[Snort-users] [bgallia at ...442...: Castor's use of "ECN" shut-off]

Martin Roesch roesch at ...421...
Tue Sep 12 22:10:08 EDT 2000


Wow, that's interesting.  Looks like we may need to implement some sort of
switch in Snort down the road to allow for this behavior....

    -Marty


Phil Wood wrote:
> 
> Folks, the included message explains why I was getting some alerts from
> portscan due to RESERVEDBITS set:
> 
> Sep 8 00:19:40 x.x.x.x:1760 -> y.y.y.y:80 SYN 21S***** RESERVEDBITS
> 
> I had read the source for tcpdump and found reference to RFC2481 which
> mentioned the reserved bits.  But, I didn't know it was in "production" use.
> 
> So, should one ignore these, at least at the "email/paging" level?
> 
> Thanks,
> 
> --
> Phil Wood, cpw at ...440...
> 
>   ------------------------------------------------------------------------------
> 
> Subject: Castor's use of "ECN" shut-off
> Date: Mon, 11 Sep 2000 17:16:14 -0500 (CDT)
> From: "B. Galliart" <bgallia at ...442...>
> To: "Hammerle, Tye F." <Tye.F.Hammerle at ...443...>
> CC: Phil Wood <cpw at ...440...>, bmontes at ...444...,
>      Richard Riehle <rriehle at ...442...>
> 
> These are the results of my research into the unusual behavior of Castor:
> 
> Last week, as a work-around to problems with the Loyola network, we
> upgraded Castor (one of our mail servers) to Linux kernel version
> 2.4.0-test7.  This kernel, by default, includes an implementation of ECN
> (Explicit Congestion Notification), also known as RFC 2481 [1].  ECN is
> also promoted by Cisco in their _Internet_Protocol_Journal_ as a method of
> improving TCP performance [2].  However, some IDS and firewall systems
> appear to expect strict adherence to RFC 793 [3], which states that the bits
> used for ECN "must be zero" (since they were reserved for future
> use).  Among these products is Cisco's own PIX firewall, and while
> Cisco's IPJ promotes the support of ECN, there is nothing in the release notes
> for PIX IOS 5.1 or IOS 5.2 that indicates that Cisco itself is supporting
> ECN.  The maintainers of the Linux kernel seem to be aware of the problem
> and discussion has already been underway on the kernel developer's mailing
> list [6].  In the meantime, support of ECN/RFC 2481 will remain turned
> off on Castor.  Also, there is no reason at this time to believe that
> someone compromised the administrative access needed to forge their own
> non-standard TCP header from Castor.
> 
> Ben Galliart
> Information Technologies
> Loyola University Chicago
> 
> References:
> [1] http://www.faqs.org/rfcs/rfc2481.html
> [2] http://www.cisco.com/warp/public/759/ipj_3-2/ipj_3-2_tcp.html
> [3] http://www.faqs.org/rfcs/rfc793.html
> [4] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v51/pixrn512.htm
> [5] http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/pixrn521.htm#xtocid133580
> [6] http://www.uwsg.indiana.edu/hypermail/linux/kernel/0009.1/index.html

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
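The RESERVEDBITS alert in the thread comes from a SYN carrying the two RFC 793 reserved bits that RFC 2481 redefines as CWR and ECE, which is exactly what an ECN-setup SYN looks like. The Python below is an added example, not Snort's code: it decodes the TCP flags octet and separates ECN negotiation from reserved-bit usage that ECN does not explain, so an analyst can decide which alerts deserve the "email/paging" level; the sample headers are constructed inline.

```python
"""Tell RFC 2481 ECN negotiation apart from other TCP reserved-bit usage.

RFC 793 reserves six bits between the data offset and URG. RFC 2481 takes
the two adjacent to URG as CWR (0x80) and ECE (0x40) in the flags octet
(header byte 13); the other four reserved bits live in the low nibble of
byte 12 and have no ECN meaning. Added example, not Snort code.
"""
import struct
from typing import Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80  # RFC 2481 names for two RFC 793 "reserved" bits


def parse_tcp_flags(header: bytes) -> Tuple[int, int]:
    """Return (flags octet, the four non-ECN reserved bits from byte 12)."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    off_res, flags = header[12], header[13]
    return flags, off_res & 0x0F


def classify(header: bytes) -> str:
    """Label a segment by how its reserved bits relate to RFC 2481 ECN."""
    flags, other_res = parse_tcp_flags(header)
    ecn_bits = flags & (CWR | ECE)
    if other_res:
        return "reserved-bits-anomaly"   # bits ECN never defines
    if not ecn_bits:
        return "rfc793-clean"
    if flags & SYN and not flags & ACK and ecn_bits == (CWR | ECE):
        return "ecn-setup-syn"           # RFC 2481 6.1.1: client offers ECN
    if flags & SYN and flags & ACK and ecn_bits == ECE:
        return "ecn-setup-syn-ack"       # RFC 2481 6.1.1: server accepts ECN
    if not flags & SYN:
        return "ecn-data-segment"        # CWR/ECE are legitimate mid-flow
    return "reserved-bits-anomaly"       # e.g. SYN with CWR alone


def build_header(flags: int, reserved_nibble: int = 0) -> bytes:
    """Constructed 20-byte TCP header (ports taken from the quoted alert)."""
    sport, dport, seq, ack = 1760, 80, 1000, 0
    off_res = (5 << 4) | (reserved_nibble & 0x0F)  # data offset 5 words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       off_res, flags, 65535, 0, 0)


if __name__ == "__main__":
    for name, hdr in [("ECN SYN", build_header(SYN | CWR | ECE)),
                      ("plain SYN", build_header(SYN)),
                      ("odd SYN", build_header(SYN, reserved_nibble=0x1))]:
        print(f"{name:10s} flags=0x{parse_tcp_flags(hdr)[0]:02x} -> {classify(hdr)}")
```

An ECN-capable Linux 2.4 host opening a connection produces the "ecn-setup-syn" case, which is what Castor was sending; the "reserved-bits-anomaly" cases are the ones that still merit attention once ECN traffic is expected.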
