[Snort-devel] Evading Snort via splitting ACKs
David J. Bianco
bianco at ...1589...
Mon Sep 23 13:16:04 EDT 2002
On Mon, 2002-09-23 at 14:46, Phil Wood wrote:
> I do believe that you can formulate a packet that looks like tcp with
> the exception of an ack bit, and has as much data as you can cram into
> it or multiple fragments, up to 65,635 octets. Also, a rule that
> expects the ack bit will not be exercised under those conditions.
> However, a tcp implementation that doesn't drop the segment and silently
> return to await a properly formed tcp packet is a broken implementation.
> Or, I don't understand RFC 793 all that well.
I think you do understand RFC 793, but not all TCP implementors did. My
informal testing has shown that Microsoft's TCP (at least in NT4, the
box I tested against) correctly failed to reply to my query. But all
Linux boxes processed it just fine. I haven't tried Sun or HP yet,
or newer versions of Windows.
I just rechecked RFC 793, and it confirms that the ACK flag isn't really
optional on an established connection, though I'd like to see what the
Stevens book has to say on the subject when I get home.
David J. Bianco, GSEC <bianco at ...1589...>
Thomas Jefferson National Accelerator Facility
GPG Fingerprint: 516A B80D AAB3 1617 A340 227A 723B BFBE B395 33BA
The views expressed herein are solely those of the author and
not those of SURA/Jefferson Lab or the US DOE.
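As an added example, not part of this thread: a small Python checker that tracks flows which completed a handshake and reports data-bearing segments arriving with the ACK bit cleared, which are exactly the segments a rule written to require the ACK bit never examines. The header builder, the sample flow, the addresses and the payload are all constructed here for illustration.

```python
import struct
from collections import namedtuple

# TCP control bits (RFC 793), low byte of the data-offset/flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
Finding = namedtuple("Finding", "src sport dst dport payload")

def build_tcp(sport, dport, seq, ack, flags, payload=b""):
    """Minimal 20-byte TCP header (no options, checksum left zero) plus payload."""
    off_flags = (5 << 12) | flags  # data offset = 5 words, then the flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0) + payload

def parse_tcp(raw):
    """Return (sport, dport, flags, payload) from a raw TCP segment."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    hlen = (off_flags >> 12) * 4
    return sport, dport, off_flags & 0x01FF, raw[hlen:]

def rule_expects_ack(flags):
    """Match condition of a rule that requires the ACK bit to be set."""
    return bool(flags & ACK)

def find_ackless_data(packets):
    """packets: iterable of (src_ip, dst_ip, raw_tcp). Flows that showed a SYN followed
    by a SYN/ACK count as established; report their data segments that carry no ACK."""
    syn_seen, established, findings = set(), set(), []
    for src, dst, raw in packets:
        sport, dport, flags, payload = parse_tcp(raw)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            syn_seen.add(fwd)
        elif flags & SYN and flags & ACK and rev in syn_seen:
            established.update((fwd, rev))
        elif payload and fwd in established and not flags & ACK:
            findings.append(Finding(src, sport, dst, dport, payload))
    return findings

# Constructed sample flow: 3-way handshake, a normal PSH/ACK data segment, then the
# same data sent again with the ACK bit cleared (the case discussed in the thread).
C, S = "10.0.0.5", "10.0.0.80"
REQ = b"GET /index.html HTTP/1.0\r\n\r\n"
SAMPLE = [
    (C, S, build_tcp(40000, 80, 1000, 0, SYN)),
    (S, C, build_tcp(80, 40000, 5000, 1001, SYN | ACK)),
    (C, S, build_tcp(40000, 80, 1001, 5001, ACK)),
    (C, S, build_tcp(40000, 80, 1001, 5001, PSH | ACK, REQ)),  # ACK-requiring rule fires
    (C, S, build_tcp(40000, 80, 1001, 5001, PSH, REQ)),        # ACK-requiring rule misses
]
if __name__ == "__main__":
    for f in find_ackless_data(SAMPLE):
        print(f"ACK-less data segment {f.src}:{f.sport} -> {f.dst}:{f.dport}: {f.payload!r}")
```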