is there a way to easily verify that at least all timestamps are somewhat
'consecutive'? And if the timestamp value was set to a large value by the
attacker, then it will likely be larger than the timestamp values in
subsequent incoming segments.
Would 'Mate' be able to assist in easily filtering based on these kinds of
criteria? I checked the manual pages for Mate and it seems at least
somewhat plausible at first glance, but I couldn't figure it out ...
If someone would be able to assist with that, then that would be greatly
appreciated.
Thanks,
John Smith.
----- Original Message -----
From: "J.Smith" <lbalbalba@xxxxxxxxxxx>
To: "Ethereal development" <ethereal-dev@xxxxxxxxxxxx>
Sent: Sunday, August 07, 2005 11:05 AM
Subject: Re: [Ethereal-dev] Detecting TCP Timestamp PAWS DoS from tracefile
Thanks for all the responses. However, I still don't see my original
question answered in here, as the topic seems to have gone a little
off-topic.
;)
If I understand the issue I originally mentioned correctly, then the
attacker injects a forged packet into the stream that has a TCP timestamp
that lies somewhere into the future, causing all subsequent packets to be
dropped because they are deemed to be too old or invalid, effectively
'stalling' the connection.
So are there any Ethereal options that might be able to assist in
detecting this from a tracefile, without having to check the timestamps
from all individual packets manually? For example, is there a way to
easily verify that at least all timestamps are somewhat 'consecutive'?
And if the timestamp value was set to a large value by the attacker, then
it will likely be larger than the timestamp values in subsequent incoming
segments - would it be easy to detect this with Ethereal?
Thanks,
John Smith.