[Snort-users] Reserved bits

Crist J. Clark cjclark at ...960...
Sat Jan 20 15:28:52 EST 2001


On Sat, Jan 20, 2001 at 03:10:29PM -0600, Toby wrote:
> All,
> I have seen a few e-mails in the past couple of days talking about the
> reserved bits and ECN. I just want to clear up a few things and
> hopefully this e-mail will.
> Remember that, as of right now, ECN is being seen in the Linux kernel
> 2.4, not Internet-wide. That being said, let's look at how ECN makes a
> connection (RFC 2884):
> 
> 1. In the connection setup phase, the source and destination TCPs
>    have to exchange information about their desire and/or capability to
>    use ECN. This is done by setting both the ECN-Echo flag and the CWR
>    flag in the SYN packet of the initial connection phase by the sender;
> 
>    on receipt of this SYN packet, the receiver will set the ECN-Echo
>    flag in the SYN-ACK response. Once this agreement has been reached,
>    the sender will thereon set the ECT bit in the IP header of data
>    packets for that flow, to indicate to the network that it is capable
>    and willing to participate in ECN. The ECT bit is set on all packets
>    other than pure ACK's.
> 
> Understanding that will help all trying to identify ECN. Also keep in mind
> that basic IDS rules apply. If you have a packet where the reserved bit is
> set and the packet is going to a high destination port, I would be
> careful and look at the packets before and after that packet, just to
> be on the safe side.
> Also, remember that since ECN is now becoming widely accepted throughout the
> Internet, attackers will take advantage of this and send packets
> with the reserved bits set and hope that people will automatically say
> they are ECN.

Also remember that as ECN comes into more use, the threat represented by the
"reserved bits" also declines. Since more IP stack implementers will
need to worry about the reserved bits, there should be better behavior
from various IP stacks when confronted with the high bits set. The
primary malicious uses of the bits, fingerprinting and stealth, should
become less effective.
-- 
Crist J. Clark                           cjclark at ...485...
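The negotiation Toby quotes from RFC 2884 (SYN carrying ECN-Echo and CWR, SYN-ACK answering with ECN-Echo only, ECT set in the IP header afterwards) can be turned into a small classifier that tells a legitimate ECN handshake apart from packets that merely have high bits set. The following is an added example written for this page, not code from the thread or from Snort; the packet headers are constructed inline, the ECT bit position follows the RFC 2481 ToS layout, and the 1024 "high port" threshold is an assumed value for Toby's rule of thumb.

```python
import struct
from dataclasses import dataclass

# TCP control bits in byte 13 of the header: the RFC 793 flags plus the two
# ECN flags (ECE, CWR) that RFC 3168 carved out of the former reserved field.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# ECN bits in the IPv4 ToS octet as laid out in RFC 2481 (ECT = bit 6, CE = bit 7).
IP_ECT, IP_CE = 0x02, 0x01


@dataclass
class TcpSummary:
    src_port: int
    dst_port: int
    flags: int      # the eight control bits
    reserved: int   # the 4 bits RFC 3168 still leaves reserved (low nibble of byte 12)
    ip_ect: bool    # ECT set in the IP header; reported for the analyst, not used to classify


def parse_tcp(tcp_header: bytes, ip_tos: int = 0) -> TcpSummary:
    """Pull ports, flags and the reserved nibble out of a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    src, dst, _seq, _ack, off_res, flags = struct.unpack("!HHIIBB", tcp_header[:14])
    return TcpSummary(src, dst, flags, off_res & 0x0F, bool(ip_tos & IP_ECT))


def classify(p: TcpSummary) -> str:
    """Decide whether the high bits on this packet fit the ECN negotiation
    described in the thread, or whether they warrant a closer look."""
    if p.reserved:
        # ECN never touches these four bits; anything set here is not ECN.
        return "reserved-bits-set"
    ecn = p.flags & (ECE | CWR)
    if not ecn:
        return "no-ecn"
    if p.flags & SYN and not p.flags & ACK:
        # The sender's SYN must carry both ECN-Echo and CWR.
        return "ecn-setup-syn" if ecn == (ECE | CWR) else "malformed-ecn-syn"
    if p.flags & SYN and p.flags & ACK:
        # The receiver answers with ECN-Echo only.
        return "ecn-setup-synack" if ecn == ECE else "malformed-ecn-synack"
    # After setup, ECE echoes congestion back and CWR acknowledges it.
    return "ecn-data"


def needs_inspection(p: TcpSummary, high_port: int = 1024) -> bool:
    """Toby's rule of thumb: reserved bits on a packet bound for a high port
    deserve a look at the packets before and after it."""
    verdict = classify(p)
    suspicious = verdict in ("reserved-bits-set", "malformed-ecn-syn", "malformed-ecn-synack")
    return suspicious and p.dst_port >= high_port


def build_tcp(src: int, dst: int, flags: int, reserved: int = 0) -> bytes:
    """Constructed 20-byte TCP header (no options) for the samples below."""
    off_res = (5 << 4) | (reserved & 0x0F)
    return struct.pack("!HHIIBBHHH", src, dst, 0, 0, off_res, flags, 65535, 0, 0)


# Constructed samples (header bytes, IP ToS octet); not captured traffic.
SAMPLES = {
    "ecn_syn":    (build_tcp(40000, 80, SYN | ECE | CWR), IP_ECT),
    "ecn_synack": (build_tcp(80, 40000, SYN | ACK | ECE), 0),
    "ecn_data":   (build_tcp(40000, 80, ACK | PSH | CWR), IP_ECT),
    "reserved":   (build_tcp(40000, 31337, SYN, reserved=0x8), 0),
    "half_syn":   (build_tcp(40000, 8080, SYN | CWR), 0),
}


def run_samples() -> dict:
    """Classify every sample; used both by __main__ and by the checks."""
    return {name: classify(parse_tcp(hdr, tos)) for name, (hdr, tos) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        p = parse_tcp(*SAMPLES[name])
        print(f"{name:10s} -> {verdict:20s} ect={p.ip_ect} inspect={needs_inspection(p)}")
```

The distinction the code draws is the one the thread is circling: ECE and CWR are no longer reserved bits once ECN is in play, but the remaining reserved nibble still is, and a SYN or SYN-ACK whose ECN flags do not match the handshake pattern is not an ECN negotiation no matter what the sender hopes an IDS will assume.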