restrict certain traffic.

    I have the feeling that we're all still pretty safe though...


  • You're exactly right - he *is* suggesting that people install his weirdo software to get his "NanoProbes" to work. All his site will do is send requests for information to the client-side program (which, of course, has unrestricted access to the computer in question), and then the client-side program fires off the results back to grc.com. Bloody ***wipe. I used to respect grc.com for their ShieldsUp! service, but this is going too far.

    'Round the firewall,
    Out the modem,
    Through the router,
    Down the wire,
  • mount, touch, make, date, swapon and swapoff, I'm sure there's more....
  • isn't this just a marketroid way of saying twice as fast?

    Nooo... it's all to do with Virtual Chaos [virtualchaos.org]!

  • I have a couple of problems. First, they wrote it in assembly language. That in itself will make it processor dependent, and not just OS dependent. What guarantee do they give that there is not any back door code? How long will it take script kiddies to make use of this?
    Good one dood. Now you just have to get slashdot to use NanoTechnology(tm*), designed to prevent marketroid articles from being posted, we'll all sleep better.

    While I personally don't see the use for this nano fleet of pot-smoking cyber spiders, beyond raising money for more dope, the article clearly demonstrates how I too can make lots of cash without doing anything.


  • He does admit that his GENESIS idea is not a new one, and is basically the same thing as tcp syn cookies which are available in linux, though turned off by default.

    Looking at the article on syn-cookies (which he links to from his GENESIS document) it says that you can enable syn cookies in linux by echo 1 > /proc/sys/net/ipv4/tcp_syncookies ... I didn't have this file already, and I noticed that Kernel 2.4 has an option to turn syn_cookies on.

    My question is, if this has been implemented for so long (says in SunOS since 1996, Linux in 97), then how come so many sites have been brought down by DoS attacks?
  • As soon as this guy mentioned "temporal density", it became painfully obvious that he's been watching Star Trek too much.
  • Mini-review states:

    While all this sounds quite impressive to the uneducated, this really comes down to a mix of things that could be done in the UNIX world with a combination of nmap, netcat and forcing anyone who you want to scan to connect to your web server.

    If someone really saw a need to do this, all that would really be needed would be Apache with a custom module as the web server (having the scanee connect to your web server is what gives you one of the paths back through NAT firewalls), some nifty perl scripts to control netcat (to generate the "hand-crafted" packets and record the results), and maybe a nice MySQL || DB2 || whatever database on the back end for long term storage of your results.

    Heck, with a custom Apache module and a database on the backend, you could set a cookie in the scanee's browser so that you could automagically let the scanee pull up the results of the last few scans you did on him.

    The summary: I feel for anyone who has spent that much time coding custom TCP stacks, custom webservers, and custom who knows what else in ASM, just to do what perl, apache, a bit of C++, a simple DB and netcat could do. What I feel for such a person will remain unstated.

    There is no backbone cabal.

  • or am I the only one who thinks this is clearly a hoax?
  • ...each packet is carved from only the finest oak by third-generation master craftsmen in rural Vermont and comes with a signed certificate of authenticity

    But are they numbered? I want packet 31337.

  • Oops, I was too hasty in my judgement... He addresses that at the end of his paper - "Acknowledgement of previous work". He also points to an alternative location for description [cr.yp.to] of syncookies.
    GENESIS is a similar idea to syncookies, thus giving robust SYN flood protection to Windows platform.
    It doesn't, however, eliminate the idea of Distributed Denial Of Service attacks.

    BTW, we should rather call them Distributed Internet Load Denial Of Service attacks, that would make all those sensational news headlines much more funny (imagine a "www.hotgrits.com was taken down by DILDOS attack?" headline?)
  • *ROFL*

    Recently, there has been some interest in classic Slashdot posts, and that whole "specially hand-crafted packets" idea reminds me of this post [slashdot.org].

    It's sad to see the actual dumb marketing guys imitating the trolls, though.
    pb Reply or e-mail; don't vaguely moderate [ncsu.edu].
  • "It is important to understand that the NanoProbes themselves, as hand-optimized IP packets, only serve as the agents of the orchestrating NanoProbe Technology. It is the synergistic combination and timing of NanoProbe swarms that have an aggregate "NanoProbing" effect upon the target machine."

    This article, while hand-optimized, only serves as an agent of selling useless NanoCrap technology. It is the synergistic combination of marketdroid swarms that have an aggregate "NanoSales" effect upon the target market. Give me a break!
  • ... it still looks like a tiny packet with no data. Wonder if you can use these to take advantage of an underflow error?
  • This is the biggest joke I've ever seen. This guy has taken technology that already exists (*cough* nmap, anyone?) and encased it with a bunch of buzzwords that ultimately don't mean anything. Lose the crap and tell me what it actually DOES.

  • After getting over my initial disgust at what was written, I went over it again. This <sarcasm>amazing innovation</sarcasm> relies on the client (the computer being scanned) to install software. That's how they claim to "bypass" NAT and firewalling. So, this test will be totally unrealistic (as far as testing to see if hackers can get into your carefully setup system). For a hacker to do the same thing, they'd have to get you to voluntarily install some software (which, admittedly, is not out of the realm of possibility). Anyways, this is a crock for the most part. I suggest the fellow who wrote the paper reply to some of these posts.

    'Round the firewall,
    Out the modem,
    Through the router,
    Down the wire,
  • Am I missing something? What is the big deal?

    Our NanoProbes are able to (benignly) penetrate a user's stealth firewall to verify the presence of the system hidden behind. Since our NanoProbes are able to bypass stealthing

    He seems to claim that his packets cannot be blocked....watch me (or anyone else) block them. Seems high on ego, low on content.

  • i've heard of something similar geared for mac tech but i'm having trouble tracking it down. anyone hear of that? - grovertime [mikegallay.com]

    1. LINUS [mikegallay.com]
      1. & LUCY

  • It seems to me that this fellow just makes his money off of selling security snake oil...
  • by spam-o-tron mk1 ( 237603 ) on Friday September 29, 2000 @07:20AM (#744382) Homepage
    Does that mean you sit there tapping out the packet contents with your space bar?

    No, it means each packet is carved from only the finest oak by third-generation master craftsmen in rural Vermont and comes with a signed certificate of authenticity.


  • Is it just me, or is grc's "new and innovative" Genesis project the same as the SYN cookies that have been around for a few years?
  • hand crafted packets?

    Does that mean you sit there tapping out the packet contents with your space bar?

    Is this anything more sophisticated than ping?

    Too bad it's for Windows only, it would take a dedicated Linux hacker minutes of grueling work to send those packets out /dev/eth0.

  • After the recent turn of events on slashdot, it could have been Hemos. Maybe the hackers weren't as benign as we were led to believe. It's the classic switch and bait. Tell them we broke in and how we did it. While they're scrambling around trying to patch the holes, they'll never notice we swapped names.

    And now for a public service announcement from Jon "CmdrTaco" Katz...

  • I'm at a bit of an advantage here - as I've been following this development on the Gibson news-server. The impression I've got from there is that it's definitely client-browser driven (the initial product anyway), with specific 'sniffing' for MS vulnerabilities (netbios ports, trojan open ports, personal firewalls etc). Still interested to what will happen when I get my *NIX box in between though....
  • This could lead to the next wave of hacker attacks.
    What can we do to stop these little pests from lurking on our systems?

  • there's no such thing as too much star trek
  • by Anonymous Coward

    CmdrTaco, please note it's "It's", not "Its".

  • Maybe I'm missing something. Even his example packet DOESN'T WORK!! It says right on the page that he never received a response...
  • by Thanatos ( 15980 ) on Friday September 29, 2000 @07:24AM (#744391)
    Er- I love how he says that packets can move at twice the temporal density. Ignoring the units mismatch (does this mean I can now read slashdot at twice the pressure, or get in my car and do 0-60 at twice the volume?), isn't this just a marketroid way of saying twice as fast?

    The whole thing strikes me as self-congratulatory drivel. He may have found a way to do something useful/cool, but it's hard to see through all the bull splattered on the page.
  • This guy really has his heart in the right place but maybe there is a bit of (yet) undeserved self praise
  • "The use of our NanoProbe Technology allows us to penetrate transparent web proxy servers and NAT (Network Address Translating) routers to directly probe the host machine's complete interconnection environment. This technology allows us to resolve the pre- and post- NAT router IPs, and the pre- and post- transparent web proxy IPs."

    Last time I checked you couldn't do that with a normal ping... not even a hyped up ping packet.


  • Steve Gibson knows exactly what he is doing, look at this FUD on his website now:
    "News Flash: SlashDot Discovers NanoProbes I have been expecting this to happen, though it took longer than I expected: An entertaining discussion thread on SlashDot was launched Friday, Sept 29th, by Commander Taco. For readers of my pages who don't know, SlashDot is a popular hangout for the (younger) Linux crowd where they have lots of fun and share ideas. SlashDot's sub-head reads: "News for Nerds. Stuff that matters."
    It tends to be light on fact and heavy on invective and misinformation - especially where anything non-Linux, Microsoft, or Windows is involved. But it is, after all just a discussion board, and it always entertains. Reading through all of the angst this page has generated makes me wish that I had this stuff all running so that they'd have something more to play but that will happen soon enough!"
    Steve does write excellent code -- and frequently his programs are more 'cutting-edge' than most others. BUT -- he knows that he is just talking about port-scanning and OS Fingerprinting. When I questioned him at steve@grc.com, he replied twice to my inquiries with a whole lot of fluff / bloat-speak. He writes great code -- and he's not crazy. He's just using a very different marketing strategy.
  • While I personally don't see the use for this nano fleet of pot-smoking cyber spiders, beyond raising money for more dope, this /. article clearly demonstrates how I too can make lots of cash without doing a damn thing.

  • by pb ( 1020 )
    Sending non-standard packets to get information; sounds kinda familiar. Like nmap, or queso.

    But I suppose when you want to sell something like this for a lot of money, the Marketspeak gets pretty thick. I think it's really funny that this is specifically a Windows hack^H^H^H^Hprobing tool, too.

    Ah well, it's not as bad as "Digital DNA"; I spent a good afternoon trying to find out information on that until I realized that it meant nothing, stood for nothing, and is basically a stupid abbreviation for "Motorola Technology". They had PRESS RELEASES full of MARKETDROIDS saying things like "It's DNA of the digital variety". WTF??? Grow me a digital person, marketdroid!
    pb Reply or e-mail; don't vaguely moderate [ncsu.edu].
  • "Steve Gibson is working on something called NanoProbe technology. He describes it as advanced remote Internet security testing. "
    - Yep, nmap for windows. Pretty cool eh?

    Lots of interesting stuff to think about in there (despite the fact that he says its designed for windows).
    - It was a no-brainer for me, I think you may want to read more of the stories you post CmdrTaco ;)

    Its quite technical, and apparently moving fairly quickly forward.
    - Quite technical for a newbie windows user, or a serious 12'oclock flasher (someone who has every appliance in the house flashing 12'oclock)

  • Umm, it may be true that the resultant code from a compiled c program will be optimized very well -- but it is still very true that writing your own asm will result in MUCH less actual code to do the same work -- especially in some tight loops. Thus, this code should run faster with only 1/2 the calories.
  • This was definitely a somewhat silly announcement; it sounds early. Basically though, proving that windows blows is an honorable goal.

    Temporal Density is a perfectly fine unit. If you can get twice as many of these packets through the same bandwidth in a given time, you have twice the temporal density. What he's saying about nanopackets is really that he's done lowlevel work by hand to get the packets as small as possible. This is how beautifully efficient things are done.

    NP is not his primary technology. His primary technology is the methodology of the floods. He's simply claiming they are twice as fast and possibly more capable, because he's using the best possible substructure for his floods, nanopackets.

    Then what he does after that is give out a bunch of things it can do, without saying HOW, either because it's proprietary or because he doesn't know yet. This is why /. eats him alive, since anything ever done without full disclosure at any time is naturally the root of all evil. (actually, antibacterial soap in the home is the root of all (some) evil. www.cdc.gov)

    He did not say it couldn't be blocked, he said it worked on stealthed computers. Certainly, if a secure router routes no outside packets, ever, then there can be no TCP/IP vulnerability (except in router security, or in there being another router or takeable machine on the internal network) But a stealthed machine which at some times has some interaction with the outside world has to respond to some kind of packet sometime, by definition. It would certainly ignore ping. Whether he succeeds at this I don't know, but it certainly is theoretically possible to succeed, at least in any specific case. (and a sufficiently long list of specific cases...)

    I have at least 1 issue with GENESIS, which I should probably mail to him. In principle, he seems to have found the theoretical limit of this type of security inspection (@ packet level only) and if it all works as planned, it'll be great.

    But he basically needs to provide more details, or not have a press release, or at least have a higher fact/buzzword ratio.
  • by Sloppy ( 14984 ) on Friday September 29, 2000 @07:54AM (#744400) Homepage Journal

    There must be a killing to be made by selling network tools that caress, fondle, grope, kiss, lick, and suck.

    "Our potent NetGrope Technology can unhook the access control on the back of most firewalls, thereby letting you caress the bouncing packets beyond."


  • Er- I love how he says that packets can move at twice the temporal density. Ignoring the units mismatch (does this mean I can now read slashdot at twice the pressure, or get in my car and do 0-60 at twice the volume?), isn't this just a marketroid way of saying twice as fast?

    Definitely not twice as fast! Saying you can send two packets in the time it takes someone else to send one does not mean yours move twice as fast. The time it takes will be the same. He's just claiming that since his packets are smaller, he can send "more" in the same time.

    And his dials go to eleven...

  • "Lots of interesting stuff to think about in there (despite the fact that he says its designed for windows)."

    Yeah, and I suppose that we should only support new technology and programs that aren't wearing the Microsoft fetters, right? This bible-thumper's bias is going a little too far. It seems that on Slashdot, any idea, however promising it may be for the future, is shunned if it doesn't run on Linux. And I suppose that Rob's gonna say that the next DOOM will suck because it's being designed on Windows 2000. Open your mind and take those blinders off!

  • No Way! It's not written for Leeenucks, and therefore is the work of evil Satan himself!!!

    Geez, you'd think that CmdrTaco was 0wnz3r3d by an anti Microsoft company or something...

  • Anonymous, please note: Spelling and grammer errors only count when they're made by pro-Microsoft people.
  • The description of his Genesis technology seems somewhat familiar to me.
    To be specific, it sounds pretty much like the TCP syncookies support in the Linux kernel, however I can't verify that thoroughly because the link to docs that's given in the kernel's config help (ftp://koobera.math.uic.edu/syncookies.html [uic.edu]) can't be reached currently.

    From the kernel config help:
    SYN cookies provide protection against this type of attack (SYN flooding) . If you say Y here, the TCP/IP stack will use a cryptographic challenge protocol known as "SYN cookies" to enable legitimate users to continue to connect, even when your machine is under attack. There is no need for the legitimate users to change their TCP/IP software; SYN cookies work transparently to them.

  • Isn't every IP packet intention-directed? AFAIK, you can't have an IP destination of *.*.*.*.

    Well... we can't have *.*.*.* but we sure used to be able to with a spoofed source address which caused some really groovy blue stuff.

    But I agree, it's marketing speak for traditional methods of network diagnosis. Except for the potentially interesting bits of hand crafting packets so that they are as small as possible and thus able to generate twice the system load for a given bandwidth.
  • ..I couldn't find any links to the nano-project on the main site ..but I didn't look that hard.. maybe this initial article was describing it?

    Select the SHIELDS UP link from the home page, also have the site do the port probe. A comment there hints at the nanoprobe technology. Doesn't anyone read past the first paragraph any more? :-(

  • Um, not sure that's what the site says..... True, it reports: "Therefore, in the future we will offer an advanced, Windows-only, client-side NanoProbe Agent for use in concert with our server-side NanoProbe Technology.", but the majority of the page refers to the scan being initiated from the server to the source address of the browser. Steve
  • SYN Cookies and this GENESIS token business are used to defend against SYN floods - or at least allow 'true' packets through the noise during an attack. There are a lot more types of DOS and DDOS attacks than SYN floods - unfortunately.
  • Thank You. I think Steve is pretty sharp, even if a bit prone to hyperbole.
  • The thing is he doesn't sell this stuff. He gives it away. He makes most of his money off the excellent spin rite software.
  • No, it means each packet is carved from only the finest oak by third-generation master craftsmen in rural Vermont and comes with a signed certificate of authenticity.

    Do you know how many packets you've generated with that post? Probably 20 at least, and you want to make them out of oak now?

    It isn't bad enough that we're deforesting the Rain Forest for hamburgers and rainforest crunch, now we're gonna deforest Vermont just so we can have hand crafted Oak packets? Do you know what that will do to Vermont's ecosystem? Where will the smelly phishphans live if you cut down their trees?

    We all need to seriously think about recycling our packets, designer hand crafted oak packets are a luxury mother earth can not afford!!!!
  • Yes, read Page 3, "prior work". Seems he discovered SYN cookies after he had written the article...

    It looks like the only difference between his "Genesis" thingy and SYN cookies is that he's using RC5 encryption, which is more computationally intensive than the MD5 hashes used by the Linux SYN cookie implementation...

    Those aren't compiler warnings, they're suggestions...
  • On the face of it, and based on a cursory read of the article, not the worst idea at all. And this guy definitely seems to have his heart in the right place on several issues.

    Still, I'm not entirely clear as to why a bias towards Windows platforms seems to be such an important issue. Is there really that much difference in the requirements for a UNIX box? Given the number of Apache servers out there, I would think that ignoring UNIX platforms is a less than wise decision.

    Still, he does describe the theory behind the approach. I don't doubt that there will soon be similar efforts for non-Windows platforms, if this method holds up to its promises. Invulnerability to DDoS alone is motivator enough.


  • by Signal 11 ( 7608 ) on Friday September 29, 2000 @07:27AM (#744416)
    Let's see, they probe, crack, hack, sniff...

    What kind of pervert thinks all this stuff up?!


  • There goes another program for security, and immediately there will be another breaking that .
  • Yes, slightly off topic here, but I want to understand how this could work. I use IP masquerade and Linux firewall at home for security.

    What is a good source of info on NAT and how it works? What I don't understand and can't seem to find out is how returning packets get to the correct machine. (They are in response to packets which to the outside world are all coming from the same IP address.) Does each go out on a different port or is some other trick used?

    I allow no incoming new packets (I believe) because I have no servers. But understanding is golden. Even a book to read with info about this would be nice.


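For the question above about how replies find their way back through a masquerading box: the answer is a translation table. This is an added example, not the Linux IP masquerade code, modelling a port-translating NAT (NAPT). Outbound packets get their source rewritten to the public address and a fresh external port, and the mapping (including the remote peer, as Linux connection tracking also records) is remembered; inbound packets are matched on that external port and rewritten back to the inside host, and anything with no mapping is dropped. The addresses, ports and payload strings are constructed for the example.

```python
"""Minimal port-translating NAT (NAPT), the mechanism behind IP masquerade.
Added illustration for this thread; not the Linux masquerade implementation.
All addresses, ports and payloads below are constructed sample data."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class Napt:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, inside ip, inside port, remote ip, remote port) -> external port
        self.out = {}
        # (proto, external port, remote ip, remote port) -> (inside ip, inside port)
        self.back = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: allocate (or reuse) an external port and rewrite
        the source, so two inside hosts may both use source port 1025."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext = self.out.get(key)
        if ext is None:
            ext = self.next_port
            self.next_port += 1
            self.out[key] = ext
            self.back[(pkt.proto, ext, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=ext)

    def inbound(self, pkt: Packet):
        """Internet -> inside: the destination port, together with the remote
        peer, selects the mapping.  No mapping means the packet was not asked
        for, and it is dropped (returned as None)."""
        inside = self.back.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None
        return replace(pkt, dst=inside[0], dport=inside[1])


def scenario() -> dict:
    """Two inside hosts share one source port; both replies come back to the
    right host, a repeat from host A reuses its port, and a scanner aiming at
    the same external port from a different peer is dropped."""
    nat = Napt("203.0.113.5")
    web = ("198.51.100.80", 80)
    a = Packet("tcp", "192.168.0.10", 1025, *web, "GET / from A")
    b = Packet("tcp", "192.168.0.11", 1025, *web, "GET / from B")
    a_out, b_out = nat.outbound(a), nat.outbound(b)
    a_again = nat.outbound(a)
    reply_a = nat.inbound(Packet("tcp", *web, nat.public_ip, a_out.sport, "200 OK for A"))
    reply_b = nat.inbound(Packet("tcp", *web, nat.public_ip, b_out.sport, "200 OK for B"))
    probe = nat.inbound(Packet("tcp", "198.51.100.99", 4444, nat.public_ip,
                               a_out.sport, "SYN from a scanner"))
    return {
        "a_ext": a_out.sport, "b_ext": b_out.sport, "a_again": a_again.sport,
        "reply_a": (reply_a.dst, reply_a.dport),
        "reply_b": (reply_b.dst, reply_b.dport),
        "probe": probe,
    }
```

The same table is why an inside program that opens a connection to an outside server punches exactly one hole: the reply path exists only for that mapping, and only for the peer it was created for. Real implementations also time mappings out and track TCP state, which this model omits.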
  • . . . make sure that default passwords aren't used and slap the heck out of the folks with "God" access when they aren't? Now that's something that's needed.
  • by dbarclay10 ( 70443 ) on Friday September 29, 2000 @07:29AM (#744420)
    From the web site:

    "Aren't NanoProbes just IP packets?

    Of course they are."

    I think that just about sums this up. They've put a fancy name on an existing technology, and claimed "innovation and invention." 'nmap' uses this sort of thing every day, it seems. Sure, they may have tweaked the packets to elicit specific responses from the target, but how is that any different than existing fingerprinting techniques? I don't think it is (although I don't really know a whole heck of a lot about this stuff).

    I used to really respect GRC. Their "ShieldUp!" was pretty darned cool, but these announcements all sound like bloody half-baked press releases. I could be proven wrong, but this sounds really lame.

    'Round the firewall,
    Out the modem,
    Through the router,
    Down the wire,
  • by Amrik ( 42170 ) on Friday September 29, 2000 @07:29AM (#744421)
    That page is so full of marketroid(tm) rubbish, I can't make any sense out of it. It seems like an implementation of tcp/ip fingerprinting, but enhanced with drug abuse by the author.

    I suppose you can't underestimate the power of catchy buzzwords. Transmeta couldn't raise any finance until they renamed their tech to CodeMorphing. The BDU's will probably fall for it.
  • by Sea++ ( 33031 )
    "If this particular probe were
    to be dropped into the Internet, it would route itself to the machine at IP address
    [ ] which is the United States NSA (National Security Agency). This
    NanoProbe asks the machine to verify its existence on the Internet."

    Wow! You mean you're writing ICMP? Sounds cool!

    Really, "self-routing"? Um, so I guess if I use just these I don't need routers. Sorry, but self-routing doesn't work with dumb media. So he figured out how to cram ICMP type packets into smaller packets. So?

    "While you wait, real-time, operation"

    Yeah, ping just takes so damn long to run...

    I think perhaps this guy should go back to writing his newbie-helpers and quit trying to play in the big leagues.

  • "These are the voyages of the Starship Enterprise...

    Its five-year mission to explore the limitations of the Microsoft Windows Client Universe."

    Christ, this sounds like something out of Star Trek.
    On the other hand, a concerted effort to show how
    insecure the M$ is isn't necessarily a bad idea.

  • by drenehtsral ( 29789 ) on Friday September 29, 2000 @07:56AM (#744424) Homepage
    So what we have here is somebody who has taken the idea of portscanning, promisc detection, tcp fingerprinting, etc... and then injected it with many many drugs...

    Wonder if this is any relation to _THE_ Gibson? Would be fitting wouldn't it...
  • (Not sure whether his program is open source or not, but answer the question)

    Open source is about scratching an itch that you have. Steve Gibson is a windows user. He has an itch. He's scratching. Oh hell's yeah.
    Lord Omlette
    ICQ# 77863057
  • Launched by our servers, they silently route themselves across the Internet, always heading toward their destination.
    This is just an anthropomorphic description of data being routed over the Internet between its networks.

    This reminds me of a funny story of my not-so computer savvy friend who has a destructive script-kiddie mentality. He wanted to send someone a trojan (to format his HDD) by e-mail. He asked me if he could run it on his computer and send it running to someone else's...
  • by Anonymous Coward

    You may have heard that Slashdot was recently "hacked". The preliminary stages of this hacking were made possible with nanoprobe-like technology.

    I, Bob Jones III, was part of the elite "hacking" team. I added a module to the "lameness filter" that prevents the following kinds of posting errors:

    • Blasphemy
    • Homosexuality
    • Witchcraft
    • One-World Government
    • Catholicism
    • Moral Relativism
    • Secular Humanism
    • Darwinism
    • BSD
    • Rap music
    • Abortion

    Mr. Taco: It is hopeless to try to correct this error. I have added this code block to the firmware of your RAID arrays, so if you erase the module, it will be instantly rewritten. I am doing this to save the souls of all Slashdot readers and lead them toward CHRIST.

    Bob Jones III [goatse.cx]

  • Hi Steve, Sounds like a wonderful idea, but aren't you forgetting that the first SYN/ACK we send might get lost and we never send it again - since we don't know anything about it? This will mean that every connection where the SYN/ACK is lost will fail. I have no idea what the chance is of this happening, but it does sound like you are disobeying the TCP standard here a little. Still cool though ;-) Regards, Gilad Ben-Yossef http://benyossef.com
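
The earlier post comparing "Genesis" to SYN cookies and the one just above about the never-retransmitted SYN/ACK are both describing the same stateless trick, so here it is in working form. This is an added example, not Gibson's code and not the Linux kernel's implementation: the 64-second slot, the 5/24/3 bit layout and the four-entry MSS table are assumptions of this example, and HMAC-SHA256 stands in for the MD5-based hash the thread mentions. The client address, ports, ISN and clock values are constructed.

```python
"""Stateless SYN cookies.  Added illustration for this thread; neither
Gibson's "Genesis" design nor the Linux implementation.  Bit layout, slot
length and MSS table are this example's own assumptions.

Server side: every SYN is answered with a SYN/ACK whose initial sequence
number (the cookie) is a keyed hash over the 4-tuple, the client's ISN and a
coarse time slot, plus a few bits encoding the client's MSS.  No state is
kept, which is exactly why a lost SYN/ACK is not retransmitted by the
server; only the client's own SYN retransmit recovers it.  When the bare ACK
arrives the server recomputes the hash and completes the connection only if
ack-1 is a cookie minted in a recent slot."""
import hashlib
import hmac
import struct

SLOT_SHIFT = 6                        # one slot = 64 s (assumed)
MAX_SLOT_AGE = 2                      # accept this slot and the two before it
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed encodable MSS values, index in 3 low bits
MASK32 = 0xFFFFFFFF


def _ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _hash24(secret, saddr, daddr, sport, dport, client_isn, slot) -> int:
    """Keyed 24-bit hash of the 4-tuple, client ISN and slot.  HMAC-SHA256
    stands in for the MD5 construction the thread mentions."""
    msg = struct.pack("!4s4sHHII", _ip4(saddr), _ip4(daddr), sport, dport,
                      client_isn & MASK32, slot & MASK32)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now):
    """ISN for our SYN/ACK.  Layout: [5 bits slot][24 bits hash][3 bits MSS index]."""
    slot = now >> SLOT_SHIFT
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0
    h = _hash24(secret, saddr, daddr, sport, dport, client_isn, slot)
    return ((slot & 0x1F) << 27) | (h << 3) | mss_idx


def check_ack(secret, saddr, daddr, sport, dport, seq, ack, now):
    """On the third-handshake ACK: return the MSS to use if the cookie is
    genuine and fresh, else None (drop; nothing was ever allocated for it)."""
    client_isn = (seq - 1) & MASK32          # client's ACK carries seq = its ISN + 1
    cookie = (ack - 1) & MASK32              # and ack = our ISN + 1
    mss_idx = cookie & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    h = (cookie >> 3) & 0xFFFFFF
    cur_slot = now >> SLOT_SHIFT
    for age in range(MAX_SLOT_AGE + 1):     # low 5 bits select the candidate slot
        slot = cur_slot - age
        if (slot & 0x1F) == (cookie >> 27) and \
                _hash24(secret, saddr, daddr, sport, dport, client_isn, slot) == h:
            return MSS_TABLE[mss_idx]
    return None


def handshake(secret, delay, tamper=0):
    """Constructed client: SYN -> SYN/ACK -> ACK.  `delay` is seconds between
    our SYN/ACK and the ACK; `tamper` is added to the ACK number to model a
    forged third packet."""
    client, server, sport, dport = "198.51.100.7", "203.0.113.10", 51515, 80
    client_isn, t0 = 0x1D2C3B4A, 1_000_000   # constructed values
    cookie = make_cookie(secret, client, server, sport, dport, client_isn, 1460, t0)
    return check_ack(secret, client, server, sport, dport,
                     client_isn + 1, cookie + 1 + tamper, t0 + delay)
```

The cost of statelessness is visible in `check_ack`: a forged ACK has roughly a 3 in 2^24 chance per attempt of landing on a valid cookie, options other than MSS are lost, and an ACK arriving after the slot window is refused even though the client did everything right.
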
  • And they will release the NanoWussname, and they will roam around the Internet, eat away your firewall, your NAT box, your Windows box, and live to tell the tale.

    Purely speculating, I would presume that what they send are fragments of packets, source routed IP packets, etc. etc...

    They say they maintain a connection with the probed host - IMO they use a legit way to pass your NAT (for instance a web server inside your private network) and then embed their special "hand crafted" packets inside the stream which try to fool the server itself to route the packet elsewhere, inside the network. The "swarm" concept indicates they will probably be scanning your internal IP range using this technique or some other.

    Maybe routers or firewalls should nowadays remove any interesting IP options, or even deny them.

  • by Idimmu Xul ( 204345 ) on Friday September 29, 2000 @08:02AM (#744430) Homepage Journal

    Could this nano-probe technology be Steve's fabled project x?

    PROJECT-X's display will expose crucial information that's been hidden inside your computer by people who have their best interests in mind, not yours.

    It automatically finds easter eggs?

    I DO know how bizarre this sounds. "Hidden truths?" "Other people in control?" "Unnerving secrets buried in our computers?" I wouldn't blame you for thinking that I'm being deliberately over-dramatic, and you might wonder what I've been smoking out here in Southern California. Or whether, perhaps, I've become a little too involved with the X-Files TV show.

    Currently I'm thinking about dolphin sex.. but that's what happens when you read /. posts :-(

    I don't yet know for sure that I can even do what PROJECT-X requires..

    This is the line I like the most.. it sounds like the guy is trying to write the all-in-one point-and-click hacking tool or something. 'Yeah.. just type in the IP address and click go.. you'll automatically be placed in a shell account as root.. or if it's windows.. NetBus will automatically be installed for you.. ??'

    Has anyone joined the mailing list to be 'apprised of my progress'?

    ..I couldn't find any links to the nano-project on the main site ..but I didn't look that hard.. maybe this initial article was describing it?


    - I don't have a .sig .. I type this in by hand each time!

  • You left out 'finger'.

    -- ShadyG

  • I'm not quite sure what CmdrTaco is talking about. This affects Linux users - it affects all users. The idea of a "shrunken" packet is not terribly new, but speedwise having a packet be as small as this, and still contain a variety of extra useful information about its destination and whereabouts, would be useful in pinging servers.
  • With a name like "Nanoprobes" it sounds more like something William Gibson would be up to. Hello marketing..

  • Isn't this the same moron that claimed to have invented Syn cookies the other week?

    His credibility was bad already. This ridiculous drivel is even more over the top. I'd like to see him probe my internal network to "reveal my machine's TRUE local private-network IP address". Assuming he could (OpenBSD with NAT/IPFilter providing no services; doubtful), he would discover that my 'secret private network IP' is something in 192.168.0.*. There's some pretty useful information: an internal network that doesn't use valid IP addresses!

    Enough submissions about this guy's 'advanced technology' already.

  • by martin.roesch ( 226831 ) on Friday September 29, 2000 @09:19AM (#744435) Homepage
    Ok, so in the "broken out" packet dump at the bottom of the page, he's got several errors.

    1) The TCP offset (TCP header length) is set to 6, which means that the TCP header length should be 24, and the packet shown only has a 20 byte header.

    2) The Sequence number is 0, which should never happen on a SYN packet and would be easily picked up by any intrusion detection system (like Snort [snort.org]).

    3) The IP datagram length field shows 44-bytes, but once again we're only shown 40-bytes. Where'd those other 4 bytes go?

    Beyond that, this is a standard SYN packet, hardly revolutionary.

    The packet at the top is a simple ICMP ECHO packet (ping), which is presumably being filtered at the NSA's gateway. That's why a response has "never been received"... Ooh, spooky!

    The other claims are so much fluff. Temporal density? Just because the packet's got half as many bits as the equivalent ECHO packet from MS doesn't mean that the extra nanosecond saved is going to be added onto your life.

    These packets aren't stealthed by any measure, they're only stealthed to the uninitiated because most people's eyes glaze over when confronted with binary data. What we've been presented with is an ICMP ECHO packet and a TCP SYN packet.

    Let's look at the other claims:

    "While you wait, real-time operation"
    Explanation: When you execute the program, it runs and reports back to you.

    "Continuous host-presence verification"
    Explanation: When you run the scan, it pings the target to make sure it's up. Contrary to the claims on the web page, every other scanner under the sun that's used for any large scale application (like nmap, CyberCop, ISS, etc) does this.

    "Comprehensive host IP address determination"
    Explanation: Resolves DNS names, can make other DNS queries.

    "Host stealth technology detection, penetration, and appraisal"
    Explanation: If the host is discovered, it will be scanned! If the host can be reached through the firewall, it'll also be scanned. If the firewall is filtering the traffic, the program will attempt to get through but probably won't unless some well known vulnerability can be exploited.

    "True firewall, versus simple packet filter, discrimination"
    Explanation: They see if their packets are rejected outright or if some sort of connection establishment is allowed.

    "Special "Half-Open" TCP connection "SYN" probing"
    Explanation: This was special about four years ago, but now it's just called a SYN scan. This is different than a full SYN scan in that the connection is dropped after receiving the returned SYN-ACK packet instead of letting the connection complete. This is different from a free port scanner like nmap in exactly 0 ways.

    "Advanced TCP non-connection "ACK" probing"
    Explanation: They can do ACK scans as well. This is completely revolutionary unless you've used almost any other free scanner in the past four years.

    "Fragmented and reordered packet filtering vulnerability assessment"
    Explanation: nmap + fragrouter = this capability, plus more!

    "UDP/ICMP reflection response probing"
    Explanation: If you send a properly formatted UDP packet to port 137 on MS boxen that allow it, you'll get a response back. If it's not available, you'll get an ICMP UNREACHABLE. My god, the amazing powers of this software aren't to be believed!!

    "Differential source IP analysis"
    Explanation: IP spoofing! Revolutionary! Nmap has only had this capability for (at least) four years, but these guys have made it revolutionary by sticking it in their product to jack with badly misconfigured firewalls. Amazing!

    "Personal Router vulnerability assessment"
    Explanation: If you're behind a NAT, there's a chance that the nanoprobe may notice!

    "Last-Hop Router vulnerability assessment"
    Explanation: If your router/NAT is badly misconfigured, a nanoprobe may be able to see some of the other addresses that the thing is configured to talk to.

    "Active protocol testing"
    Explanation: Application layer testing, such as trying to brute force passwords on SMB shares. This has never been done before, unless of course you count the NetBIOS Auditing Tool (nat) program from the mid 90s...

    "Packet round trip time (RTT) profiling"
    Explanation: This is useful if you're trying to see if there's any time based elements to see if you're talking to a firewall or directly to the host. Righteous.

    "Absolutely spoof proof"
    Explanation: "We can't be spoofed because we make our own packets!" What about man in the middle attacks guys? Are you talking IPv6 or over an encrypted tunnel? No? Oops, you can be spoofed.

    Anybody remember the FreeVeracity BS from a few weeks back? I smell repeat! There's no magic here, other than the fact that this got posted to Slashdot at all.

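The three header inconsistencies listed at the top of the post above (total length 44 with 40 bytes shown, data offset 6 with a 20-byte TCP header, a SYN with sequence number 0) are exactly the kind of thing a small consistency check catches before a hand-built packet ever leaves the box. The following is an added example, not Gibson's code: it builds a 40-byte IPv4/TCP SYN with whatever length, offset and sequence fields the caller asks for, then audits the bytes against their own headers. Addresses and ports are constructed; the TCP checksum is left at zero and not audited.

```python
"""Sanity-check a hand-built IPv4/TCP packet dump against its own header
fields.  Added example, not Gibson's code.  The packets built below are
constructed to reproduce the inconsistencies described in the post."""
import struct


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum.  Over a valid header with the checksum
    field included, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(total_len_field: int, data_offset_words: int, seq: int,
              src="198.51.100.1", dst="192.0.2.1", sport=40000, dport=80) -> bytes:
    """20-byte IPv4 header + 20-byte TCP SYN, no options, no payload.  Length
    and offset fields are written verbatim so a caller can lie in them, as the
    dump in the post does.  TCP checksum stays zero (not audited here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      data_offset_words << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len_field, 0x1234,
                     0x4000, 64, 6, 0, ip4(src), ip4(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + tcp


def audit(pkt: bytes) -> list:
    """Return the inconsistencies between header fields and the bytes actually
    present; an empty list means the dump is self-consistent."""
    findings = []
    if len(pkt) < 20:
        return ["truncated: fewer than 20 bytes, no complete IPv4 header"]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        return ["bad version/IHL byte 0x%02x" % ver_ihl]
    if total_len != len(pkt):
        findings.append("IP total length field says %d bytes but %d are present"
                        % (total_len, len(pkt)))
    if ip_checksum(pkt[:ihl]) != 0:
        findings.append("IP header checksum does not verify")
    if proto != 6:
        return findings + ["protocol %d is not TCP" % proto]
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return findings + ["only %d bytes after the IP header, TCP needs 20" % len(tcp)]
    _sport, _dport, seq, _ack, off_byte, flags, _win, _tcsum, _urg = \
        struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_byte >> 4) * 4
    if doff < 20:
        findings.append("TCP data offset %d is below the 20-byte minimum" % doff)
    elif doff > len(tcp):
        findings.append("TCP data offset claims a %d-byte header but only %d bytes "
                        "follow the IP header" % (doff, len(tcp)))
    if (flags & 0x02) and not (flags & 0x10) and seq == 0:
        findings.append("SYN with initial sequence number 0")
    return findings
```

`audit(build_syn(44, 6, 0))` reports all three problems from the post, while `audit(build_syn(40, 5, 0x6B8B4567))` reports none. The same checks are what a receiving stack or an IDS applies, which is why a dump that fails them is not "stealth" but simply malformed.
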
  • its nmap with a price tag!
  • by Anonymous Coward
    you are such a tool -- you replied to your own message endorsing your own site. how pathetic.
  • by steveha ( 103154 ) on Friday September 29, 2000 @09:31AM (#744438) Homepage
    I don't understand why people are making so many bitter and sarcastic comments about this. This is Steve Gibson being Steve Gibson, and it isn't any big deal.

    Why is it only for Windows? Because Steve Gibson wrote it. He likes to write "hand-crafted" assembly language, for x86 platforms. So he wrote it for Windows.

    Maybe it reads like a press release. But don't forget... when he finally has something to release, he is going to give it away free (like beer). He isn't spamming this page out by email, he isn't trying to trick anyone out of their money, so why are people so worked up?

    He wrote, and gave away, a cool utility [grc.com] for Zip disk owners. He also wrote and gave away some other stuff, and let's not forget how cool his Shields Up! page has always been.

    Even if we moderate his latest web page (-1, marketdroid-speak) he has plenty of karma left over.


  • Isn't that the packet that made the Kessel Run in under 12 parsecs?
  • Yes, but not steriods. This has clearly been injected with crack.
  • i'm trying to read those packets... why in the world is he coding left-to-right-top-to-bottom nibbles... anyone got some hex from those packets? (only one reason i can think of that he's coding them that way)
  • by jehreg ( 120485 )
    Market speak for : I created an IP packet with nothing after it. Any firewall worth its salt will prevent this packet from flowing, especially an application-level gateway.

    Maybe Windows has a specific exploit where a naked IP packet will be blindly forwarded or responded to. That would explain the Windows-only support of this. If this is the case, then as soon as Windows fixes that bug, byebye Nanoprobe usefulness.

    It is easy to create this "Super firewall", and "super server" if you re-write IP and TCP... Look, I can ignore all packets that do not match my format, and therefore be immune to DoS attacks! Oh wait, I seem to be getting a huge amount of valid packets... damn....

    What drivel...

  • by Ledge Kindred ( 82988 ) on Friday September 29, 2000 @07:32AM (#744444)
    "By utilizing specially hand-crafted phrases, I can get my marketing baloney past the engineers in your corporation who actually know anything and slip these content-free fluff pages right through your middle management directly to the top level of PHB's, who of course will, when they realize the incredible quantity of technological gibberish and understand the amazing new level of buzzword-compatibility these hand-crafted phrases exhibit, want to give me bundles and bundles of money for a product that does essentially what 'nmap' already does and has done for many many years. Only mine only works under Windows, is all made out of hand-crafted bits-n-bytes (none of those 'compiled' bits-n-bytes for me!) and has an eight-hundred page manual that's so confusing that hopefully those PHB's will never figure out enough about my software to realize it doesn't really do anything new or unique or possibly even useful."

    What crap.


  • by andyh1978 ( 173377 ) on Friday September 29, 2000 @07:33AM (#744445) Homepage
    These 'nanoprobes' are just minimalist valid packets, headers with zero data.

    The page is full of anthropomorphism and redundant quasi-technical terms just thrown in to make it look impressive. When you actually look for some hard facts, they're fairly lacking.

    So what that they're less than half the size of the ping packets produced by MS ping, which always sends 32 bytes of data. Can we say ping -s 1 host? Sends 232-bit packets (224 header + 8 bits data). (It gets 9-byte replies = 224 + 9*8 = 296-bit replies... still not far off the 224-bit of the minimalist packets).

    There's no actual evidence presented that the lack of data in the packet causes them to be processed in such a radically different way as is suggested, bypassing any and all firewalls, NAT and proxies.

    Looks like sensationalist hype so far. They may have some use in highlighting exception cases in software (who'd expect zero length data anyway), and his customised TCP/IP suite will probably just be used to send more pings per second.
  • by dbarclay10 ( 70443 ) on Friday September 29, 2000 @07:34AM (#744447)
    You know how he gets past the NAT/firewall? A *client-side program*. He's just sending packets to that program that the user installed, and the program is getting the data, and sending it back out. He's not "bypassing" the firewall, he's written a bloody server so he can read people's machines' information. Good lord, that's an ugly hack if I've ever seen one.

    'Round the firewall,
    Out the modem,
    Through the router,
    Down the wire,
