[Snort-users] Reserved bits

Toby tmiller at ...1185...
Sat Jan 20 16:10:29 EST 2001

I have seen a few e-mails in the past couple of days talking about the
reserved bits and ECN. I just want to clear up a few things and
hopefully this e-mail will.
Remember that as of right now ECN is being seen in Linux Kernel
2.4, not Internet wide. That being said, let's look at how ECN makes a
connection (RFC 2884):

1. In the connection setup phase, the source and destination TCPs
   have to exchange information about their desire and/or capability to
   use ECN. This is done by setting both the ECN-Echo flag and the CWR
   flag in the SYN packet of the initial connection phase by the sender;

   on receipt of this SYN packet, the receiver will set the ECN-Echo
   flag in the SYN-ACK response. Once this agreement has been reached,
   the sender will thereon set the ECT bit in the IP header of data
   packets for that flow, to indicate to the network that it is capable
   and willing to participate in ECN. The ECT bit is set on all packets
   other than pure ACK's.

Understanding that will help all trying to identify ECN. Also keep in mind
that basic IDS rules apply. If you have a packet where the reserved bit is
set and the packet is going to a high destination port, I would be
careful and look at the packets before and after that packet, just to
be on the safe side.
Also, remember that since ECN is now becoming widely accepted throughout the
Internet, attackers will take advantage of this and send packets
with the reserved bits set and hope that people will automatically say
they are ECN.
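As an added example (not from the original post), here is a small Python check that applies the negotiation steps quoted above to raw IPv4/TCP packets: ECE+CWR on a SYN and ECE alone on the SYN-ACK are labelled as the handshake, reserved bits inside an already negotiated flow are treated as normal ECN traffic, and reserved bits with no handshake behind them are flagged for the manual look the post recommends. The `build` helper, the flow-state flag `negotiated` and the 1024 high-port threshold are assumptions made for the example.

```python
import struct

# TCP flag bits; bits 6 and 7 were "reserved" before ECN named them ECE and CWR.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
ECT_MASK = 0x02  # ECT bit in the IPv4 TOS octet (bit 6) as used by the ECN of that era


def parse_ipv4_tcp(pkt: bytes):
    """Return (tos, dst_port, tcp_flags) from a raw IPv4+TCP packet (no link layer)."""
    ihl = (pkt[0] & 0x0F) * 4
    tos = pkt[1]
    _src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]
    return tos, dst_port, flags


def classify(pkt: bytes, negotiated: bool, high_port: int = 1024) -> str:
    """Label how a packet uses the ECE/CWR ("reserved") bits.

    negotiated: whether this flow already completed the ECN handshake; the
    caller tracks that from the SYN / SYN-ACK it saw earlier (assumed state).
    """
    tos, dport, flags = parse_ipv4_tcp(pkt)
    reserved = flags & (ECE | CWR)
    if not reserved:
        return "no-reserved-bits"
    syn, ack = bool(flags & SYN), bool(flags & ACK)
    if syn and not ack and reserved == (ECE | CWR):
        return "ecn-setup-syn"          # step 1: sender sets both ECE and CWR
    if syn and ack and reserved == ECE:
        return "ecn-setup-synack"       # step 2: receiver answers with ECE only
    if negotiated and not syn:
        # Inside an agreed flow ECE/CWR are normal; data packets should carry
        # ECT in the IP header (pure ACKs legitimately may not).
        return "ecn-data" if tos & ECT_MASK else "ecn-data-no-ect"
    # Reserved bits with no handshake behind them are not ECN as negotiated
    # above; a high destination port is the case the post says to inspect by hand.
    return "review-high-port" if dport >= high_port else "unexpected-reserved-bits"


def build(tos: int, dport: int, flags: int) -> bytes:
    """Constructed minimal IPv4+TCP packet for testing (unused fields zeroed)."""
    ip = bytes([0x45, tos]) + bytes(18)
    tcp = struct.pack("!HHIIBB", 40000, dport, 0, 0, 5 << 4, flags) + bytes(6)
    return ip + tcp
```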


