Re: unused bit attack alert

[vision () WHITEHATS COM (Max Vision)]

This is true of PSH as well.  I had actually meant to respond regarding
the PSH flag (SYN+PSH scans are perfectly workable), but had looked at URG
first when writing my response and somehow accidentally omited mention of
PSH.  (Thanks Patrick for reminding me of what I said a few months ago
about PSH)

I inadvertently ended up repeating what Vern Paxson had posted just days
earlier with regard to adding ligitmate flags to traffic:
200002212236.OAA01744 () daffy ee lbl 
gov">http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=200002212236.OAA01744 () daffy ee 
lbl gov</A>

To summarize, it looks like in most cases PSH, URG, or the two reserved
bits can be set in packets without affecting their function.  Portscan
detectors and IDS should take this into account by masking to the value
being tested.

Has anyone already researched how various IP stacks deal with these
"extra" flags in otherwise normal traffic - aside from my very limited
portscan tests?

On Wed, 23 Feb 2000, Max Vision wrote:
> You might want to strip R_URG as well, since per RFC 793 you can set the
> URG flag on packets with minimal effect to state.
...
> Max
>
> --
> Max Vision Network Security        <vision () whitehats com>
> Network Security Assessment         http://maxvision.net/
> 100% Success Rate : Penetration Testing & Risk Mitigation
> Free Visibility Analysis and Price Quote for Your Network