[Snort-users] Reserved bits

Toby tmiller at ...1185...
Sat Jan 20 16:35:37 EST 2001


"Crist J. Clark" wrote:

> On Sat, Jan 20, 2001 at 03:10:29PM -0600, Toby wrote:
> > All,
> > I have seen a few e-mails in the past couple of days talking about the
> > reserved bits and ECN. I just want to clear up a few things and
> > hopefully this  e-mail will.
> > Remember, that as of right now ECN is being being seen in Linux Kernel
> > 2.4 not Internet wide. That being said lets look at how ECN makes a
> > connection(RFC 2884):
> >
> > 1. In the connection setup phase, the source and destination TCPs
> >    have to exchange information about their desire and/or capability to
> >    use ECN. This is done by setting both the ECN-Echo flag and the CWR
> >    flag in the SYN packet of the initial connection phase by the sender;
> >
> >    on receipt of this SYN packet, the receiver will set the ECN-Echo
> >    flag in the SYN-ACK response. Once this agreement has been reached,
> >    the sender will thereon set the ECT bit in the IP header of data
> >    packets for that flow, to indicate to the network that it is capable
> >    and willing to participate in ECN. The ECT bit is set on all packets
> >    other than pure ACK's.
> >
> > Understanding that will help all trying identying ECN. Also keep in mind
> > that basic IDS rules aply. If you have a packet where the reserved bit
> > set and the packet is going to a high destenation port. I would be
> > careful and look at the packets before and after that packet.. just to
> > be on the safe side.
> > Also, remember since ECN is now becoming widely accepted throughout the
> > internet that attackers will take advantage of this and send packets
> > with the reserve bits set and hope that people will automatically say
> > they are ECN.
>
> Also remember as ECN come into more use, the threat represented by the
> "reserved bits" also declines. Since more IP stack implmenters will
> need to worry about the reserved bits, there should be better behavior
> from various IP stacks when confronted with the high-bits set. The
> primary malicious uses of the bits, fingerprintint and stealth, should
> become less effective.
> --
> Crist J. Clark                           cjclark at ...485...

I agree totally.... but until that happens this is a great chance for a
attacker|script kiddie to get a "freebie"(if you know what I mean).  All we
can do now is to help everyone understand this standard and hopefully detect
anyone using the reserve bits the "old fashion way".

Toby





More information about the Snort-users mailing list