unused bit attack alert <fwd>
Russell Fulton
r.fulton at auckland.ac.nz
Wed Feb 23 15:55:13 EST 2000
Appended message forwarded from Bugtraq -- apologies to those of you
who have already seen it.
Hmmm... what does argus do with these bits -- I am guessing (I have
not had a look at the source yet) that it simply ignores them. I am
wondering if there should not be another state added to the tcp state
machine model in argus -- namely ILLEGAL for packets with illegal sets
of flags set. This would include anything with the two unused bits set
and other illegal combinations.
Such packets would show up in ra as status ILL, or possibly BAD ;-)
This would be great for detecting OS fingerprinting and things like
Xmas scans.
Any thoughts ?
Russell.
--- Begin Forwarded Message ---
Date: Tue, 22 Feb 2000 11:54:09 +0100
From: Jochen Bauer <jtb at THEO2.PHYSIK.UNI-STUTTGART.DE>
Subject: Re: unused bit attack alert
Sender: owner-local-bugtraq at auckland.ac.nz
To: BUGTRAQ at SECURITYFOCUS.COM
Reply-To: Jochen Bauer <jtb at THEO2.PHYSIK.UNI-STUTTGART.DE>
Message-ID: <20000222115409.A29641 at luna.theo2.physik.uni-stuttgart.de>
On Mon, Feb 21, 2000 at 07:43:54AM -0800, LigerTeam wrote:
[...]
> In fact, the TCP header has 6 kinds of
> TCP flag (SYN, ACK, PSH, RST, FIN, URG).
>
> The problem is that the flag value in the TCP header
> is held in a 1-byte variable of u_char type.
> ex) see the tcp.h file
>
> Each flag value corresponds to 1 bit,
> but it has 2 unused bits.
>
> |unused|unused|URG|ACK|PSH|RST|SYN|FIN|
>
> Understanding the problem is simple.
> Let's compare the two pieces of code.
> ex) several code types for a SYN scan detector program
>
> i) if ( flag == TH_SYN )
>
> ii) if ( flag & TH_SYN )
>
> (TH_SYN->SYN flag)
>
> Code i) is true only when the SYN
> flag bit is set to 1.
>
> So the flag value is 0x2,
> or |0|0|0|0|0|0|1|0| in bits.
>
> The next code, ii), is true whenever the SYN flag bit
> (the TH_SYN value in flags) is set to 1;
> the state of the other bits has no influence.
>
> From this we can easily see a very
> important thing.
>
> If hackers set one or both of the two higher bits (the unused bits) to 1,
> code type ii) has a false value,
> but code type i) keeps a true value,
> and hackers avoid the scan detector.
[...]
> Conclusion:
>
> When the flags variable in the TCP header is tested
> as a whole against a given value,
> the higher two bits (the unused bits) must be cleared
> and set to 0.
[...]
This is a known issue; it's in the category of "invalid TCP flags
scanning". In fact, the two unused bits in the TCP flags byte can
be used for TCP fingerprinting as the response to such TCP packets
is not specified in RFC 793 and therefore depends on the TCP/IP
implementation being used. In addition to TCP fingerprinting, TCP
packets with certain invalid (i.e. not covered by RFC 793) flag
combinations not including the SYN flag can be used to determine
which ports are open on the target machine.
This leads one to the conclusion that focussing on TCP packets with
the SYN flag set is completely insufficient for scan detection. Any
decent scan detector must, among other things, pay explicit
attention to those 2 unused bits in the TCP flags byte anyway.
--
Jochen Bauer
Security Team (RUS-CERT)
Computer Center of the University of Stuttgart
Germany
Email: jtb at theo2.physik.uni-stuttgart.de
       jochen.bauer at rus.uni-stuttgart.de
PGP Public Key: http://ca.uni-stuttgart.de:11371/pks/lookup?op=index&search=0xB5D92889
--- End Forwarded Message ---
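As an added example (not code from the original post, the Bugtraq thread, or Argus), here is the i)/ii) comparison from the quoted post next to the ILLEGAL state Russell proposes, written in C. The TH_* values match tcp.h; TH_RESERVED, tcp_flag_status and the ILL/OK status strings are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bit values as laid out in tcp.h (defined here so the file builds
 * without platform headers). TH_RESERVED is this example's own name for
 * the two "unused" high bits of the flags byte. */
#define TH_FIN      0x01
#define TH_SYN      0x02
#define TH_RST      0x04
#define TH_PUSH     0x08
#define TH_ACK      0x10
#define TH_URG      0x20
#define TH_RESERVED 0xC0

/* Test i) from the post: exact comparison, defeated by any extra bit. */
int syn_exact(uint8_t flags) { return flags == TH_SYN; }

/* Test ii) from the post: bit mask, unaffected by the other bits. */
int syn_mask(uint8_t flags) { return (flags & TH_SYN) != 0; }

/* The ILLEGAL state proposed above: "ILL" for any flags byte that no
 * RFC 793 exchange produces, "OK" otherwise. Status names are assumed. */
const char *tcp_flag_status(uint8_t flags)
{
    if (flags & TH_RESERVED)                    /* undefined bits set   */
        return "ILL";
    if (flags == 0)                             /* no flags: NULL scan  */
        return "ILL";
    if ((flags & TH_SYN) && (flags & (TH_FIN | TH_RST)))
        return "ILL";                           /* SYN+FIN, SYN+RST     */
    if (!(flags & (TH_SYN | TH_RST | TH_ACK)))  /* FIN/PSH/URG with no  */
        return "ILL";                           /* ACK: FIN, Xmas scans */
    return "OK";
}

int main(void)
{
    /* Constructed sample flag bytes: plain SYN, SYN with both unused bits,
     * SYN/ACK, Xmas (FIN|PSH|URG), NULL, SYN|FIN. */
    const uint8_t samples[] = { 0x02, 0xC2, 0x12, 0x29, 0x00, 0x03 };
    size_t i;
    printf("flags  ==SYN  &SYN  status\n");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%02x   %d      %d     %s\n", samples[i],
               syn_exact(samples[i]), syn_mask(samples[i]),
               tcp_flag_status(samples[i]));
    return 0;
}
```

The 0xC2 row shows the point of the post: the exact test misses a SYN carrying the unused bits while the mask test still sees it, and the status column flags the packet as ILL either way.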