FW: [Snort-users] RE: Castor's use of "ECN" shut-off

Novak, Judy H. Judy.Novak at ...383...
Fri Sep 15 14:34:56 EDT 2000

-----Original Message-----
From: Novak, Judy H. 
Sent: Friday, September 15, 2000 2:18 PM
To: 'cider at ...242...'
Subject: RE: [Snort-users] RE: Castor's use of "ECN" shut-off

I think we're all getting confused with the way that the RFC does bit
designation.  I usually would say that bit 0 is the low-order bit and that
bit 7 is the high-order bit much as you have interpreted.  However, if you
look at the reference material (section 19) that is included at the end of
the RFC the bits are numbered as 0 is the high-order bit and 7 as the
low-order.  Hence, that is why I believe that the ECN related bits were the
0x02 and 0x01 bits.

-----Original Message-----
From: cider at ...242... [mailto:cider at ...242...]
Sent: Friday, September 15, 2000 1:58 PM
To: Novak, Judy H.
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] RE: Castor's use of "ECN" shut-off

On Fri, Sep 15, 2000 at 08:49:09AM -0400, Novak, Judy H. wrote:
] As far as the false positives for the 2 high-order TCP reserved bits due to
] Explicit Congestion Notification (ECN) - looking at RFC 2481, it appears
] some validation can be done to determine if this is really ECN traffic and
] not "stealth" scanning.  In order for ECN to work, the ECN-Capable
] (ECT) bit has to be set by the sender to indicate that the endpoints are
] capable.  This bit is found in the TOS byte (0x02 bit - previously
] cost bit).  So, when a TCP reserved bit is set, this IP bit should also be
] set in order for this to be a valid ECN indication.
] Also, a couple of other conditions must exist too for this to be ECN.  The
] only time that both TCP reserved bits would be set is on the initial SYN.
] This indicates that the transport layer is ECN-capable.  After the
] handshake, the 0x40 bit should be set alone to alert the sender that
] congestion was detected, and the 0x80 bit should be set alone to inform the
] receiver that the congestion window was reduced in response to the
] congestion notification.  So, these are additional conditions that could be
] used to determine if the reserved bits are set because of ECN or "stealth"
] scanning.  
] Judy Novak
] Johns Hopkins University Applied Physics Lab

i think you may have incorrectly interpreted RFC-2481.  it states:

	Bits 6 and 7 in the IPv4 TOS octet are designated as the
	ECN field.  Bit 6 is designated as the ECT bit, and bit 7 is
	designated as the CE bit.

both of these bits are unused bits in current TOS implementations for
IPv4.  TOS is defined as an 8-bit field; only the first five bits have
any significance; bit 0 must be zero, bits 1-5 are used to indicate one
of the four valid TOS values, and bits 6 and 7 are undefined (except by
RFC-2481, for ECN purposes).  the correct values for these bits are 0x40
and 0x80, not 0x02.

<cider at ...242...>
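An added example (not from the thread or from Snort) that encodes the validation Judy proposes, using the numeric masks that follow from the RFC's bit numbering (TOS ECT = 0x02, CE = 0x01; TCP ECE = 0x40, CWR = 0x80 in the flags byte); the packet bytes are constructed inline. One caveat is folded in: RFC 3168 does not set ECT on SYN or SYN-ACK segments, so the "ECT must accompany the reserved bits" test is applied only to non-handshake segments.

```python
import struct

# Numeric masks. RFC 2481 numbers TOS bits with 0 as the high-order bit,
# so its "bits 6 and 7" are the two low-order bits of the octet.
TOS_ECT = 0x02  # ECN-Capable Transport
TOS_CE = 0x01   # Congestion Experienced
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_ECE = 0x40  # former "reserved" bit: ECN-Echo
TCP_CWR = 0x80  # former "reserved" bit: Congestion Window Reduced


def parse_ipv4_tcp(pkt: bytes):
    """Return (tos, tcp_flags) from a raw IPv4+TCP header (no link layer)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    return pkt[1], pkt[ihl + 13]  # TOS octet; TCP flags byte (CWR..FIN)


def classify_ecn(tos: int, flags: int) -> str:
    """Thread heuristic: do the TCP 'reserved' bits look like real ECN use?"""
    ecn_bits = flags & (TCP_ECE | TCP_CWR)
    if not ecn_bits:
        return "no-ecn-bits"
    if flags & TCP_SYN and not flags & TCP_ACK:
        # Initial SYN: the only segment that carries both bits together.
        return "ecn-setup-syn" if ecn_bits == (TCP_ECE | TCP_CWR) else "suspicious"
    if flags & TCP_SYN and flags & TCP_ACK:
        return "ecn-setup-synack" if ecn_bits == TCP_ECE else "suspicious"
    # Post-handshake: one bit at a time, and the IP layer must announce ECT.
    if ecn_bits == (TCP_ECE | TCP_CWR) or not tos & TOS_ECT:
        return "suspicious"
    return "ecn-echo" if ecn_bits == TCP_ECE else "ecn-cwr"


def build_packet(tos: int, flags: int) -> bytes:
    """Constructed test input: minimal 20-byte IPv4 header + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for tos, flags in [(0x00, TCP_SYN | TCP_ECE | TCP_CWR),  # ECN-setup SYN
                       (0x02, TCP_ACK | TCP_ECE),            # genuine ECN-Echo
                       (0x00, TCP_ACK | TCP_ECE)]:           # no ECT: scan-like
        print(hex(tos), hex(flags), classify_ecn(*parse_ipv4_tcp(build_packet(tos, flags))))
```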