I don't think Ethereal will help here;
the TCP analysis engine does not look at TCP timestamps, but that
could be added if this is a common issue and if it would be helpful
when analyzing traces.
It would be possible to add checking, if present, of the TCP
timestamps to the current engine.
Can you send me a capture with such TCP segments with a timestamp that
would cause the TCP to ignore future packets, and I can add it to the
seq number analysis and mark the packets with
[TCP too old due to timestamp] or something like that.
On 8/6/05, J.Smith <lbalbalba@xxxxxxxxxxx> wrote:
>
>
> Hi.
>
>
> At our site, we have the impression that we might have been hit by the
> following issue :
>
> Multiple Vendor TCP Timestamp PAWS Remote Denial Of Service Vulnerability
> http://www.securityfocus.com/bid/13676
>
> In a nutshell, the issue manifests if an attacker transmits a sufficient
> TCP PAWS packet to a vulnerable computer. A large value is set by the
> attacker as the packet timestamp. When the target computer processes this
> packet, the internal timer is updated to the large attacker supplied value.
> This causes all other valid packets that are received subsequent to an
> attack to be dropped as they are deemed to be too old, or invalid. This
> type of attack will effectively deny service for a target connection.
>
> Fortunately, we have a tracefile of some of the traffic that hit our site
> at the time. I was wondering how easy it would be to 'prove' that we did
> indeed experience this issue with the use of Ethereal? For example, would
> Ethereal's TCP Analysis Flags be able to assist with detecting this
> behavior in a tracefile? Or any other of Ethereal's options?
>
>
> Thanks,
>
>
> John Smith.
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
>
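The reply above sketches a check that Ethereal's engine did not have at the time: track the last accepted TSval per flow and mark later segments whose timestamp is older under the RFC 1323 PAWS comparison. The following is an added, stand-alone example written for this page, not code from Ethereal or from either poster. It parses the TCP timestamp option out of raw TCP headers and applies the simplest "newest accepted TSval wins" rule the reply describes; the trace it runs on is constructed inline (a few legitimate segments, one injected segment carrying a TSval far in the future, then more legitimate segments) and the flow key, port numbers and the `[TCP too old due to timestamp]` label are assumptions for illustration.

```python
import struct

TOO_OLD = "[TCP too old due to timestamp]"   # label borrowed from the reply above
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8


def parse_timestamp_option(opts: bytes):
    """Walk the TCP option TLVs and return (TSval, TSecr), or None if absent.

    Stops on EOL, skips NOP, and bails out on a malformed length so a bad
    option block cannot make the loop run past the buffer.
    """
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            return None                       # truncated TLV
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None                       # malformed length
        if kind == TCPOPT_TIMESTAMP and length == 10:
            return struct.unpack("!II", opts[i + 2:i + 10])
        i += length
    return None


def parse_segment(seg: bytes) -> dict:
    """Parse a bare TCP header (no IP header) into the fields PAWS needs."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    doff = (off_flags >> 12) * 4
    if doff < 20 or doff > len(seg):
        raise ValueError("bad TCP data offset")
    return {"sport": sport, "dport": dport, "seq": seq,
            "ts": parse_timestamp_option(seg[20:doff])}


def build_segment(sport, dport, seq, tsval, tsecr=0, ack=0, flags=0x10) -> bytes:
    """Constructed test data: a 32-byte TCP header with NOP,NOP,Timestamp."""
    opts = bytes([TCPOPT_NOP, TCPOPT_NOP]) + struct.pack("!BBII", TCPOPT_TIMESTAMP, 10, tsval, tsecr)
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (8 << 12) | flags, 65535, 0, 0)
    return hdr + opts


def ts_older(a: int, b: int) -> bool:
    """True if TSval a precedes TSval b in RFC 1323 modulo-2^32 arithmetic."""
    return ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF


def paws_analyze(raw_segments) -> list:
    """Per-flow PAWS bookkeeping: a segment whose TSval is older than the last
    accepted one is marked TOO_OLD and does not update the flow's TS.Recent."""
    ts_recent = {}                            # (sport, dport) -> last accepted TSval
    verdicts = []
    for seg in raw_segments:
        p = parse_segment(seg)
        if p["ts"] is None:
            verdicts.append("no timestamp option")
            continue
        flow, tsval = (p["sport"], p["dport"]), p["ts"][0]
        recent = ts_recent.get(flow)
        if recent is not None and ts_older(tsval, recent):
            verdicts.append(TOO_OLD)
        else:
            ts_recent[flow] = tsval
            verdicts.append("ok")
    return verdicts


def demo() -> list:
    """Constructed trace (assumed ports 40000 -> 80): three legitimate segments,
    one injected segment whose TSval is 2^31-1 ahead, then two legitimate ones."""
    def legit(seq, ts):
        return build_segment(40000, 80, seq, ts)
    injected = build_segment(40000, 80, 5000000, 1020 + 0x7FFFFFFF)
    trace = [legit(1, 1000), legit(101, 1010), legit(201, 1020),
             injected, legit(301, 1030), legit(401, 1040)]
    return paws_analyze(trace)


if __name__ == "__main__":
    for n, v in enumerate(demo(), 1):
        print(n, v)
```

Running `demo()` accepts the injected segment (its TSval is still "newer" under the signed 32-bit comparison) and then marks every later legitimate segment as too old, which is exactly the symptom the original poster wants to find in the tracefile. Note the simplification: RFC 1323 only updates TS.Recent from segments that pass the sequence-number check, so a detector meant for real traces should also carry the per-flow window state before deciding that a stack would have taken the injected timestamp.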