Ethereal-dev: Re: [Ethereal-dev] Detecting TCP Timestamp PAWS DoS from tracefile
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
Thanks for all the responses. However, I still don't see my original question
answered here, as the topic seems to have gone a little off-topic.
;)
If I understand the issue I originally mentioned correctly, then the
attacker injects a forged packet into the stream that has a TCP timestamp
that lies somewhere into the future, causing all subsequent packets to be
dropped because they are deemed to be too old or invalid, effectively
'stalling' the connection.
So are there any Ethereal options that might be able to assist in detecting
this from a tracefile, without having to check the timestamps of all
individual packets manually? For example, is there a way to easily verify
that at least all timestamps are somewhat 'consecutive'? And if the
timestamp value was set to a large value by the attacker, then it will
likely be larger than the timestamp values in subsequent incoming segments -
would it be easy to detect this with Ethereal?
Thanks,
John Smith.
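The check the post asks for, written out as an added example (this is not code from the original thread, nor from Ethereal/Wireshark). It does not parse a capture file; it works on a constructed list of per-segment records (capture time, 4-tuple, TSval) of the kind one would export from a trace. Per flow direction it tracks the highest TSval seen, using the same signed modulo-2^32 comparison that RFC 1323 PAWS uses, and flags two things: a segment whose TSval is behind that high-water mark (a PAWS receiver would discard it, which is the 'stall'), and a segment whose TSval jumps further ahead than any plausible timestamp clock could have ticked in the elapsed capture time (the likely injected packet). The clock-rate bound `max_hz`, the `slack` allowance and the sample flow are assumptions chosen for the example. Modern tshark can export the needed fields with `-T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.options.timestamp.tsval`; those are current Wireshark field names, not necessarily the ones the Ethereal release of the time used.

```python
"""Detect PAWS-style TCP timestamp poisoning from per-segment trace records.

Added example; not part of the original mailing-list post and not Ethereal code.
Input records are constructed inline below rather than read from a pcap.
"""
from dataclasses import dataclass

MOD = 1 << 32  # TSval is a 32-bit counter; PAWS compares values modulo 2^32


@dataclass(frozen=True)
class Segment:
    t: float      # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    tsval: int    # TCP Timestamps option, TSval field


def ts_diff(a: int, b: int) -> int:
    """Signed difference a - b modulo 2^32, as RFC 1323 orders timestamps.

    A negative result means `a` is 'older' than `b` and would fail PAWS.
    """
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def detect_paws_anomalies(segments, max_hz: int = 1000, slack: int = 1000):
    """Return [(index, reason)] for segments that look poisoned or stalled.

    max_hz: fastest timestamp clock assumed (RFC 1323 suggests 1 ms .. 1 s ticks,
            so 1000 ticks/s is an upper bound; an assumption of this example).
    slack:  extra ticks tolerated on top of elapsed_time * max_hz.
    """
    # (src, sport, dst, dport) -> (highest tsval seen, its capture time, its index)
    state = {}
    findings = []
    for i, s in enumerate(segments):
        key = (s.src, s.sport, s.dst, s.dport)
        if key not in state:
            state[key] = (s.tsval, s.t, i)
            continue
        last, tlast, ilast = state[key]
        d = ts_diff(s.tsval, last)
        if d < 0:
            # Behind the high-water mark: a PAWS receiver discards this segment.
            findings.append((i, f"tsval {s.tsval} is behind tsval {last} of segment "
                                f"{ilast}; a PAWS receiver would discard it"))
            continue  # keep the mark; the stalled sender keeps failing until it catches up
        allowed = int((s.t - tlast) * max_hz) + slack
        if d > allowed:
            # Advanced far beyond what any sane timestamp clock could tick: injected?
            findings.append((i, f"tsval advanced {d} ticks in {s.t - tlast:.3f}s "
                                f"(max plausible {allowed}); possible injected future timestamp"))
        state[key] = (s.tsval, s.t, i)
    return findings


# Constructed sample flow: 10.0.0.1:40000 <-> 10.0.0.2:80. The client ticks its
# timestamp clock at 100 Hz; segment 4 is the forged packet with a TSval far in
# the future; segments 5 and 7 are the client's real follow-ups that now fail PAWS.
SAMPLE = [
    Segment(0.00, "10.0.0.1", "10.0.0.2", 40000, 80, 100),
    Segment(0.00, "10.0.0.2", "10.0.0.1", 80, 40000, 5000),
    Segment(0.10, "10.0.0.1", "10.0.0.2", 40000, 80, 110),
    Segment(0.20, "10.0.0.1", "10.0.0.2", 40000, 80, 120),
    Segment(0.25, "10.0.0.1", "10.0.0.2", 40000, 80, 1_000_000_000),  # forged
    Segment(0.30, "10.0.0.1", "10.0.0.2", 40000, 80, 130),
    Segment(0.30, "10.0.0.2", "10.0.0.1", 80, 40000, 5030),
    Segment(0.40, "10.0.0.1", "10.0.0.2", 40000, 80, 140),
]


def flagged_indices(segments=SAMPLE):
    """Convenience wrapper: just the indices of suspicious segments."""
    return [i for i, _ in detect_paws_anomalies(segments)]


if __name__ == "__main__":
    for idx, why in detect_paws_anomalies(SAMPLE):
        s = SAMPLE[idx]
        print(f"#{idx} t={s.t:.2f} {s.src}:{s.sport} -> {s.dst}:{s.dport}: {why}")
```

The forged value has to stay less than 2^31 ahead of the victim's real timestamps; anything further is itself 'older' under modulo comparison and is the kind of value `ts_diff` reports as behind rather than ahead, so the detector covers both the injected segment and the legitimate segments it invalidates.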