Ethereal-dev: [Ethereal-dev] Detecting TCP Timestamp PAWS DoS from tracefile

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "J.Smith" <lbalbalba@xxxxxxxxxxx>
Date: Sat, 6 Aug 2005 12:26:16 +0200


Hi.


At our site, we have the impression that we might have been hit by the
following issue:

Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service Vulnerability
http://www.securityfocus.com/bid/13676

In a nutshell, the issue manifests if an attacker transmits a sufficient TCP
PAWS packet to a vulnerable computer. A large value is set by the attacker
as the packet timestamp. When the target computer processes this packet, the
internal timer is updated to the large attacker-supplied value. This causes
all other valid packets that are received subsequent to an attack to be
dropped as they are deemed to be too old, or invalid. This type of attack
will effectively deny service for a target connection.

Fortunately, we have a tracefile of some of the traffic that hit our site at
the time. I was wondering how easy it would be to 'prove' that we did indeed
experience this issue with the use of Ethereal? For example, would
Ethereal's TCP Analysis Flags be able to assist with detecting this behavior
in a tracefile? Or any other of Ethereal's options?


Thanks,


John Smith.
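Added example (not from the post above, and not Ethereal code): a small Python check that applies the PAWS rule described in the advisory to per-connection TCP timestamp values from a trace, flagging a segment whose TSval jumps far ahead of the connection's previous value and counting the later segments a PAWS receiver would then discard as "too old". The record layout, the sample packets and the jump threshold are constructed assumptions; a real trace would be exported into that layout first.

```python
from collections import defaultdict

# Constructed sample records: (time_s, src, sport, dst, dport, tsval).
# Flow A carries a normal 1000/1100/1200 TSval progression, then one segment
# with a huge TSval, then two legitimate segments that are now "old".
SAMPLE = [
    (0.10, "10.0.0.5", 40000, "192.0.2.10", 80, 1000),
    (0.20, "10.0.0.5", 40000, "192.0.2.10", 80, 1100),
    (0.30, "10.0.0.5", 40000, "192.0.2.10", 80, 1200),
    (0.35, "10.0.0.5", 40000, "192.0.2.10", 80, 1_000_000_000),  # the jump
    (0.40, "10.0.0.5", 40000, "192.0.2.10", 80, 1300),  # dropped by PAWS
    (0.50, "10.0.0.5", 40000, "192.0.2.10", 80, 1400),  # dropped by PAWS
    (0.10, "10.0.0.7", 40001, "192.0.2.10", 80, 5000),  # unrelated flow B
    (0.60, "10.0.0.7", 40001, "192.0.2.10", 80, 5050),
]

# Assumed threshold: a forward jump larger than this on one flow is
# suspicious (legitimate TSval clocks advance by small steps per segment).
JUMP_THRESHOLD = 1 << 28


def signed32(delta):
    """Interpret a 32-bit TSval difference as PAWS does (signed, wrapping)."""
    delta &= 0xFFFFFFFF
    return delta - (1 << 32) if delta & 0x80000000 else delta


def analyze(records, threshold=JUMP_THRESHOLD):
    """Return (jumps, stale): jumps is a list of (time, flow, prev, tsval)
    for abnormal forward TSval jumps; stale maps a flow to the number of
    later segments a PAWS receiver would discard as older than ts_recent."""
    ts_recent = {}  # per flow: the highest TSval accepted so far
    jumps, stale = [], defaultdict(int)
    for t, src, sport, dst, dport, tsval in records:
        key = (src, sport, dst, dport)
        prev = ts_recent.get(key)
        if prev is None:
            ts_recent[key] = tsval
            continue
        delta = signed32(tsval - prev)
        if delta < 0:
            stale[key] += 1  # "too old": this is the denial of service
            continue
        if delta > threshold:
            jumps.append((t, key, prev, tsval))
        ts_recent[key] = tsval
    return jumps, dict(stale)


if __name__ == "__main__":
    for t, key, prev, tsval in analyze(SAMPLE)[0]:
        print(f"t={t}: flow {key} TSval jumped {prev} -> {tsval}")
```

A flow that shows one large jump followed by a run of stale segments matches the symptom the advisory describes, whereas a flow with only a jump and no stale segments is more likely a timestamp clock restart on the peer.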