Security Incidents mailing list archives
[Snort-users] [bgallia () orion it luc edu: Castor's use of "ECN" shut-off] (fwd)
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Tue, 12 Sep 2000 12:23:39 -0700
This was news to me, so I figured other folks here might not know about it, and be interested.

Ryan

---------- Forwarded message ----------
Date: Tue, 12 Sep 2000 09:30:14 -0600
From: Phil Wood <cpw () lanl gov>
To: snort-users () lists sourceforge net
Cc: rwc () lanl gov
Subject: [Snort-users] [bgallia () orion it luc edu: Castor's use of "ECN" shut-off]

Folks, the included message explains why I was getting some alerts from portscan due to RESERVEDBITS set:

Sep 8 00:19:40 x.x.x.x:1760 -> y.y.y.y:80 SYN 21S***** RESERVEDBITS

I had read the source for tcpdump and found a reference to RFC 2481, which mentioned the reserved bits. But I didn't know it was in "production" use. So, should one ignore these, at least at the "email/paging" level?

Thanks,

-- Phil Wood, cpw () lanl gov
--- Begin Message ---
From: "B. Galliart" <bgallia () orion it luc edu>
Date: Mon, 11 Sep 2000 17:16:14 -0500 (CDT)
These are the results of my research into the unusual behavior of Castor:

Last week, as a work-around to problems with the Loyola network, we upgraded Castor (one of our mail servers) to Linux kernel version 2.4.0-test7. This kernel, by default, includes an implementation of ECN (Explicit Congestion Notification), also known as RFC 2481 [1]. ECN is also promoted by Cisco in their _Internet_Protocol_Journal_ as a method of improving TCP performance [2]. However, some IDS and firewall systems appear to expect strict adherence to RFC 793 [3], which states that the bits used for ECN "must be zero" (since they were reserved for future use). Among these products is Cisco's own PIX firewall, and while Cisco's IPJ promotes the support of ECN, there is nothing in the release notes for PIX IOS 5.1 or IOS 5.2 that indicates that Cisco itself is supporting ECN.

The maintainers of the Linux kernel seem to be aware of the problem, and discussion has already been underway on the kernel developers' mailing list [6]. In the meantime, support of ECN/RFC 2481 will remain turned off on Castor. Also, there is no reason at this time to believe that someone compromised the administrative access needed to forge their own non-standard TCP header from Castor.

Ben Galliart
Information Technologies
Loyola University Chicago

References:
[1] http://www.faqs.org/rfcs/rfc2481.html
[2] http://www.cisco.com/warp/public/759/ipj_3-2/ipj_3-2_tcp.html
[3] http://www.faqs.org/rfcs/rfc793.html
[4] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/pixrn512.htm
[5] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/pixrn521.htm#xtocid133580
[6] http://www.uwsg.indiana.edu/hypermail/linux/kernel/0009.1/index.html
--- End Message ---
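The thread asks whether RESERVEDBITS portscan alerts like the one quoted above should still page anyone. Below is an added triage example, not code from the thread or from Snort: it parses log lines in the shape Phil quoted (the sample lines and addresses are constructed), treats the flag string as a set of letters rather than relying on a column order, and keeps only reserved-bit patterns that RFC 2481's ECN negotiation does not explain at paging level. The class names and the PAGE_CLASSES policy are this example's own assumptions.

```python
import re

# Constructed sample lines in the shape of the portscan log quoted in the
# thread; the addresses are placeholders, not real hosts.
SAMPLE_LOG = """\
Sep 8 00:19:40 10.0.0.1:1760 -> 10.0.0.2:80 SYN 21S***** RESERVEDBITS
Sep 8 00:19:41 10.0.0.1:1761 -> 10.0.0.2:80 SYN ******S*
Sep 8 00:19:42 10.0.0.2:80 -> 10.0.0.1:1760 SYNACK *1**A*S* RESERVEDBITS
Sep 8 00:19:43 10.0.0.3:4444 -> 10.0.0.2:22 SYN 2*S***** RESERVEDBITS
Sep 8 00:19:44 10.0.0.4:1025 -> 10.0.0.2:25 NULL 21****** RESERVEDBITS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+) "
    r"(?P<name>\S+) (?P<flags>[12UAPRSF*]{8})(?P<extra>.*)$"
)

def parse_flags(flag_string):
    """Return the set of flags shown; '*' marks an unset flag. '1' and '2' are
    the two reserved bits that RFC 2481 reuses as the ECN flags."""
    return {c for c in flag_string if c != "*"}

def classify(flags):
    """Triage class per RFC 2481 section 6.1.1: an ECN-setup SYN sets both ECN
    bits, an ECN-setup SYN-ACK sets exactly one of them; anything else that
    touches the reserved bits is not explained by ECN negotiation."""
    reserved = flags & {"1", "2"}
    if not reserved:
        return "no-reserved-bits"
    if flags == {"1", "2", "S"}:
        return "ecn-setup-syn"          # what the thread's Castor host sent
    if flags - reserved == {"S", "A"} and len(reserved) == 1:
        return "ecn-setup-synack-like"
    return "reserved-bits-other"

# Assumed policy: only this class is worth an email/page; ECN cases stay in the log.
PAGE_CLASSES = {"reserved-bits-other"}

def triage(log_text):
    """Return (src, dst, class, page) for every line that parses."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue                    # not a portscan flag line; skip it
        cls = classify(parse_flags(m["flags"]))
        results.append((m["src"], m["dst"], cls, cls in PAGE_CLASSES))
    return results
```

A SYN-only packet with both reserved bits set (the quoted "21S*****") is the ECN-setup SYN that a 2.4.0-test kernel sends by default, whereas a single reserved bit on a bare SYN, or reserved bits with no SYN at all, still deserves a look.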