Ethereal-dev: Re: [Ethereal-dev] Detecting TCP Timestamp PAWS DoS from tracefile

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Alok" <alokdube@xxxxxxxxxx>
Date: Sat, 6 Aug 2005 20:57:03 +0530
Resending attachment.
----- Original Message ----- 
From: "Alok" <alokdube@xxxxxxxxxx>
To: "Ethereal development" <ethereal-dev@xxxxxxxxxxxx>
Sent: Saturday, August 06, 2005 8:54 PM
Subject: Re: [Ethereal-dev] Detecting TCP Timestamp PAWS DoS from tracefile


> which RFC defines the time stamp :-(
> I use version 10.7 on my windoze PC, it shows all packets transmitted from
> my PC as checksum incorrect..
> the ones coming from the external site are all deemed as correct though...
> seems like happens whenever TCP has a payload
> any ideazz!!??
>
> attached is a simple trace see frame 6,16,
>
> Doesn't seem like an ethereal bug to me, as non payload packets and those
> coming from a UNIX machine seem fine..
>
>
> ----- Original Message ----- 
> From: "J.Smith" <lbalbalba@xxxxxxxxxxx>
> To: <ethereal-dev@xxxxxxxxxxxx>
> Sent: Saturday, August 06, 2005 3:56 PM
> Subject: [Ethereal-dev] Detecting TCP Timestamp PAWS DoS from tracefile
>
>
> >
> >
> > Hi.
> >
> >
> >  At our site, we have the impression that we might have been hit by the
> >  following issue:
> >
> >  Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service Vulnerability
> >  http://www.securityfocus.com/bid/13676
> >
> >  In a nutshell, the issue manifests if an attacker transmits a sufficient
> >  TCP PAWS packet to a vulnerable computer. A large value is set by the
> >  attacker as the packet timestamp. When the target computer processes this
> >  packet, the internal timer is updated to the large attacker-supplied
> >  value. This causes all other valid packets that are received subsequent
> >  to an attack to be dropped as they are deemed to be too old, or invalid.
> >  This type of attack will effectively deny service for a target connection.
> >
> >  Fortunately, we have a tracefile of some of the traffic that hit our site
> >  at the time. I was wondering how easy it would be to 'prove' that we did
> >  indeed experience this issue with the use of Ethereal? For example, would
> >  Ethereal's TCP Analysis Flags be able to assist with detecting this
> >  behavior in a tracefile? Or any other of Ethereal's options?
> >
> >
> >  Thanks,
> >
> >
> >  John Smith.
> >
> > _______________________________________________
> > Ethereal-dev mailing list
> > Ethereal-dev@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-dev
> >
>

Attachment: sample
Description: Binary data
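The mechanism John describes (one forged, far-future TSval making the receiver reject every later legitimate segment) modelled over constructed timestamp values, as an added example that is not code from the thread or from Ethereal; it assumes the per-frame TSval has already been read out of the trace, and the jump threshold is a made-up detector setting rather than anything from the RFC.

```python
# Added example, not code from the thread or from Ethereal. It replays the PAWS
# check (RFC 1323/7323: discard a segment whose TSval is older than ts_recent
# in 32-bit modular arithmetic) over constructed timestamp values, so a forged
# far-future TSval and the legitimate segments it gets dropped stand out.
# The jump threshold is an assumption for the detector, not part of the RFC.
MASK = 0xFFFFFFFF
HALF = 0x80000000

def older(a, b):
    """True if 32-bit timestamp a precedes b, modulo 2**32 (wraparound-safe)."""
    return ((a - b) & MASK) >= HALF

def replay_paws(segments, jump_threshold=1_000_000):
    """segments: (frame_no, sender, tsval) in capture order. Returns
    (frame_no, verdict, note) per segment as a PAWS receiver would decide it."""
    ts_recent = {}  # per sender here; a real receiver keys this per connection
    results = []
    for frame, sender, tsval in segments:
        recent = ts_recent.get(sender)
        if recent is None:
            ts_recent[sender] = tsval
            results.append((frame, "accept", "first TSval seen"))
        elif older(tsval, recent):
            # Receiver discards the segment (after ACKing); data never reaches the app.
            results.append((frame, "drop",
                            f"PAWS: TSval {tsval} older than ts_recent {recent}"))
        else:
            delta = (tsval - recent) & MASK
            note = f"suspicious: TSval jumped by {delta}" if delta > jump_threshold else "ok"
            ts_recent[sender] = tsval
            results.append((frame, "accept", note))
    return results

def suspected_paws_frames(results):
    """Frames with a suspicious TSval jump that were followed by PAWS drops."""
    drop_frames = [f for f, v, _ in results if v == "drop"]
    return [f for f, _, n in results
            if n.startswith("suspicious") and any(d > f for d in drop_frames)]

# Constructed sample: one peer's TSval ticks normally, then a forged value just
# under 2**31 ahead (still "newer" under modular comparison), after which the
# peer's genuine timestamps are rejected.
SAMPLE = [
    (1, "10.0.0.5", 1000),
    (2, "10.0.0.5", 1010),
    (3, "10.0.0.5", 1020),
    (4, "10.0.0.5", 2_000_001_020),  # forged TSval
    (5, "10.0.0.5", 1030),
    (6, "10.0.0.5", 1040),
]
```

Feeding the TSval that Ethereal decodes from each frame's Timestamps option into `replay_paws` in capture order answers the question in the thread: a flagged jump followed by a run of PAWS drops from the same peer is the signature to look for.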