Christmas tree packet
In information technology, a Christmas tree packet is a packet with every single option set for whatever protocol is in use. The term derives from a fanciful image of each little option bit in a header being represented by a different-colored light bulb, all turned on, as in, "the packet was lit up like a Christmas tree." It can also be known as a kamikaze packet, nastygram or a lamp test segment.
Christmas tree packets can be used as a method of divining the underlying nature of a TCP/IP stack by sending the packets and awaiting and analyzing the responses. When used as part of scanning a system, the TCP header of a Christmas tree packet has the flags SYN, FIN, URG and PSH set. Many operating systems implement their compliance with the Internet Protocol standard (RFC 791) in varying or incomplete ways. By observing how a host responds to an odd packet, such as a Christmas tree packet, assumptions can be made regarding the host's operating system. Versions of Microsoft Windows, BSD/OS, HP-UX, Cisco IOS, MVS, and IRIX display behaviors that differ from the RFC standard when queried with said packets.
Some stateless firewalls only check against security policy those packets which have the SYN flag set (that is, packets that initiate connection according to the standards). Since Christmas tree scan packets do not have the SYN flag turned on, they can pass through these simple systems and reach the target host.
A large number of Christmas tree packets can also be used to conduct a DoS attack by exploiting the fact that Christmas tree packets require much more processing by routers and end-hosts than the 'usual' packets do.
Christmas tree packets can be easily detected by intrusion-detection systems or more advanced firewalls. From a network security point of view, Christmas tree packets are always suspicious and indicate a high probability of network reconnaissance activities.
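The flag test such a detector applies can be sketched as follows. This is an added example, not part of the original article: it parses raw IPv4/TCP headers, flags segments with FIN, PSH and URG all lit (with or without SYN), and groups hits by source to surface port sweeps. The function names, the `min_ports` threshold and the sample packets (documentation-range addresses) are constructed for illustration.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # lit in both variants the text mentions (with or without SYN)

def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, dport, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IP header length varies when IP options are present
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 14:
        return None
    # Non-first fragments carry no TCP header; skip them.
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return src, dst, dport, pkt[ihl + 13]

def is_xmas(flags: int) -> bool:
    return (flags & XMAS) == XMAS

def xmas_sources(packets, min_ports=2):
    """Map source -> sorted probed ports, for sources hitting >= min_ports ports."""
    seen = defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed and is_xmas(parsed[3]):
            seen[parsed[0]].add(parsed[2])
    return {s: sorted(p) for s, p in seen.items() if len(p) >= min_ports}

def build(src, dst, dport, flags, options=b""):
    """Constructed sample packet (checksums left zero; the detector ignores them)."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + options + tcp

SAMPLE = [  # constructed traffic: two Christmas tree probes and two ordinary segments
    build("192.0.2.10", "198.51.100.5", 22, FIN | PSH | URG),
    build("192.0.2.10", "198.51.100.5", 80, SYN | FIN | PSH | URG, options=b"\x01" * 4),
    build("192.0.2.77", "198.51.100.5", 443, SYN),
    build("192.0.2.77", "198.51.100.5", 443, PSH | ACK),
]
```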