Home page logo

bugtraq logo Bugtraq mailing list archives

Re: unused bit attack alert
From: vision () WHITEHATS COM (Max Vision)
Date: Wed, 23 Feb 2000 05:52:27 -0800

At 05:15 PM 2/22/2000 -0500, Mullen, Patrick wrote:
From the Snort Portscan module


   /* Strip off the reserved bits for the testing, but flag
      that a scan is being done.
   th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);

   if(th_flags != th_flags_cleaned)
      scan = sRESERVEDBITS;

You might want to strip R_URG as well, since per RFC 793 you can set the
URG flag on packets with minimal effect to state.

For example, I can perform a SYN+URG scan just as well as a SYN scan.  I'm
sure several portscan detectors can be fooled with this per the explanation
seen earlier on Bugtraq.

tcpdump of my example SYN+URG scan:

me.23 > him.www: S 1087172887:1087172887(0) win 512 urg 0 [tos 0x10]
him.www > me.23: S 239306172:239306172(0) ack 1087172888 win 16384 <mss 512>
me.23 > him.www: R 1087172888:1087172888(0) win 0 [tos 0x10]

or the more illustrative view with snort:

02/23-04:41:33.193468 me:23 -> him:80
TCP TTL:64 TOS:0x10 ID:1396
**S****U Seq: 0x7FC28B3A   Ack: 0x0   Win: 0x200

02/23-04:41:33.487261 him:80 -> me:23
TCP TTL:54 TOS:0x0 ID:64782
**S***A* Seq: 0xF1D8AD3   Ack: 0x7FC28B3B   Win: 0x4000
TCP Options => MSS: 512
00 00                                            ..

An interesting IDS testing tool might be to write a fragrouter-like tcp
proxy that would set the URG bit on each packet.  I'm speculating that this
would result in a valid exchange that would subvert certain common IDS.


Max Vision Network Security        <vision () whitehats com>
Network Security Assessment         http://maxvision.net/
100% Success Rate : Penetration Testing & Risk Mitigation
Free Visibility Analysis and Price Quote for Your Network

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]