unused bit attack alert <fwd>

Russell Fulton r.fulton at auckland.ac.nz
Wed Feb 23 15:55:13 EST 2000

Appended message forwarded from Bugtraq -- apologies to those of you 
who have already seen it.

Hmmm...  what does argus do with these bits -- I am guessing (I have 
not had a look at the source yet) that it simply ignores them.  I am 
wondering if there should not be another state added to the tcp state 
machine model in argus -- namely ILLEGAL for packets with illegal sets 
of flags set.  This would include anything with the two unused bits set 
and other illegal combinations.

Such packets would show up in ra as status ILL, or possibly BAD ;-)
This would be great for detecting OS fingerprinting and things like 
Xmas scans.

Any thoughts ?


--- Begin Forwarded Message ---
Date: Tue, 22 Feb 2000 11:54:09 +0100
From: Jochen Bauer <jtb at THEO2.PHYSIK.UNI-STUTTGART.DE>
Subject: Re: unused bit attack alert
Sender: owner-local-bugtraq at auckland.ac.nz

Reply-To: Jochen Bauer <jtb at THEO2.PHYSIK.UNI-STUTTGART.DE>
Message-ID: <20000222115409.A29641 at luna.theo2.physik.uni-stuttgart.de>

On Mon, Feb 21, 2000 at 07:43:54AM -0800, LigerTeam wrote:
> In fact, TCP header is 6 kinds  of
> tcp  flag (SYN, ACK,  PSH, RST, FIN,  URG).
> problem is the flag value in TCP header
> approaches to 1byte variable of u_char type.
> ex)see tcp.h file
> The flag value Each  one correspond to 1 bit,
> but it have unused 2 bit.
> |unused|unused|URG|ACK|PSH|RST|SYN|FIN|
> Understanding of the very problem is simple.
> Let's compare the two codes.
> ex)SYN Scan detecter program several code type
>  i) if ( flag == TH_SYN )
>  ii) if ( flag & TH_SYN )
> (TH_SYN->SYN flag)
> The i) code is true, only  when the syn
> flag bit  is set at 1.
> So  the flag value is 0x2,
> and |0|0|0|0|0|0|1|0| in bit.
>  The next ii) code is true, only
>  when SYN flag bit, the TH_SYN value
>  in flags, is set at 1, and the other
>  bit state is not influential.
>  Eventually, we can easily know a very
>  important thing.
> If hackers use the two higher bit(unused bit)
> one or all, to set at  1,
> ii) code type has false value,
> but i) code type last true value.
> and hackers avoid scan detecter
> Conclusion:
> When the flags variable in tcp header is adjusted
> totally with given value,
> higher two bit(unused bit) must be cleared
> and set at 0.

This is a known issue; it's in the category of "invalid TCP flags 
scanning". In fact, the two unused bits in the TCP flags byte can 
be used for TCP fingerprinting as the response to such TCP packets 
is not specified in RFC 793 and therefore depends on the TCP/IP 
implementation being used. In addition to TCP fingerprinting, TCP 
packets with certain invalid (i.e. not covered by RFC 793) flag
combinations not including the SYN flag can be used to determine 
which ports are open on the target machine.

This leads one to the conclusion that focussing on TCP packets with 
the SYN flag set is completely insufficient for scan detection. Any 
decent scan detector must, among other things, pay explicit 
attention to those 2 unused bits in the TCP flags byte anyway.

Jochen Bauer

Security Team (RUS-CERT)                                              
Computer Center of the University of Stuttgart                        
*Email: jtb at theo2.physik.uni-stuttgart.de                              *
*       jochen.bauer at rus.uni-stuttgart.de                              *
*                                                                      *
*PGP Public Key:                                                       *

--- End Forwarded Message ---

More information about the argus mailing list