[Snort-users] Detecting TCP Timestamp PAWS DoS from tracefile
lbalbalba at ...125...
Sun Aug 7 03:44:35 EDT 2005
At our site, we have the impression that we might have been hit by the
following issue :
Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service Vulnerability
TCP does not adequately validate segments before updating timestamp value
In a nutshell, the issue manifests if an attacker transmits a sufficient TCP
PAWS packet to a vulnerable computer. A large value is set by the attacker
as the tcp packet timestamp. When the target computer processes this packet,
the internal timer is updated to the large attacker supplied value. This
causes all other valid packets that are received subsequent to an attack to
be dropped as they are deemed to be too old, or invalid. This effectively
'stalls' the connection, which will deny service for a target connection.
Fortunately, we have a tracefile of some of the traffic that hit our site at
the time. I was wondering how easy it would be to 'proof' that we did indeed
experience this issue with the use of snort ? I did a quick scan of the
snort ruleset database, but it appears that detection of this issue is not
included in the snort database yet ?
More information about the Snort-users