Re: unused bit attack alert
From: vision () WHITEHATS COM (Max Vision)
Date: Wed, 23 Feb 2000 05:52:27 -0800
At 05:15 PM 2/22/2000 -0500, Mullen, Patrick wrote:
From the Snort Portscan module
/* Strip off the reserved bits for the testing, but flag
   that a scan is being done. */
th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);
if(th_flags != th_flags_cleaned)
    scan = sRESERVEDBITS;
You might want to strip R_URG as well, since per RFC 793 you can set the
URG flag on packets with minimal effect on state.
For example, I can perform a SYN+URG scan just as well as a SYN scan. I'm
sure several portscan detectors can be fooled with this per the explanation
seen earlier on Bugtraq.
tcpdump of my example SYN+URG scan:
me.23 > him.www: S 1087172887:1087172887(0) win 512 urg 0 [tos 0x10]
him.www > me.23: S 239306172:239306172(0) ack 1087172888 win 16384 <mss 512>
me.23 > him.www: R 1087172888:1087172888(0) win 0 [tos 0x10]
or the more illustrative view with snort:
02/23-04:41:33.193468 me:23 -> him:80
TCP TTL:64 TOS:0x10 ID:1396
**S****U Seq: 0x7FC28B3A Ack: 0x0 Win: 0x200
02/23-04:41:33.487261 him:80 -> me:23
TCP TTL:54 TOS:0x0 ID:64782
**S***A* Seq: 0xF1D8AD3 Ack: 0x7FC28B3B Win: 0x4000
TCP Options => MSS: 512
00 00 ..
An interesting IDS testing tool might be to write a fragrouter-like tcp
proxy that would set the URG bit on each packet. I'm speculating that this
would result in a valid exchange that would subvert certain common IDS.
Max Vision Network Security <vision () whitehats com>
Network Security Assessment http://maxvision.net/
100% Success Rate : Penetration Testing & Risk Mitigation
Free Visibility Analysis and Price Quote for Your Network
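An added example (not from the post above and not Snort's own code) of the flag normalisation this thread argues for: a scan classifier that strips the reserved bits the way the quoted Snort snippet does and, as suggested above, strips URG as well before deciding whether a header looks like a SYN probe. It assumes the eight flag columns in the snort output above are ordered reserved-bit-1, reserved-bit-2, S, F, R, P, A, U, with '*' for a clear bit; the sample flag strings are taken from that output.

```python
# TCP flag bits as laid out in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG, RES2, RES1 = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# Assumed column order of the 8-character flag string in the snort output
# above: reserved bit 1, reserved bit 2, then S F R P A U ('*' = clear).
_COLUMNS = (RES1, RES2, SYN, FIN, RST, PSH, ACK, URG)


def parse_flags(column_string):
    """Convert a snort-style flag string such as '**S****U' to the TCP flag byte."""
    if len(column_string) != 8:
        raise ValueError("expected 8 flag columns, got %r" % column_string)
    flags = 0
    for ch, bit in zip(column_string, _COLUMNS):
        if ch != '*':
            flags |= bit
    return flags


def classify_probe(flags, ignore_urg=True):
    """Classify a flag byte for portscan detection.

    Returns (label, reserved_bits_set). The reserved bits are removed before
    matching but remembered, mirroring the Snort logic quoted in the thread.
    With ignore_urg=True, URG is removed as well, so a SYN+URG probe is
    classified exactly like a plain SYN probe instead of falling through to
    'other' and escaping the SYN-scan counter.
    """
    reserved_set = bool(flags & (RES1 | RES2))
    cleaned = flags & ~(RES1 | RES2)
    if ignore_urg:
        cleaned &= ~URG
    if cleaned == SYN:
        label = "syn-probe"
    elif cleaned == (SYN | ACK):
        label = "syn-ack"          # normal second step of a handshake
    elif cleaned == FIN:
        label = "fin-probe"
    elif cleaned == 0:
        label = "null-probe"
    else:
        label = "other"
    return label, reserved_set


if __name__ == "__main__":
    # Constructed sample: the two packets from the snort trace above.
    for line in ("**S****U", "**S***A*"):
        print(line, classify_probe(parse_flags(line)))
```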