> In message <201803212204.w2lm4g8h023...@pdx.rh.cn85.dnsmgr.net>,
> "Rodney W. Grimes" <freebsd-...@pdx.rh.cn85.dnsmgr.net> wrote:
>
> >One thing you could look at is the OS fingerprinting of nmap,
> >that could look for possible things to differentiate the hosts.
>
> Yeah, that idea occurred to me. But this solution has the same problem
> that I just mentioned in another one of my replies in this thread:
> Even if nmap says that two IP addresses have the exact same OS
> signature, that is far from enough to assert that they are both
> under the control of the exact same Bad Actor.

You are not going to prove the "control of the exact same Bad Actor"
without a warrant to search and seize. You might prove they are two
different boxes if the nmap fingerprint shows a difference, but if they
show identical you have proved nothing.

> You certainly wouldn't want to send someone to prison, or even to
> after-school detention, based on such limited circumstantial evidence.
>
> >Depending on just what the host is there could be other telltale
> >signs picked up from "forensic" type of data captured
> >with tcpdump while playing known packet sequences against
> >each host at identical time.
>
> Such as?
>
> I'm all ears.

At this point I have to state I am not going to do your research work
for free. I have given you plenty of free leads to pursue.

> >What you ask I believe could be done, but it is non-trivial and
> >would require a very good understanding of both forensics
> >and the differing ways that TCP/IP is implemented.
>
> I like to think that I am a quick learner. Please proceed with the
> lesson.

The rates for lessons in forensics start at reasonable enough amounts;
you can contact me off-list if you wish to pursue that.

... rest deleted ...

-- 
Rod Grimes                                                 rgri...@freebsd.org
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
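The exchange above turns on what an nmap OS fingerprint can and cannot show: a difference in stack behaviour is evidence of two different boxes, an identical fingerprint is evidence of nothing about who runs them. The script below is an added example, not code from this thread or from nmap. It takes the "OS:"-prefixed subject fingerprint that `nmap -O` prints for a host, parses the SEQ, OPS, WIN, ECN, T1..T7, U1 and IE test groups, and reports every stable field on which two hosts differ. The two fingerprints HOST_A and HOST_B are constructed samples in that shape, not captures from any real host, and the choice of which fields to treat as volatile (the SCAN metadata group and the ISN-derived SP/GCD/ISR statistics) is this example's own assumption.

```python
"""Compare two `nmap -O` subject fingerprints for TCP/IP stack differences.

Added example; not code from the freebsd-net thread or from nmap itself.
Input is the "OS:"-prefixed block nmap prints for a host it could not match
against its database: groups such as SEQ(...)OPS(...)WIN(...) holding
key=value fields separated by '%'.  HOST_A and HOST_B are constructed samples
in that shape, not real captures.
"""
import re

# Constructed sample A: a Linux-like stack (TTL 0x40, window 7120,
# option order MSS,SACK,TS,NOP,WS; zeroed IP ID in the SEQ probes).
HOST_A = """
OS:SCAN(V=7.80%E=4%D=3/21%OT=22%CT=1%CU=44344%PV=Y%DS=1%DC=D%G=Y%M=001C42%TM=5AB
OS:2F5C3%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%
OS:O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%
OS:T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)
OS:T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=
OS:G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
"""

# Constructed sample B: a FreeBSD-like stack (TTL 0x40, window 0xFFFF,
# option order MSS,NOP,WS,SACK,TS; incremental IP ID).
HOST_B = """
OS:SCAN(V=7.80%E=4%D=3/21%OT=22%CT=1%CU=40125%PV=Y%DS=1%DC=D%G=Y%M=001C42%TM=5AB
OS:2F7A1%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=21)
OS:OPS(O1=M5B4NW6ST11%O2=M5B4NW6ST11%O3=M280NW6NNT11%O4=M5B4NW6ST11%O5=M218NW6ST
OS:11%O6=M109ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=
OS:Y%T=40%W=FFFF%O=M5B4NW6SLL%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R
OS:=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z
OS:%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y
OS:%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G
OS:%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=40%CD=S)
"""

# Fields that legitimately vary between two scans of one and the same host
# (this example's assumption): the SCAN group is scan metadata, and the
# SEQ statistics SP/GCD/ISR are derived from sampled initial sequence numbers.
VOLATILE = {"SCAN": None, "SEQ": {"SP", "GCD", "ISR"}}


def parse_fingerprint(text):
    """Return {test_name: {field: value}} from an 'OS:' fingerprint block."""
    # nmap wraps the fingerprint at fixed width; strip the prefix and re-join.
    body = "".join(
        line.strip()[3:] if line.strip().startswith("OS:") else line.strip()
        for line in text.strip().splitlines()
    )
    tests = {}
    for name, fields in re.findall(r"([A-Z][A-Z0-9]*)\(([^)]*)\)", body):
        kv = {}
        for item in fields.split("%"):
            if item:
                key, _, value = item.partition("=")
                kv[key] = value      # empty values (e.g. "Q=") are kept as ""
        tests[name] = kv
    return tests


def diff_fingerprints(a, b):
    """Return {test: {field: (a_value, b_value)}} for every stable field that
    differs.  A field present on only one side shows None on the other."""
    diffs = {}
    for test in sorted(set(a) | set(b)):
        skip = VOLATILE.get(test, set())
        if skip is None:             # whole group is volatile, ignore it
            continue
        fa, fb = a.get(test, {}), b.get(test, {})
        for field in sorted(set(fa) | set(fb)):
            if field in skip:
                continue
            if fa.get(field) != fb.get(field):
                diffs.setdefault(test, {})[field] = (fa.get(field), fb.get(field))
    return diffs


def verdict(diffs):
    """State only what the comparison supports, nothing about who operates the hosts."""
    if diffs:
        return "different: the two addresses answer with different TCP/IP stack behaviour"
    return "identical: consistent with one box, but proves nothing about who controls them"


if __name__ == "__main__":
    d = diff_fingerprints(parse_fingerprint(HOST_A), parse_fingerprint(HOST_B))
    for test, fields in d.items():
        for field, (va, vb) in fields.items():
            print(f"{test}.{field}: A={va} B={vb}")
    print(verdict(d))
```

Run against the two constructed samples it lists the window sizes, option ordering, IP ID behaviour, ECN and ICMP echo differences and returns the "different" verdict; run against two copies of the same fingerprint it returns the "identical" verdict, which is the point made above: matching stacks are equally consistent with one machine behind two addresses and with two stock installs of the same OS, so they are not evidence of common control. Real use needs real `nmap -O` output for each host, and a difference can also come from one host retuned between scans, so the "different" result is evidence about stacks, not a proof on its own.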