Security Incidents mailing list archives

[Snort-users] [bgallia () orion it luc edu: Castor's use of "ECN" shut-off] (fwd)


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Tue, 12 Sep 2000 12:23:39 -0700

This was news to me, so I figured other folks here might not know about
it, and be interested.

                                        Ryan

---------- Forwarded message ----------
Date: Tue, 12 Sep 2000 09:30:14 -0600
From: Phil Wood <cpw () lanl gov>
To: snort-users () lists sourceforge net
Cc: rwc () lanl gov
Subject: [Snort-users] [bgallia () orion it luc edu: Castor's use of "ECN"
    shut-off]

Folks, the included message explains why I was getting some alerts from
portscan due to RESERVEDBITS set:

Sep 8 00:19:40 x.x.x.x:1760 -> y.y.y.y:80 SYN 21S***** RESERVEDBITS

I had read the source for tcpdump and found reference to RFC2481 which
mentioned the reserved bits.  But, I didn't know it was in "production" use.

So, should one ignore these, at least at the "email/paging" level?

Thanks,

--
Phil Wood, cpw () lanl gov

--- Begin Message ---
From: "B. Galliart" <bgallia () orion it luc edu>
Date: Mon, 11 Sep 2000 17:16:14 -0500 (CDT)
This is the results of my research into the unusual behavior of Castor:

Last week, as a work-around to problems with the Loyola network, we
upgraded Castor (one of our mail servers) to Linux kernel version
2.4.0-test7.  This kernel, by default, includes an implementation of ECN
(Explicit Congestion Notification), also known as RFC 2481 [1].  ECN is
also promoted by Cisco in their _Internet_Protocol_Journal_ as a method of
improving TCP performance [2].  However, some IDS and firewall systems
appear to expect strict adherence to RFC 793 [3], which states that the bits
used for ECN "must be zero" (since they were reserved for future
use).  Among these products is Cisco's own PIX firewall, and while
Cisco's IPJ promotes the support of ECN, there is nothing in release notes
for PIX IOS 5.1 or IOS 5.2 that indicate that Cisco itself is supporting
ECN.  The maintainers of the Linux kernel seem to be aware of the problem
and discussion has already been underway on the kernel developer's mailing
list [6].  In the meantime, support of ECN/RFC 2481 will remain turned
off on Castor.  Also, there is no reason at this time to believe that
someone compromised the administrative access needed to forge their own
non-standard TCP header from Castor.

Ben Galliart
Information Technologies
Loyola University Chicago

References:
[1] http://www.faqs.org/rfcs/rfc2481.html
[2] http://www.cisco.com/warp/public/759/ipj_3-2/ipj_3-2_tcp.html
[3] http://www.faqs.org/rfcs/rfc793.html
[4] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/pixrn512.htm
[5] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/pixrn521.htm#xtocid133580
[6] http://www.uwsg.indiana.edu/hypermail/linux/kernel/0009.1/index.html

--- End Message ---
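Phil's question (should RESERVEDBITS alerts be ignored at the paging level?) and Ben's explanation (the bits are the two RFC 2481 ECN bits, not forged headers) both come down to the same triage rule: a SYN carrying exactly the CWR and ECE bits is an ECN-capable host starting a connection, while anything else in the reserved space is still worth a look. The following is an added example, not code from either poster or from Snort: it parses a raw TCP header, renders the flags in the eight-character layout seen in the logged `21S*****` string (the `21SFRPAU` ordering, and which of the two former reserved bits each digit denotes, are assumptions inferred from that log line), and classifies the reserved-bit usage against RFC 793 and RFC 2481. The sample headers are constructed for the demonstration.

```python
import struct

# Flag bits in byte 13 of the TCP header (RFC 793; CWR/ECE added by RFC 2481).
CWR, ECE, URG, ACK, PSH, RST, SYN, FIN = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
ECN_BITS = CWR | ECE  # the two bits RFC 793 reserved and RFC 2481 assigned to ECN


def portscan_flag_string(flags: int) -> str:
    """Render flags the way the old Snort portscan preprocessor did: eight
    characters in the (assumed) order 2,1,S,F,R,P,A,U with '*' for a clear bit."""
    layout = (("2", CWR), ("1", ECE), ("S", SYN), ("F", FIN),
              ("R", RST), ("P", PSH), ("A", ACK), ("U", URG))
    return "".join(ch if flags & bit else "*" for ch, bit in layout)


def parse_tcp_header(raw: bytes) -> dict:
    """Parse the fixed 20-byte TCP header (RFC 793 layout)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urp = struct.unpack("!HHIIBBHHH", raw[:20])
    return {
        "sport": sport,
        "dport": dport,
        "data_offset": off_res >> 4,          # header length in 32-bit words
        "reserved_nibble": off_res & 0x0F,    # RFC 793 reserved bits in byte 12, never assigned
        "flags": flags,
    }


def classify_reserved_bits(hdr: dict) -> str:
    """Decide whether non-zero 'reserved' bits are expected ECN use or an anomaly."""
    flags = hdr["flags"]
    ecn = flags & ECN_BITS
    if hdr["reserved_nibble"]:
        # No standard assigns these; a non-zero value is a real RFC 793 violation.
        return "ANOMALY: reserved bits in data-offset byte set"
    if ecn == 0:
        return "clean: no reserved bits set"
    if ecn == ECN_BITS and flags & SYN and not flags & ACK:
        # RFC 2481 ECN-setup SYN: both ECE and CWR set by an ECN-capable initiator.
        return "benign: ECN-setup SYN (RFC 2481), peer is ECN-capable"
    if ecn == ECE and flags & (SYN | ACK) == (SYN | ACK):
        # RFC 2481 ECN-setup SYN-ACK: only ECE set by an ECN-capable responder.
        return "benign: ECN-setup SYN-ACK (RFC 2481)"
    if flags & SYN:
        return "ANOMALY: ECN bit pattern not defined for a SYN"
    # On an established flow CWR/ECE carry congestion signals; nothing to page about.
    return "benign: ECN congestion signalling on established flow"


def triage(raw: bytes) -> tuple:
    """Return (portscan-style flag string, verdict) for a raw TCP header."""
    hdr = parse_tcp_header(raw)
    return portscan_flag_string(hdr["flags"]), classify_reserved_bits(hdr)


def build_header(sport: int, dport: int, flags: int, reserved_nibble: int = 0) -> bytes:
    """Construct a minimal 20-byte TCP header for test traffic (constructed sample)."""
    off_res = (5 << 4) | (reserved_nibble & 0x0F)
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, off_res, flags, 8192, 0, 0)


# Constructed samples: the Castor-style ECN SYN, its SYN-ACK, a SYN with a
# single ECN bit, and a header abusing the data-offset reserved nibble.
SAMPLES = {
    "castor_ecn_syn": build_header(1760, 80, SYN | CWR | ECE),
    "ecn_syn_ack": build_header(80, 1760, SYN | ACK | ECE),
    "odd_syn_cwr_only": build_header(1760, 80, SYN | CWR),
    "reserved_nibble_set": build_header(1760, 80, SYN, reserved_nibble=0x8),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        flag_str, verdict = triage(raw)
        print(f"{name:22s} {flag_str}  {verdict}")
```

Run as a script it prints the `21S*****` rendering for the Castor-style SYN alongside a benign verdict, so a portscan RESERVEDBITS event of that shape can be demoted from paging while the other reserved-bit patterns still surface as anomalies.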
