The Christmas Tree attack is a real-world method of determining the underlying nature of a TCP/IP stack and is often used in the reconnoitre phase of hacking naughtiness, but it can also be used in DoS attacks.
I expect that most of you security professionals out there have heard of it and have had experience of hardening systems against it. But, for those who haven’t, a bit of background.
Within the header of a TCP packet, there are a series of flags that can be set to tell the receiving system how to process it and the following packets. The term “Christmas tree” comes from thinking of each flag as a different-coloured light bulb – hence, with all flags set, the packet lights up like a Christmas tree! A bit tenuous but . . . the imagery works.
As part of the TCP standard, if a closed destination port receives a packet without a ReSeT flag set in it, it will return a RST packet in response. If the port is open, any segment without a SYN, RST or ACK will be dropped and therefore no response is sent.
OK – that’s all very cool and deeply uninteresting (read: technical) but what does that have to do with Christmas trees? Well, by sending a packet with (say) URGent, PuSH and FINish flags set (half the bulbs lit), closed ports will send a RST back and open ones will remain silent. So, something can be remotely determined about the system that may be useful in furthering infiltration of the target.
The key point about Christmas tree packets is that they can pass unhindered through some non-stateful firewalls and packet-filtering routers. In addition, these packets are less likely to be detected than even a simple SYN scan.
Because Christmas tree packets are crafted in a non-standard way, things like routers and end hosts don’t “understand” them, and because of the large amount of processing required to handle them, they can be brought to a standstill – in other words, an effective DoS attack.
To be fair, most modern IDS/IPS and Next Generation Firewalls will detect and mitigate Christmas tree packets, but there are a lot of ageing and poorly patched systems out there that will not.
With the Christmas wind-down approaching and change freezes coming in, now might be a good time to run some NMAP scans on your network, for example – it’s the -sX switch for a Christmas tree scan if you run it from the command line – just to be sure there are no loopholes.
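As an added example (not part of the original post, and not nmap’s own code) of the detection side of this, here is a small pure-Python check that decodes raw TCP headers, labels the flag combinations a normal handshake never produces (URG+PSH+FIN, all six flags, NULL, SYN+FIN), and raises an alert when one source address hits several ports with them. The sample traffic, source addresses and the `min_ports` threshold are constructed for the example.

```python
import struct
from collections import defaultdict

# TCP flag bits in the low byte of the 16-bit data-offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG                     # "half the bulbs lit": nmap -sX
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG
HDR = "!HHIIHHHH"                          # fixed 20-byte TCP header layout

def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Pack a minimal TCP header (data offset 5 words, checksum left zero)."""
    off_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack(HDR, sport, dport, seq, ack, off_flags, window, 0, 0)

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed part of a TCP header into its fields."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window}

def classify_flags(flags: int) -> str:
    """Label flag combinations that no legitimate TCP exchange produces."""
    f = flags & 0x3F                       # ignore ECE/CWR/NS for this check
    if f == ALL_SIX:
        return "xmas-all"                  # every bulb lit
    if f == XMAS:
        return "xmas"                      # URG + PSH + FIN
    if f == 0:
        return "null"
    if f & SYN and f & FIN:
        return "syn-fin"
    return "normal"

def detect_xmas_scan(packets, min_ports=3):
    """packets: iterable of (src_ip, tcp_segment). Returns {src_ip: [dports]}
    for sources that probed at least min_ports distinct ports with bad flags."""
    hits = defaultdict(set)
    for src_ip, seg in packets:
        h = parse_tcp_header(seg)
        if classify_flags(h["flags"]) != "normal":
            hits[src_ip].add(h["dport"])
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= min_ports}

# Constructed sample traffic: one ordinary SYN, a three-port Xmas probe from
# 198.51.100.7, and a single all-flags segment from 203.0.113.9 (below threshold).
SAMPLES = [("192.0.2.1", build_tcp_header(40000, 80, SYN))] + \
          [("198.51.100.7", build_tcp_header(40001, p, XMAS)) for p in (22, 25, 443)] + \
          [("203.0.113.9", build_tcp_header(40002, 8080, ALL_SIX))]
```

In a real deployment the source address comes from the enclosing IP header and the threshold should be tuned per network; a stateful firewall would simply drop these segments because they belong to no established connection and are not a SYN.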
Merry Christmas and Happy Networking!