<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Window-Scaling on Inliniac</title>
    <link>https://inliniac.net/blog/tag/window-scaling/</link>
    <description>Recent content in Window-Scaling on Inliniac</description>
    <generator>Hugo</generator>
    <language>en</language>
    <lastBuildDate>Sat, 17 Nov 2007 13:55:38 +0000</lastBuildDate>
    <atom:link href="https://inliniac.net/blog/tag/window-scaling/feed.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>New Snort_inline TCP window normalization code in SVN</title>
      <link>https://inliniac.net/blog/2007/11/17/new-snort_inline-tcp-window-normalization-code-in-svn/</link>
      <pubDate>Sat, 17 Nov 2007 13:55:38 +0000</pubDate>
      <guid>https://inliniac.net/blog/2007/11/17/new-snort_inline-tcp-window-normalization-code-in-svn/</guid>
      <description>&lt;p&gt;A while ago I &lt;a href=&#34;http://www.inliniac.net/blog/2007/09/04/window-scaling-normalization-in-snort_inline-broken-by-design.html&#34;&gt;wrote&lt;/a&gt; about why the TCP window scaling normalization in Snort_inline was broken by design. I also wrote about a new solution I was working on and testing that would be uploaded to SVN soon. I just committed the patch to SVN. What it does is add two new options to stream4:&lt;/p&gt;&#xA;&lt;blockquote&gt;&#xA;&lt;p&gt;&lt;strong&gt;norm_window&lt;/strong&gt;: normalize the TCP window (disabled by default). This is to protect Snort_inline from being forced to queue too many packets.&#xA;&lt;strong&gt;max_win_size&lt;/strong&gt;: maximum size of the scaled TCP window. Packets increasing the window beyond the limit are modified.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Window scaling normalization in Snort_inline broken by design</title>
      <link>https://inliniac.net/blog/2007/09/04/window-scaling-normalization-in-snort_inline-broken-by-design/</link>
      <pubDate>Tue, 04 Sep 2007 15:51:25 +0000</pubDate>
      <guid>https://inliniac.net/blog/2007/09/04/window-scaling-normalization-in-snort_inline-broken-by-design/</guid>
      <description>&lt;p&gt;After debugging some connection problems I found that the wscale normalization concept is flawed. I&amp;rsquo;ll describe here what is wrong with it and then move on to suggest a different solution I&amp;rsquo;m currently testing. The problem I was seeing is that some connections to some webservers stalled without an apparent reason.&lt;/p&gt;&#xA;&lt;p&gt;First a quick reminder of why I originally came up with the wscale normalization. Stream4 originally doesn&amp;rsquo;t look at the window scaling value when determining the TCP window. This causes it to be wrong about the TCP window in about every connection, which is one of the reasons out of window packets are not dropped (this is actually a gaping evasion hole since these packets are not used in stream reassembly). This is why I decided to add window scaling support to the stream4inline extension. This works great and allows the admin to drop out of window packets. There is a problem associated with it though. The maximal window that is possible with wscaling is 1GB. This would mean that Snort_inline would in the worst case have to queue almost 1GB of data in its buffers for a single stream. To prevent this being used by an attacker to attack Snort_inline, I wanted to give the admin the option to set a maximal wscale size.&lt;/p&gt;</description>
    </item>
    <item>
      <title>TCP Window scaling in Snort_inline</title>
      <link>https://inliniac.net/blog/2007/06/16/tcp-window-scaling-in-snort_inline/</link>
      <pubDate>Fri, 15 Jun 2007 22:04:57 +0000</pubDate>
      <guid>https://inliniac.net/blog/2007/06/16/tcp-window-scaling-in-snort_inline/</guid>
      <description>&lt;p&gt;The TCP window field in the TCP header is only 16 bits, so the maximum window size it can handle is only 64kb. A long time ago this was enough, but nowadays it isn&amp;rsquo;t, by far. Luckily, this is something the window scaling option fixes. Window scaling is very common these days. Your PC or laptop probably uses it by default. Snort&amp;rsquo;s stream4 however, does not support it. This means that when tracking and reassembling streams, Snort for most connections has no idea about what data is in window and which is out of window. To make matters worse, the packets that are in window when using wscaling, but appear out of window when the wscaling is not accounted for, are never used in the reassembly process. This makes Snort evadable.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
