Ronnie,
Thank you for taking the time and effort to respond to my question(s).
> but that could be added if this is a common issue
It appears to be an issue that is common for multiple vendors/platforms.
> and if it would be helpful when analyzing traces.
Well I can't speak for others, but it would certainly be helpful to me.
> It would be possible to add checking, if present, of the tcp
> timestamps to the current engine.
> I can add it to the seq number analysis and mark the packets with
> [TCP too old due to timestamp] or something like that.
If something like that would be possible, then that would be really
appreciated. If I understand the issue correctly, then any relevant checks
would have to verify that the timestamps used within a given tcp session are
somewhat 'consecutive'? Or, if the timestamp value was set to a large value
by the attacker, then it will likely be larger than the timestamp values in
any subsequent incoming segments?
> can you send me a capture with such tcp segments with a timestamp that
Unfortunately, I am afraid that I cannot assist in that manner in this case.
Our security policy will not allow us to submit the actual tracefile
(anonymized or not). However, a proof of concept exploit appears to be
publicly available at securityfocus, so you should be able to reproduce the
issue for yourself.
http://www.securityfocus.com/bid/13676/exploit
Sincerely,
John Smith.
----- Original Message -----
From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
To: "Ethereal development" <ethereal-dev@xxxxxxxxxxxx>
Sent: Monday, August 08, 2005 1:23 AM
Subject: [Ethereal-dev] Re: Detecting TCP Timestamp PAWS DoS from tracefile
I don't think ethereal will help here,
the tcp analysis engine does not look at tcp timestamps but that
could be added if this is a common issue and if it would be helpful
when analyzing traces.
It would be possible to add checking, if present, of the tcp
timestamps to the current engine.
can you send me a capture with such tcp segments with a timestamp that
would cause the tcp to ignore future packets and I can add it to the
seq number analysis and mark the packets with
[TCP too old due to timestamp] or something like that.
On 8/6/05, J.Smith <lbalbalba@xxxxxxxxxxx> wrote:
Hi.
At our site, we have the impression that we might have been hit by the
following issue :
Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service Vulnerability
http://www.securityfocus.com/bid/13676
In a nutshell, the issue manifests if an attacker transmits a sufficient TCP
PAWS packet to a vulnerable computer. A large value is set by the attacker
as the packet timestamp. When the target computer processes this packet, the
internal timer is updated to the large attacker supplied value. This causes
all other valid packets that are received subsequent to an attack to be
dropped as they are deemed to be too old, or invalid. This type of attack
will effectively deny service for a target connection.
Fortunately, we have a tracefile of some of the traffic that hit our site at
the time. I was wondering how easy it would be to 'prove' that we did indeed
experience this issue with the use of Ethereal? For example, would
Ethereal's TCP Analysis Flags be able to assist with detecting this behavior
in a tracefile? Or any other of Ethereal's options?
Thanks,
John Smith.
_______________________________________________
Ethereal-dev mailing list
Ethereal-dev@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-dev
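The check the thread converges on (per-direction timestamp monotonicity, with a "[TCP too old due to timestamp]" mark on segments a PAWS receiver would drop) can be sketched as a small trace analyzer. The code below is an added example for this thread; it is not Ethereal's TCP analysis engine and not code from either correspondent. The names `Segment`, `analyze`, `ts_diff` and `MAX_PLAUSIBLE_JUMP` are my own, the jump threshold is an assumed heuristic rather than anything the RFCs or the thread specify, and the segment list is constructed sample data standing in for a real capture. It compares TSval values modulo 2^32 the way RFC 1323 PAWS does, so a legitimate wraparound is not flagged, while valid segments that arrive after an oversized timestamp are marked too old.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not Ethereal code and not from the mailing-list thread:
# a PAWS-style check (RFC 1323 / RFC 7323 timestamp comparison) run per
# flow direction over a list of TCP segments, marking the segments a
# receiver would discard as "too old" and, as an assumed heuristic, the
# segment whose timestamp jumped implausibly far.

@dataclass(frozen=True)
class Segment:
    no: int                # frame number in the (constructed) capture
    src: str
    dst: str
    sport: int
    dport: int
    tsval: Optional[int]   # TCP timestamp option value, None if absent

FlowKey = Tuple[str, int, str, int]

# Assumed threshold: at a 1 kHz timestamp clock this is about 4.6 hours of
# ticks between consecutive segments of one direction, far beyond any RTT.
MAX_PLAUSIBLE_JUMP = 1 << 24

TOO_OLD = "TCP too old due to timestamp"
JUMP = "TCP timestamp jump (possible injected segment)"


def ts_diff(a: int, b: int) -> int:
    """Signed 32-bit difference a - b; PAWS compares TSval modulo 2^32,
    so a value just past a wraparound still counts as newer."""
    d = (a - b) & 0xFFFFFFFF
    return d - (1 << 32) if d & 0x80000000 else d


def analyze(segments: List[Segment]) -> Dict[int, List[str]]:
    """Return frame number -> analysis flags for segments in capture order."""
    ts_recent: Dict[FlowKey, int] = {}   # last accepted TSval per direction
    flags: Dict[int, List[str]] = {}
    for s in segments:
        if s.tsval is None:
            continue                     # no timestamp option, nothing to check
        key = (s.src, s.sport, s.dst, s.dport)
        prev = ts_recent.get(key)
        if prev is None:
            ts_recent[key] = s.tsval
            continue
        d = ts_diff(s.tsval, prev)
        if d < 0:
            # A PAWS receiver would drop this: TSval is older than the last
            # accepted one on this direction. Do not advance ts_recent.
            flags.setdefault(s.no, []).append(TOO_OLD)
        else:
            if d > MAX_PLAUSIBLE_JUMP:
                flags.setdefault(s.no, []).append(JUMP)
            ts_recent[key] = s.tsval     # receiver updates its stored value
    return flags


# Constructed sample capture: client 10.0.0.2 -> server 10.0.0.1.
# Frame 4 is a spoofed client segment carrying a huge TSval (still less than
# 2^31 ahead, so PAWS accepts it); frames 6 and 7 are the client's genuine
# follow-up segments, which the server now treats as too old.
SAMPLE: List[Segment] = [
    Segment(1, "10.0.0.2", "10.0.0.1", 40000, 80, 1000),
    Segment(2, "10.0.0.1", "10.0.0.2", 80, 40000, 500),
    Segment(3, "10.0.0.2", "10.0.0.1", 40000, 80, 1010),
    Segment(4, "10.0.0.2", "10.0.0.1", 40000, 80, 2_000_000_000),
    Segment(5, "10.0.0.1", "10.0.0.2", 80, 40000, 510),
    Segment(6, "10.0.0.2", "10.0.0.1", 40000, 80, 1020),
    Segment(7, "10.0.0.2", "10.0.0.1", 40000, 80, 1030),
]

if __name__ == "__main__":
    for no, fl in sorted(analyze(SAMPLE).items()):
        print(f"frame {no}: " + "; ".join(f"[{f}]" for f in fl))
```

Only the "too old" mark is a faithful model of receiver behaviour; the jump flag is a triage aid, since on a real trace the injected segment is the one worth pulling out, and a wraparound of the 32-bit clock will not trip either flag.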