[Snort-users] Detecting TCP Timestamp PAWS DoS from tracefile

J.Smith lbalbalba at ...125...
Sun Aug 7 03:44:35 EDT 2005


At our site, we have the impression that we might have been hit by the 
following issue:

Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service Vulnerability

TCP does not adequately validate segments before updating timestamp value

In a nutshell, the issue manifests if an attacker transmits a sufficient TCP 
PAWS packet to a vulnerable computer. A large value is set by the attacker 
as the TCP packet timestamp. When the target computer processes this packet, 
the internal timer is updated to the large attacker-supplied value. This 
causes all other valid packets that are received subsequent to an attack to 
be dropped, as they are deemed to be too old or invalid. This effectively 
'stalls' the connection, which will deny service for a target connection.

Fortunately, we have a tracefile of some of the traffic that hit our site at 
the time. I was wondering how easy it would be to 'prove' that we did indeed 
experience this issue with the use of snort? I did a quick scan of the 
snort ruleset database, but it appears that detection of this issue is not 
included in the snort database yet?


John Smith.
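One way to check a tracefile for the symptom described above (a TCP timestamp option value that suddenly jumps far ahead of the previous one on the same flow) is to parse the TSval option from each segment and flag implausible jumps. This is an added example, not code from the poster or from the Snort project; the jump threshold, the flow key and the sample segments are all constructed assumptions for illustration.

```python
import struct

# Assumed heuristic: a TSval jump this large within one flow is implausible for
# a legitimate sender (TSval ticks are typically milliseconds). Tune per site.
TS_JUMP_THRESHOLD = 2 ** 30


def tcp_timestamp(tcp_segment: bytes):
    """Return (TSval, TSecr) from a raw TCP segment's options, or None."""
    if len(tcp_segment) < 20:
        return None
    data_offset = (tcp_segment[12] >> 4) * 4          # header length in bytes
    opts = tcp_segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # End of option list
            break
        if kind == 1:                                  # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:      # malformed option
            break
        length = opts[i + 1]
        if kind == 8 and length == 10:                 # Timestamp option
            return struct.unpack("!II", opts[i + 2:i + 10])
        i += length
    return None


def find_paws_jumps(segments):
    """segments: iterable of (src, dst, raw_tcp_bytes).
    Returns [(index, (src, dst), previous_tsval, new_tsval)] for suspicious jumps."""
    last_tsval = {}
    alerts = []
    for idx, (src, dst, seg) in enumerate(segments):
        ts = tcp_timestamp(seg)
        if ts is None:
            continue
        flow, tsval = (src, dst), ts[0]
        prev = last_tsval.get(flow)
        # Modulo 2**32 so wrap-around of a healthy counter is not flagged.
        if prev is not None and (tsval - prev) % 2 ** 32 > TS_JUMP_THRESHOLD:
            alerts.append((idx, flow, prev, tsval))
        last_tsval[flow] = tsval
    return alerts


def build_segment(tsval, tsecr):
    """Constructed minimal TCP header (no payload) carrying NOP NOP TS options."""
    opts = b"\x01\x01" + struct.pack("!BBII", 8, 10, tsval, tsecr)
    hdr_len = 20 + len(opts)
    fixed = struct.pack("!HHIIBBHHH", 12345, 80, 1, 1, (hdr_len // 4) << 4, 0x10, 65535, 0, 0)
    return fixed + opts


SAMPLE_TRACE = [  # constructed: a normal stream, then one segment with a huge TSval
    ("10.0.0.5", "10.0.0.1", build_segment(1000, 500)),
    ("10.0.0.5", "10.0.0.1", build_segment(1010, 500)),
    ("10.0.0.5", "10.0.0.1", build_segment(0xFFFF0000, 500)),
    ("10.0.0.5", "10.0.0.1", build_segment(1020, 500)),
]
```

Running `find_paws_jumps(SAMPLE_TRACE)` reports only the third segment; a real tracefile would be fed in as the raw TCP bytes of each packet keyed by its endpoints.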
