[13991] in bugtraq
Re: unused bit attack alert
daemon@ATHENA.MIT.EDU (CyberPsychotic)
Wed Feb 23 15:14:34 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10002230813290.442-100000@epr0.org>
Date: Wed, 23 Feb 2000 08:34:39 +0500
Reply-To: CyberPsychotic <fygrave@EPR0.ORG>
From: CyberPsychotic <fygrave@EPR0.ORG>
X-To: LigerTeam <ligerteam@hotmail.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200002211543.HAA24775@www.geocrawler.com>
On Mon, 21 Feb 2000 out of nowhere LigerTeam spoke:
~ :The flag value. Each one corresponds to 1 bit,
~ :but it has 2 unused bits.
~ :
~ :|unused|unused|URG|ACK|PSH|RST|SYN|FIN|
~ :
~ :Understanding of the very problem is simple.
Not new. These bits have already been used by queso fingerprints a while ago
(`f' type of packet). Whether these bits are considered or ignored also
apparently depends on the TCP stack implementation (Linux vs. MacOS, for example).
~ :When the flags variable in the TCP header is adjusted
~ :totally with the given value,
~ :the higher two bits (unused bits) must be cleared
~ :and set to 0.
Wouldn't agree. By the RFC, the two higher bits here are considered `reserved' and
should be set to `0'. Seeing these bits set to `1' is already a
good indication of hostile activity or broken hardware in your network, so
you should be able to spot these packets too.
--
Key fingerprint = 4422 16FC 3C7D E10A B044 CA4F 2BE0 3943 9758 9324
http://www.kalug.lug.net/fygrave/
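
A minimal way to spot the packets the reply describes, as an added example that is not part of the original post: it reads the flag byte of a raw IPv4/TCP packet and reports whether either of the two high bits is set. The function names and the sample packets are constructed for illustration. RFC 3168 later assigned these two bits to ECN (ECE and CWR), so on current networks they also appear in legitimate traffic.

```python
import struct

# Flag byte layout from the post: |unused|unused|URG|ACK|PSH|RST|SYN|FIN|
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
HIGH_BITS = 0xC0  # the two bits reserved in RFC 793 (ECE=0x40, CWR=0x80 since RFC 3168)


def tcp_flag_byte(packet: bytes):
    """Return the TCP flag byte of a raw IPv4 packet, or None if it has no TCP header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 14:
        return None
    # Non-first fragments do not carry the TCP header
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None
    return packet[ihl + 13]               # byte 13 of the TCP header holds the flags


def check_packet(packet: bytes):
    """Return (flag names, high-bit mask) or None; a non-zero mask means a high bit is set."""
    flags = tcp_flag_byte(packet)
    if flags is None:
        return None
    names = [n for i, n in enumerate(FLAG_NAMES) if flags & (1 << i)]
    return names, flags & HIGH_BITS


def build_packet(flags: int) -> bytes:
    """Constructed sample: minimal IPv4+TCP packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # Constructed flag values: plain SYN, SYN with both high bits, SYN/ACK, ACK with 0x40
    for f in (0x02, 0xC2, 0x12, 0x50):
        print(hex(f), check_packet(build_packet(f)))
```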