Re: unused bit attack alert

Jochen Bauer Tue, 22 Feb 2000 18:23:59 -0800
On Mon, Feb 21, 2000 at 07:43:54AM -0800, LigerTeam wrote:
[...]
> In fact, TCP header is 6 kinds  of
> tcp  flag (SYN, ACK,  PSH, RST, FIN,  URG).
> 
> problem is the flag value in TCP header
> approaches to 1byte variable of u_char type.
> ex)see tcp.h file
> 
> The flag value Each  one correspond to 1 bit,
> but it have unused 2 bit.
> 
> |unused|unused|URG|ACK|PSH|RST|SYN|FIN|
> 
> Understanding of the very problem is simple.
> Let's compare the two codes.
> ex)SYN Scan detecter program several code type
> 
>  i) if ( flag == TH_SYN )
> 
>  ii) if ( flag & TH_SYN )
> 
> (TH_SYN->SYN flag)
> 
> The i) code is true, only  when the syn
> flag bit  is set at 1.
> 
> So  the flag value is 0x2,
> and |0|0|0|0|0|0|1|0| in bit.
> 
>  The next ii) code is true, only
>  when SYN flag bit, the TH_SYN value
>  in flags, is set at 1, and the other
>  bit state is not influential.
> 
>  Eventually, we can easily know a very
>  important thing.
> 
> If hackers use the two higher bit(unused bit)
> one or all, to set at  1,
> ii) code type has false value,
> but i) code type last true value.
> and hackers avoid scan detecter
[...] 
> Conclusion:
> 
> When the flags variable in tcp header is adjusted
> totally with given value,
> higher two bit(unused bit) must be cleared
> and set at 0.
[...]

This is a known issue; it's in the category of "invalid TCP flags 
scanning". In fact, the two unused bits in the TCP flags byte can 
be used for TCP fingerprinting as the response to such TCP packets 
is not specified in RFC 793 and therefore depends on the TCP/IP 
implementation being used. In addition to TCP fingerprinting, TCP 
packets with certain invalid (i.e. not covered by RFC 793) flag
combinations not including the SYN flag can be used to determine 
which ports are open on the target machine.

This leads one to the conclusion that focussing on TCP packets with 
the SYN flag set is completely insufficient for scan detection. Any 
decent scan detector must, among other things, pay explicit 
attention to those 2 unused bits in the TCP flags byte anyway.

--
Jochen Bauer

Security Team (RUS-CERT)                                              
Computer Center of the University of Stuttgart                        
Germany
                                                               
************************************************************************ 
*Email: [EMAIL PROTECTED]                              *
*       [EMAIL PROTECTED]                              *
*                                                                      *
*PGP Public Key:                                                       *
*http://ca.uni-stuttgart.de:11371/pks/lookup?op=index&search=0xB5D92889*
************************************************************************
PGP signature
Re: unused bit attack alert

Reply via email to
