[Snort-devel] Evading Snort via splitting ACKs

David J. Bianco bianco at ...1589...
Mon Sep 23 13:16:04 EDT 2002

On Mon, 2002-09-23 at 14:46, Phil Wood wrote:
> I do believe that you can formulate a packet that looks like tcp with
> the exception of an ack bit, and has as much data you can cram in to
> it or multiple fragments, up to 65,635 octets.  Also, a rule that
> expects the ack bit will not be exercised under those conditions.
> However, a tcp implementation that doesn't drop the segment and silently
> return to await a properly formed tcp packet is a broken implementation.
> Or, I don't understand RFC 793 all that well.

I think you do understand RFC 793, but not all TCP implementors did.  My
informal testing has shown that Microsoft's TCP (at least in NT4, the
box I tested against) correctly failed to reply to my query.  But all
Linux boxes processed it just fine.  I haven't tried Sun or HP yet,
or newer versions of Windows.

I just rechecked RFC 793, and it confirms that the ACK flag isn't really
optional on an established connection, though I'd like to see what the
Stevens book has to say on the subject when I get home.


David J. Bianco, GSEC		<bianco at ...1589...>
Thomas Jefferson National Accelerator Facility
GPG Fingerprint:   516A B80D AAB3 1617 A340  227A 723B BFBE B395 33BA

     The views expressed herein are solely those of the author and
	    not those of SURA/Jefferson Lab or the US DOE.
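The evasion discussed in this thread (a data-carrying segment with the ACK bit clear, which a strict RFC 793 stack should drop but some stacks accept, and which a rule keyed on the ACK flag never sees) is easy to flag on the wire. The following Python check is an added example written from the detection side; it is not code from the thread, from Snort, or from any of the posters. It packs constructed sample segments in-process (no packets are sent), parses the fixed TCP header, and reports any segment that carries payload with ACK clear while not being a SYN or RST. Function names (`build_segment`, `parse_segment`, `ack_missing_with_data`, `audit`) and the sample port and sequence numbers are this example's own choices.

```python
import struct

# TCP flag bits (RFC 793 control bits, low byte of the flags field)
TCP_FLAG_FIN = 0x01
TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
TCP_FLAG_PSH = 0x08
TCP_FLAG_ACK = 0x10

# Fixed 20-byte TCP header: sport, dport, seq, ack, offset/reserved,
# flags, window, checksum, urgent pointer (network byte order).
TCP_HDR = "!HHIIBBHHH"


def build_segment(sport, dport, seq, ack, flags, payload=b""):
    """Pack a minimal TCP header (no options) followed by payload.
    Constructed test data only: the checksum is left at zero because
    these bytes never leave the process."""
    data_offset = 5 << 4  # 5 words = 20 bytes, no options
    header = struct.pack(TCP_HDR, sport, dport, seq, ack,
                         data_offset, flags, 65535, 0, 0)
    return header + payload


def parse_segment(raw):
    """Decode the fixed header and split off the payload; rejects
    segments that are too short or claim a bogus data offset."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urg = \
        struct.unpack(TCP_HDR, raw[:20])
    hlen = (off_res >> 4) * 4
    if hlen < 20 or hlen > len(raw):
        raise ValueError("bad data offset %d" % hlen)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "payload": raw[hlen:]}


def ack_missing_with_data(seg):
    """True when a segment carries payload but has ACK clear and is not
    a SYN or RST. On an established connection RFC 793 expects ACK to
    be set on every segment, so this is the shape of the evasion under
    discussion (SYN-with-data and RST are separate cases, not flagged here)."""
    flags = seg["flags"]
    if not seg["payload"]:
        return False
    if flags & TCP_FLAG_ACK:
        return False
    if flags & (TCP_FLAG_SYN | TCP_FLAG_RST):
        return False
    return True


def audit(segments):
    """Return the indices of segments that trip the ACK-missing check."""
    return [i for i, raw in enumerate(segments)
            if ack_missing_with_data(parse_segment(raw))]


# Constructed samples: a normal PSH/ACK request, the same request with ACK
# clear (the case a flags:A rule would miss), and a bare SYN.
REQUEST = b"GET / HTTP/1.0\r\n\r\n"
SAMPLE = [
    build_segment(40000, 80, 1000, 2000, TCP_FLAG_ACK | TCP_FLAG_PSH, REQUEST),
    build_segment(40000, 80, 1000, 0, TCP_FLAG_PSH, REQUEST),
    build_segment(40000, 80, 999, 0, TCP_FLAG_SYN),
]

if __name__ == "__main__":
    for i in audit(SAMPLE):
        seg = parse_segment(SAMPLE[i])
        print("segment %d: %d payload bytes with ACK clear (flags=0x%02x)"
              % (i, len(seg["payload"]), seg["flags"]))
```

Run over live traffic this check would sit beside, not replace, the content rules: its job is to surface the segments that a rule conditioned on the ACK flag silently skips, so that the decision about whether the destination stack accepted them can be made with the segment in hand rather than inferred from its absence in the alerts.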
