Bugtraq mailing list archives
Re: unused bit attack alert
From: vision () WHITEHATS COM (Max Vision)
Date: Thu, 24 Feb 2000 04:28:46 -0800
This is true of PSH as well. I had actually meant to respond regarding the PSH flag (SYN+PSH scans are perfectly workable), but had looked at URG first when writing my response and somehow accidentally omitted mention of PSH. (Thanks Patrick for reminding me of what I said a few months ago about PSH.)

I inadvertently ended up repeating what Vern Paxson had posted just days earlier with regard to adding legitimate flags to traffic:

http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=200002212236.OAA01744 () daffy ee lbl gov

To summarize, it looks like in most cases PSH, URG, or the two reserved bits can be set in packets without affecting their function. Portscan detectors and IDS should take this into account by masking to the value being tested.

Has anyone already researched how various IP stacks deal with these "extra" flags in otherwise normal traffic - aside from my very limited portscan tests?

On Wed, 23 Feb 2000, Max Vision wrote:
You might want to strip R_URG as well, since per RFC 793 you can set the URG flag on packets with minimal effect to state.
...
Max

--
Max Vision Network Security <vision () whitehats com>
Network Security Assessment http://maxvision.net/
100% Success Rate : Penetration Testing & Risk Mitigation
Free Visibility Analysis and Price Quote for Your Network
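The masking advice in the message above, as an added example that is not part of the original post: a detector that compares the whole TCP flags byte to SYN misses SYN packets carrying PSH, URG or the reserved bits, while one that masks to the state-relevant bits first still matches them. The function names, the RES1/RES2 labels and the sample headers are constructed for illustration.

```python
import struct

# TCP flag bits, byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
RES = 0xC0  # the two reserved bits (later assigned to ECN as ECE/CWR, RFC 3168)
STATE_MASK = FIN | SYN | RST | ACK  # the bits a SYN-scan test actually cares about

def tcp_flags(header: bytes) -> int:
    """Return the flags byte of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]

def syn_exact(flags: int) -> bool:
    """Naive rule: the flags byte must equal SYN exactly."""
    return flags == SYN

def syn_masked(flags: int) -> bool:
    """Masked rule: drop PSH, URG and reserved bits, then compare."""
    return (flags & STATE_MASK) == SYN

def extras(flags: int) -> list:
    """Name the bits that the masked rule ignored (RES1/RES2 are our labels)."""
    names = ((PSH, "PSH"), (URG, "URG"), (0x40, "RES1"), (0x80, "RES2"))
    return [name for bit, name in names if flags & bit]

def make_header(flags: int) -> bytes:
    """Constructed sample: 20-byte TCP header with arbitrary ports and seq."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed flag combinations: plain SYN, SYN with each extra bit, SYN with
# all of them, then two non-probe packets (SYN+ACK reply, ACK+PSH data).
SAMPLES = [SYN, SYN | PSH, SYN | URG, SYN | 0x40, SYN | 0x80,
           SYN | PSH | URG | RES, SYN | ACK, ACK | PSH]

def compare(samples=SAMPLES):
    """Return (flags, exact_hit, masked_hit, ignored_bits) per sample header."""
    rows = []
    for f in samples:
        flags = tcp_flags(make_header(f))
        rows.append((flags, syn_exact(flags), syn_masked(flags), extras(flags)))
    return rows

if __name__ == "__main__":
    for flags, exact, masked, extra in compare():
        print(f"0x{flags:02x} exact={exact} masked={masked} ignored={extra}")
```

On current networks a SYN with both former reserved bits set is a normal ECN-setup SYN, so the masked rule should record those bits rather than alert on them by themselves.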