Seems dubious. So I'm not sure what sets the codepoint to 000001 by default, but apparently CodeRed does? Nevertheless, this seems like a very weak basis for determining whether something is malicious.

There is an elegant solution; administrators should set the evil bit on any malicious packets seeking egress; http://www.faqs.org/rfcs/rfc3514.html

Quoting:

    0x0  If the bit is set to 0, the packet has no evil intent. Hosts, network elements, etc., SHOULD assume that the packet is harmless, and SHOULD NOT take any defensive measures. (We note that this part of the spec is already implemented by many common desktop operating systems.)

    0x1  If the bit is set to 1, the packet has evil intent. Secure systems SHOULD try to defend themselves against such packets. Insecure systems MAY chose to crash, be penetrated, etc.

And now for something completely different...

--
The whole point of the Internet is that different kinds of computers can interoperate. Every time you see a web site that only supports certain browsers or operating systems, they clearly don't get it.