[14000] in bugtraq
Re: unused bit attack alert
daemon@ATHENA.MIT.EDU (Max Vision)
Thu Feb 24 14:17:10 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Enip.BSO.23.0002240337380.26970-100000@www.whitehats.com>
Date: Thu, 24 Feb 2000 04:28:46 -0800
Reply-To: Max Vision <vision@WHITEHATS.COM>
From: Max Vision <vision@WHITEHATS.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <4.3.2.20000223032902.02685ef8@localhost>
This is true of PSH as well. I had actually meant to respond regarding
the PSH flag (SYN+PSH scans are perfectly workable), but had looked at URG
first when writing my response and somehow accidentally omited mention of
PSH. (Thanks Patrick for reminding me of what I said a few months ago
about PSH)
I inadvertently ended up repeating what Vern Paxson had posted just days
earlier with regard to adding ligitmate flags to traffic:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=200002212236.OAA01744@daffy.ee.lbl.gov
To summarize, it looks like in most cases PSH, URG, or the two reserved
bits can be set in packets without affecting their function. Portscan
detectors and IDS should take this into account by masking to the value
being tested.
Has anyone already researched how various IP stacks deal with these
"extra" flags in otherwise normal traffic - aside from my very limited
portscan tests?
On Wed, 23 Feb 2000, Max Vision wrote:
> You might want to strip R_URG as well, since per RFC 793 you can set the
> URG flag on packets with minimal effect to state.
>
...
>
> Max
>
> --
> Max Vision Network Security <vision@whitehats.com>
> Network Security Assessment http://maxvision.net/
> 100% Success Rate : Penetration Testing & Risk Mitigation
> Free Visibility Analysis and Price Quote for Your Network
>
