Xmas Tree and TCP Header Flags

The Xmas Tree attack is so named because all the flag bits are set ("lit up") in the TCP header. The idea is to cause the recipient host to respond, thus causing a DoS. Recall the TCP flag bits SYN, RST, ACK, URG, and others from

... when they do, it's an indication of a crafted packet.

Xmas Tree attacks are quite uncommon. However, it's important to consider the TCP flags when examining packets. Invalid combinations of these flags are almost always an indication of a crafted packet (though in a few instances they could also indicate broken or misconfigured software). The goal of the crafted packet might be anything from reconnaissance to an active attack, such as an attempt to get through a firewall.

The following capture sets the TCP flags SYN, FIN, RST, and PSH, a combination that should never appear in a legitimate packet. It was created with the hping2 command:

hping2 -SFRP 192.168.1.2

There are three packets in this capture. Notice that the source port increments with each packet and that the destination port is 0. The TCP flags are also shown, SFRP in this case. Seeing this in the wild should cause the intrusion analyst to immediately begin investigating the packets according to the security policy.

13:20:03.989780 IP (tos 0x0, ttl 64, id 2270, offset 0, flags [none], length: 40) 192.168.1.10.2687 > 192.168.1.2.0: SFRP [tcp sum ok] 925164686:925164686(0) win 512
13:20:04.989734 IP (tos 0x0, ttl 64, id 9285, offset 0, flags [none], length: 40) 192.168.1.10.2688 > 192.168.1.2.0: SFRP [tcp sum ok] 1113258177:1113258177(0) win 512
13:20:05.989731 IP (tos 0x0, ttl 64, id 26951, offset 0, flags [none], length: 40) 192.168.1.10.2689 > 192.168.1.2.0: SFRP [tcp sum ok] 2097818687:2097818687(0) win 512
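As an added example (not from the book or from hping2/tcpdump themselves), the flag checks an analyst would apply to such a capture, run over tcpdump lines in the notation shown above: it decodes the flag letters into the header byte, tests the combinations that no legitimate segment carries (SYN+FIN, SYN+RST, FIN/PSH/URG without ACK, null, FIN+PSH+URG), and flags destination port 0. The sample capture is constructed: the three SFRP lines mirror the one above, and the SYN and FPU lines are invented for contrast.

```python
import re

# Bit positions in the TCP flags byte (RFC 793, plus the ECN bits ECE/CWR from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
# tcpdump's one-letter flag notation; a bare '.' stands for ACK.
TCPDUMP_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, ".": ACK, "U": URG, "E": ECE, "W": CWR}
# Matches the "src.sport > dst.dport: FLAGS" part of a tcpdump line in the format used above.
LINE_RE = re.compile(r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRPUEW.]+) ")

# Constructed sample capture: the three SFRP packets from the text, a normal SYN to port 80,
# and an nmap-style FIN+PSH+URG probe (the last two lines are invented for contrast).
SAMPLE_LOG = """\
13:20:03.989780 IP (tos 0x0, ttl 64, id 2270, offset 0, flags [none], length: 40) 192.168.1.10.2687 > 192.168.1.2.0: SFRP [tcp sum ok] 925164686:925164686(0) win 512
13:20:04.989734 IP (tos 0x0, ttl 64, id 9285, offset 0, flags [none], length: 40) 192.168.1.10.2688 > 192.168.1.2.0: SFRP [tcp sum ok] 1113258177:1113258177(0) win 512
13:20:05.989731 IP (tos 0x0, ttl 64, id 26951, offset 0, flags [none], length: 40) 192.168.1.10.2689 > 192.168.1.2.0: SFRP [tcp sum ok] 2097818687:2097818687(0) win 512
13:20:07.100000 IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], length: 60) 192.168.1.10.40000 > 192.168.1.2.80: S [tcp sum ok] 1:1(0) win 29200
13:20:07.300000 IP (tos 0x0, ttl 64, id 102, offset 0, flags [none], length: 40) 192.168.1.10.40001 > 192.168.1.2.80: FPU [tcp sum ok] 1:1(0) win 1024
"""

def decode_flags(letters):
    """Turn tcpdump flag letters such as 'SFRP' or 'S.' into the header flags byte."""
    return sum(TCPDUMP_LETTERS[c] for c in letters)

def check_flags(bits, dport=None):
    """Return the reasons a flags byte (plus optional destination port) looks crafted; [] if plausible."""
    reasons = []
    if not bits & (FIN | SYN | RST | PSH | ACK | URG):
        reasons.append("null: no flags set")
    if bits & SYN and bits & FIN:
        reasons.append("SYN+FIN: opens and closes in one segment")
    if bits & SYN and bits & RST:
        reasons.append("SYN+RST: opens and aborts in one segment")
    if bits & (FIN | PSH | URG) and not bits & (SYN | ACK | RST):
        reasons.append("FIN/PSH/URG without ACK: every post-handshake segment carries ACK")
    if (bits & (FIN | PSH | URG)) == (FIN | PSH | URG):
        reasons.append("Xmas: FIN+PSH+URG lit together")
    if dport == 0:
        reasons.append("destination port 0 is not a usable service port")
    return reasons

def scan_capture(text):
    """Run check_flags over each tcpdump line; return (line_no, flags, dport, reasons) for suspicious ones."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.search(line)
        if m:
            reasons = check_flags(decode_flags(m["flags"]), int(m["dport"]))
            if reasons:
                hits.append((n, m["flags"], int(m["dport"]), reasons))
    return hits
```

Running scan_capture(SAMPLE_LOG) reports the three SFRP packets with three reasons each (SYN+FIN, SYN+RST, port 0) and the FPU probe with two, while the plain SYN passes.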
