Bugtraq mailing list archives
Re: unused bit attack alert
From: vision () WHITEHATS COM (Max Vision)
Date: Wed, 23 Feb 2000 05:52:27 -0800
At 05:15 PM 2/22/2000 -0500, Mullen, Patrick wrote:
> From the Snort Portscan module (http://www.clark.net/~roesch/security.html) spp_portscan.c:
>
>     /* Strip off the reserved bits for the testing, but flag that a scan is
>        being done. */
>     th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);
>     if(th_flags != th_flags_cleaned)
>     {
>         scan = sRESERVEDBITS;
>     }

You might want to strip R_URG as well, since per RFC 793 you can set the URG flag on packets with minimal effect to state. For example, I can perform a SYN+URG scan just as well as a SYN scan. I'm sure several portscan detectors can be fooled with this per the explanation seen earlier on Bugtraq.

tcpdump of my example SYN+URG scan:

    me.23 > him.www: S 1087172887:1087172887(0) win 512 urg 0 [tos 0x10]
    him.www > me.23: S 239306172:239306172(0) ack 1087172888 win 16384 <mss 512>
    me.23 > him.www: R 1087172888:1087172888(0) win 0 [tos 0x10]

or the more illustrative view with snort:

    02/23-04:41:33.193468 me:23 -> him:80
    TCP TTL:64 TOS:0x10 ID:1396
    **S****U Seq: 0x7FC28B3A   Ack: 0x0   Win: 0x200

    02/23-04:41:33.487261 him:80 -> me:23
    TCP TTL:54 TOS:0x0 ID:64782
    **S***A* Seq: 0xF1D8AD3   Ack: 0x7FC28B3B   Win: 0x4000
    TCP Options => MSS: 512
    00 00 ..

An interesting IDS testing tool might be to write a fragrouter-like tcp proxy that would set the URG bit on each packet. I'm speculating that this would result in a valid exchange that would subvert certain common IDS.

Max

--
Max Vision Network Security <vision () whitehats com>
Network Security Assessment http://maxvision.net/
100% Success Rate : Penetration Testing & Risk Mitigation
Free Visibility Analysis and Price Quote for Your Network
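The following is an added example written for this archive page; it is not Snort's code and not Max's or Patrick's. It shows the detection-side point of the thread: a portscan counter that masks the reserved bits and URG before matching the flag byte still recognises the SYN+URG probe from the tcpdump above, whereas an exact comparison against R_SYN does not. The flag constants keep the Snort names quoted in the thread; the `probe_kind` values, the `classify_flags` and `count_probed_ports` functions and the sample segments are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits as laid out in the header flags byte (RFC 793). Names
 * follow the Snort constants quoted in the thread; values are the
 * standard bit positions. */
#define R_FIN  0x01
#define R_SYN  0x02
#define R_RST  0x04
#define R_PSH  0x08
#define R_ACK  0x10
#define R_URG  0x20
#define R_RES1 0x40
#define R_RES2 0x80

/* Flag signatures a portscan counter tallies. Hypothetical names,
 * modelled on the sRESERVEDBITS value in spp_portscan.c. */
enum probe_kind {
    PROBE_NONE = 0,  /* occurs in a normal connection lifecycle */
    PROBE_SYN,       /* bare SYN: one half-open probe, counted per port */
    PROBE_NULL,      /* no flags at all */
    PROBE_FIN,       /* FIN without ACK */
    PROBE_XMAS,      /* FIN+PSH (+URG, which is stripped before matching) */
    PROBE_INVALID    /* any other combination no real handshake produces */
};

struct verdict {
    enum probe_kind kind;
    int reserved_bits;  /* RES1/RES2 were set on the wire */
    int urg_stripped;   /* URG was set and removed before matching */
};

/* The check a detector that ignores URG might make: an exact match. */
int matches_exact_syn(uint8_t th_flags) { return th_flags == R_SYN; }

/* Mask the reserved bits (as the quoted snippet does) and URG (as Max
 * suggests), remembering both, then match the cleaned byte. */
struct verdict classify_flags(uint8_t th_flags)
{
    struct verdict v = { PROBE_NONE, 0, 0 };
    uint8_t cleaned = th_flags & (uint8_t)~(R_RES1 | R_RES2);

    if (cleaned != th_flags)
        v.reserved_bits = 1;
    if (cleaned & R_URG) {          /* URG changes no connection state */
        v.urg_stripped = 1;
        cleaned &= (uint8_t)~R_URG;
    }
    switch (cleaned) {
    case R_SYN:          v.kind = PROBE_SYN;  break;
    case 0:              v.kind = PROBE_NULL; break;
    case R_FIN:          v.kind = PROBE_FIN;  break;
    case R_FIN | R_PSH:  v.kind = PROBE_XMAS; break;
    case R_SYN | R_ACK: case R_ACK: case R_ACK | R_PSH:
    case R_ACK | R_FIN: case R_ACK | R_FIN | R_PSH:
    case R_RST: case R_RST | R_ACK:
        v.kind = PROBE_NONE; break;   /* legitimate combinations */
    default:
        v.kind = PROBE_INVALID; break;
    }
    return v;
}

struct segment { uint32_t src; uint16_t dport; uint8_t th_flags; };

/* Distinct destination ports probed by one source; a real detector
 * alerts when this passes a threshold inside a time window. */
int count_probed_ports(const struct segment *segs, int n, uint32_t src)
{
    uint8_t seen[8192] = {0};       /* one bit per TCP port */
    int distinct = 0;
    for (int i = 0; i < n; i++) {
        if (segs[i].src != src) continue;
        if (classify_flags(segs[i].th_flags).kind == PROBE_NONE) continue;
        int byte = segs[i].dport >> 3, bit = 1 << (segs[i].dport & 7);
        if (!(seen[byte] & bit)) { seen[byte] |= bit; distinct++; }
    }
    return distinct;
}

/* Constructed sample: the SYN+URG / SYN+ACK / RST exchange from the
 * tcpdump, plus two more SYN+URG probes to other ports and a repeat. */
#define ME  0x0A000001u
#define HIM 0x0A000002u
static const struct segment sample[] = {
    { ME,  80, R_SYN | R_URG }, { HIM, 23, R_SYN | R_ACK },
    { ME,  80, R_RST },         { ME,  22, R_SYN | R_URG },
    { ME,  25, R_SYN | R_URG }, { ME,  80, R_SYN | R_URG },
};

int sample_probe_count(void)
{
    return count_probed_ports(sample, (int)(sizeof sample / sizeof *sample), ME);
}

int main(void)
{
    struct verdict v = classify_flags(R_SYN | R_URG);
    printf("SYN+URG: exact-match=%d cleaned-kind=%d urg_stripped=%d\n",
           matches_exact_syn(R_SYN | R_URG), v.kind, v.urg_stripped);
    printf("ports probed by ME in sample: %d\n", sample_probe_count());
    return 0;
}
```

The RST that closes each half-open probe is classified as ordinary traffic, so only the SYN+URG segments advance the per-port tally; a repeat to the same port does not count twice.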