Thursday, July 22, 2010

IDS Evasion on Linux Off-by-one TCP Timestamps

A very good article explains potential IDS/IPS evasion against the Linux 2.4/2.6 kernel using off-by-one TCP timestamps.
In a nutshell, TCP timestamps can be carried as a TCP option that states the sending host's timestamp and echoes the most recent timestamp received from the other side of the connection. The timestamp is not wall-clock time: on most operating systems (OpenBSD being a notable exception) it is derived from the host's uptime since the last reboot.
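As an added example (not from this post or the article it refers to), a small Python parser that pulls the two 32-bit fields of the timestamp option out of a raw TCP header, which is the data an IDS has to look at when it decides whether to trust a packet's timestamps. The option layout (kind 8, length 10, TSval then TSecr) follows RFC 1323; the header bytes are constructed inline and the function names are my own.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP = 0, 1, 8

def parse_tcp_options(options: bytes) -> dict:
    """Walk the TCP options field and return {kind: value bytes}.
    Stops at EOL, skips NOP, and raises ValueError on a truncated or
    zero-length option so a malformed header is not silently accepted."""
    opts, i = {}, 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option kind %d has no length byte" % kind)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        opts[kind] = options[i + 2:i + length]
        i += length
    return opts

def tcp_timestamps(tcp_header: bytes):
    """Return (TSval, TSecr) from a raw TCP header, or None if absent."""
    data_offset = (tcp_header[12] >> 4) * 4  # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset %d" % data_offset)
    raw = parse_tcp_options(tcp_header[20:data_offset]).get(TCPOPT_TIMESTAMP)
    if raw is None:
        return None
    if len(raw) != 8:
        raise ValueError("timestamp option must carry two 32-bit values")
    return struct.unpack("!II", raw)

def build_tcp_header(options: bytes) -> bytes:
    """Constructed sample header (ports, seq/ack, ACK flag) with the given
    options, padded with EOL to a 32-bit boundary; data offset is computed."""
    options += b"\x00" * (-len(options) % 4)
    words = 5 + len(options) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, words << 4, 0x10, 65535, 0, 0)
    return fixed + options

# Constructed sample: NOP, NOP, then Timestamp(TSval=123456789, TSecr=987654321)
SAMPLE_HEADER = build_tcp_header(bytes([1, 1, 8, 10]) + struct.pack("!II", 123456789, 987654321))
```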