unused bit attack alert <fwd>

Carter Bullard cbullard at nortelnetworks.com
Mon Mar 6 13:03:18 EST 2000


Hey Russell et al.,
   Argus doesn't do anything with these bits, but these
bits are already in use as experimental bits for Explicit
Congestion Notification (ECN) and some other experimental
IETF TCP thing that I've already forgotten about.
Tracking these experimental bits is, of course, a great
idea.

   There aren't too many illegal TCP bit combinations,
and this logic would be very useful, however, the Argus
reporting strategy is to have a status bit to report
each explicit condition.  Each detected combination would
require a bit in a status field somewhere, and we don't
really have any status bits to spare in the 1.x version
of Argus.

   As a result, I am starting to think a lot about
Argus 2.0, which will have a completely new Argus record
format.  I am working on the basics right now.
I would like to stay with fixed length records, and 128 - 192
byte fixed length binary records are looking very attractive
to me.  An alternative would be for Argus to output XML-
formatted data, but I would rather have Argus put out binary,
and have converters/translators that would generate XML
as an example.

   I would love to hear what you guys would like to see
in Argus 2.0.  My list is focused on performance metrics,
but enhanced TCP state metrics are things that would be
more than reasonable.  Any ideas????

Best Regards,

Carter


> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
> Sent: Wednesday, February 23, 2000 3:55 PM
> To: argus at lists.andrew.cmu.edu
> Subject: Re: unused bit attack alert <fwd>
> 
> 
> Appended message forwarded from Bugtraq -- apologies to those of you 
> who have already seen it.
> 
> Hmmm...  what does argus do with these bits -- I am guessing (I have 
> not had a look at the source yet) that it simply ignores them.  I am 
> wondering if there should not be another state added to the tcp state 
> machine model in argus -- namely ILLEGAL for packets with illegal sets 
> of flags set.  This would include anything with the two unused bits set 
> and other illegal combinations.
> 
> Such packets would show up in ra as status ILL, or possibly BAD ;-)
> This would be great for detecting OS fingerprinting and things like 
> Xmas scans.
> 
> Any thoughts ?
> 
> Russell.
> 
> 
> --- Begin Forwarded Message ---
> Date: Tue, 22 Feb 2000 11:54:09 +0100
> From: Jochen Bauer <jtb at THEO2.PHYSIK.UNI-STUTTGART.DE>
> Subject: Re: unused bit attack alert
> Sender: owner-local-bugtraq at auckland.ac.nz
> To: BUGTRAQ at SECURITYFOCUS.COM
> 
> Reply-To: Jochen Bauer <jtb at THEO2.PHYSIK.UNI-STUTTGART.DE>
> Message-ID: <20000222115409.A29641 at luna.theo2.physik.uni-stuttgart.de>
> 
> 
> On Mon, Feb 21, 2000 at 07:43:54AM -0800, LigerTeam wrote:
> [...]
> > In fact, the TCP header has 6 kinds of
> > TCP flags (SYN, ACK, PSH, RST, FIN, URG).
> > 
> > The problem is that the flag value in the TCP header
> > is a 1-byte variable of type u_char.
> > ex) see the tcp.h file
> > 
> > Each flag corresponds to 1 bit,
> > but 2 bits are unused.
> > 
> > |unused|unused|URG|ACK|PSH|RST|SYN|FIN|
> > 
> > Understanding the problem is simple.
> > Let's compare the two pieces of code.
> > ex) SYN scan detector programs use several code types
> > 
> >  i) if ( flag == TH_SYN )
> > 
> >  ii) if ( flag & TH_SYN )
> > 
> > (TH_SYN -> SYN flag)
> > 
> > The i) code is true only when the SYN
> > flag bit is set to 1.
> > 
> > So the flag value is 0x2,
> > or |0|0|0|0|0|0|1|0| in bits.
> > 
> >  The next ii) code is true only
> >  when the SYN flag bit, the TH_SYN value
> >  in flags, is set to 1, and the state of the other
> >  bits is not influential.
> > 
> >  Eventually, we can easily see a very
> >  important thing.
> > 
> > If hackers set one or both of the two higher bits (unused bits)
> > to 1,
> > the ii) code type has a false value,
> > but the i) code type keeps a true value,
> > and hackers avoid the scan detector.
> [...] 
> > Conclusion:
> > 
> > When the flags variable in the TCP header is matched
> > in its entirety against a given value,
> > the higher two bits (unused bits) must be cleared
> > and set to 0.
> [...]
> 
> This is a known issue; it's in the category of "invalid TCP flags 
> scanning". In fact, the two unused bits in the TCP flags byte can 
> be used for TCP fingerprinting as the response to such TCP packets 
> is not specified in RFC 793 and therefore depends on the TCP/IP 
> implementation being used. In addition to TCP fingerprinting, TCP 
> packets with certain invalid (i.e. not covered by RFC 793) flag
> combinations not including the SYN flag can be used to determine 
> which ports are open on the target machine.
> 
> This leads one to the conclusion that focussing on TCP packets with 
> the SYN flag set is completely insufficient for scan detection. Any 
> decent scan detector must, among other things, pay explicit 
> attention to those 2 unused bits in the TCP flags byte anyway.
> 
> --
> Jochen Bauer
> 
> Security Team (RUS-CERT)
> Computer Center of the University of Stuttgart
> Germany
> 
> ************************************************************************
> * Email: jtb at theo2.physik.uni-stuttgart.de                          *
> *        jochen.bauer at rus.uni-stuttgart.de                          *
> *                                                                      *
> * PGP Public Key:                                                      *
> * http://ca.uni-stuttgart.de:11371/pks/lookup?op=index&search=0xB5D92889 *
> ************************************************************************
> 
> --- End Forwarded Message ---
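The two comparison styles from the forwarded Bugtraq post, and the ILLEGAL status that Russell suggests for ra, are easy to see side by side in code. The following C program is an added example written for this archive page; it is not Argus source and not code from any of the posters. It assumes the BSD tcp.h flag values (TH_FIN 0x01 through TH_URG 0x20) that the post refers to, and the names `syn_exact`, `syn_mask`, `syn_exact_masked`, `classify_flags` and `flag_status` are mine. The exact comparison i) fails on a SYN whose reserved bits are set while the mask test ii) still matches, and clearing the two high bits before the exact compare, as the post's conclusion recommends, restores the match. The classifier keeps reserved bits in their own class rather than lumping them in with illegal combinations because, as Carter notes, those bits are in use for ECN and an ECN-capable stack sets them legitimately on a SYN; an analyst can still alert on them, but with a different expectation of false positives than for a SYN+FIN or a null segment.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits, matching the layout of the BSD tcp.h the post refers to. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
/* The two high bits that RFC 793 left unused; later assigned to ECN (ECE 0x40, CWR 0x80). */
#define TH_RESERVED 0xC0

/* i) from the post: exact comparison, false as soon as any other bit is set. */
int syn_exact(uint8_t flags) { return flags == TH_SYN; }

/* ii) from the post: mask test, true whenever SYN is set, whatever else is. */
int syn_mask(uint8_t flags) { return (flags & TH_SYN) != 0; }

/* The post's conclusion applied: clear the unused bits before the exact compare. */
int syn_exact_masked(uint8_t flags) { return (flags & ~TH_RESERVED) == TH_SYN; }

/* Classification suitable for a status field like the ILLEGAL state Russell proposes
 * (hypothetical names; Argus itself has no such field in 1.x). Reserved bits get their
 * own class because an ECN-capable host sets them legitimately. */
enum flag_class { FLAGS_OK = 0, FLAGS_RESERVED = 1, FLAGS_ILLEGAL = 2 };

enum flag_class classify_flags(uint8_t flags)
{
    if (flags & TH_RESERVED)
        return FLAGS_RESERVED;
    if (flags == 0)                                        /* no flags at all: "null" probe */
        return FLAGS_ILLEGAL;
    if ((flags & TH_SYN) && (flags & (TH_FIN | TH_RST)))  /* SYN combined with FIN or RST */
        return FLAGS_ILLEGAL;
    if ((flags & TH_FIN) && !(flags & TH_ACK))            /* FIN without ACK: bare FIN and Xmas probes */
        return FLAGS_ILLEGAL;
    return FLAGS_OK;
}

/* Short status string in the style of ra's output; "ILL" is the name Russell suggests. */
const char *flag_status(uint8_t flags)
{
    switch (classify_flags(flags)) {
    case FLAGS_RESERVED: return "RSV";
    case FLAGS_ILLEGAL:  return "ILL";
    default:             return "OK";
    }
}

int main(void)
{
    /* Constructed sample flag bytes for the table below, not captured traffic. */
    const uint8_t samples[] = { 0x02, 0x82, 0x12, 0x11, 0x00, 0x03, 0x29, 0xC2 };
    printf("flags  ==SYN  &SYN  masked==SYN  status\n");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t f = samples[i];
        printf("0x%02x   %d      %d     %d            %s\n",
               f, syn_exact(f), syn_mask(f), syn_exact_masked(f), flag_status(f));
    }
    return 0;
}
```

Running it prints one row per sample byte: 0x82 (SYN plus one reserved bit) is the case the post describes, with the exact compare reporting 0 and both the mask test and the masked compare reporting 1. The FIN-without-ACK rule is the narrowest statement of "not covered by RFC 793" that still catches the bare-FIN and Xmas probes Jochen and Russell mention; a deployment that sees a lot of ECN traffic would treat the RSV class as informational rather than as an alert.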