My guess is that since the packet is officially reserved and should not be set, a common firewall or other security appliance considers said packets to be malformed and drops them as a default behavior.
> So now we know that sites target this bit to block, but the real question is why? Is it that someone didn’t see the date of the RFC, maybe sarcasm doesn’t translate very well, possibly someone in the real world actually sent the evil bit when doing evil things, and cause some products to target it?
The evil bit could be something of a self-fulfilling prophecy. Because no one uses it, that makes it a source of bugs/vulnerabilities; therefore, anyone setting it deliberately but not maliciously (such as for a joke) will want to turn it off; only those who want to exploit it maliciously will keep it turned on; hence, anything with an evil bit can be safely assumed to be, in fact, evil, and it should be filtered out automatically.
If you're a firewall vendor, it seems like a no-lose situation to drop packets with the evil bit. Either someone's experimenting like in this blog post, and you look cool because you implemented an April Fool's RFC, or someone is actually sending malicious packets, and you look like a competent firewall. Imagine if you didn't drop the packets with the evil bit, and a hacker thinks it's funny to add the bit to their packets while they're exploiting some unrelated vulnerability in your software. The post-mortems and exploit writeups would make you look incompetent - "this firewall vendor can't even stop packets that announce their evil intentions!"
> Packets with the evil bit off MUST NOT be dropped.
That seems to be at odds with standard firewall operation, that may choose to drop packets because of all sorts of reasons unrelated to the "Evil bit". This would seem to constrain their operations unnecessarily, and so I would say that it is in the best interest of security vendors to ignore most of this RFC as frivolous and not binding.
No, no, that's the whole point - assuming standards-compliant users and attackers who follow this RFC, this simplifies firewall operation so that all packets with the evil bit off are not evil and can safely be forwarded, as any malicious traffic without the evil bit is simply noncompliant and should not be there, so any consequences of that are the fault of the noncompliant device (i.e. the attacker) as the firewall is operating properly according to the requirements.
The purpose of the RFC is to simplify security on the Internet, make such decisions transparent, and to preserve clear separation of concerns between the layers. As such, the evil bit is supposed to be the only thing that a conforming device checks.
Otherwise, we're back to square 1, where you don't know what caused your packets to be dropped even though they are clearly and explicitly not evil!
> After doing scans if I could connect to port 80 from a PC that had no evil bit kernel, and a normal one on the same network, I found the following list of domains that only failed on my evil bit computer
This seems to be the comparison between a totally regular device and one with the evil bit set, he doesn't mention a device having any other private bits besides the evil bit set.
I am 100% sure that it was in the article that he listed the sites which only failed on the evil bit, and not on other reserved bits. I've read it 4 times again, and it is not there now. Strange.
That seems crazy. When a new spec comes out and a previously reserved bit starts meaning something, you really don’t want old software to just drop packets as malformed. Reserved means ignore, not an assertion that it must be zero.
