Detecting TCP Timestamp PAWS DoS from tracefile

["J.Smith" <lbalbalba () hotmail com>]

Hi.


At our site, we have the impression that we might have been hit by the 
following issue :

Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service Vulnerability
http://www.securityfocus.com/bid/13676

TCP does not adequately validate segments before updating timestamp value
http://www.kb.cert.org/vuls/id/637934


In a nutshell, the issue manifests if an attacker transmits a sufficient TCP 
PAWS packet to a vulnerable computer. A large value is set by the attacker 
as the tcp packet timestamp. When the target computer processes this packet, 
the internal timer is updated to the large attacker supplied value. This 
causes all other valid packets that are received subsequent to an attack to 
be dropped as they are deemed to be too old, or invalid. This effectively 
'stalls' the connection, which will deny service for a target connection.

Fortunately, we have a tracefile of some of the traffic that hit our site at 
the time. I was wondering how easy it would be to 'proof' that we did indeed 
experience this issue with the use of snort ? I did a quick scan of the 
snort ruleset database, but it appears that detection of this issue is not 
included in the snort database yet ?



Thanks,


John Smith.


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users