ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt

Firewalls, packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. We define a security flag in the IPv4 header as a means of distinguishing the two cases.

Firewalls [CBR03], packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1. Great idea huh?

This doesn't make much sense to me, especially in how the bit is set. First off the RFC says that the "evil" application would request that the "evil" bit be set by the API. Now why would anyone write a program that is essentially ineffective.

Some applications hand-craft their own packets. If these packets are part of an attack, the application MUST set the evil bit by itself.

lol. That's like saying "I am going to write a word processor that doesn't allow words, it will only allow numbers".

hmm is that RFC like a big joke or something? Because I can't see how any of that would work.

April Fools' :)

Oh, yes, I was just playing along :D

100 POSTS weeee!