You are part of the security staff at a highly profitable bank, and each day all traffic on the network is logged for later review.
Every Friday, when major deposits are made, you see a series of bits placed in the "Urgent Pointer" field of a TCP packet.
This is only 16 bits, which isn't much, but it concerns you because:
Correct answer: A.
The Urgent Pointer is used when some information has to reach the server as soon as possible.
When the TCP/IP stack at the other end sees a packet with the Urgent Pointer set, it is duty bound to stop all ongoing activities and immediately send this packet up the stack for processing.
Since the packet is plucked out of the processing queue and acted upon immediately, it is known as an Out Of Band (OOB) packet, and the data is called Out Of Band (OOB) data.
The Urgent Pointer is usually used in Telnet, where an immediate response (e.g. the echoing of characters) is desirable.
Covert channels are not directly synonymous with backdoors.
A covert channel is simply using a communication protocol in a way it was not intended to be used, or sending data without going through the proper access control mechanisms or channels.
For example, in a Mandatory Access Control system, a user at Secret has found a way to communicate information to a user at Confidential without going through the normal channels.
In this case the Urgent bit could be used for a few reasons:
1. It could be an attempt at a denial of service: the host receiving a packet with the Urgent bit set will give immediate attention to the request and will remain in a wait state until the urgent message is received. If the sender never sends the urgent message, the host simply sits there doing nothing until it times out.
Some TCP/IP stacks used to have a 600-second timeout, which means that for 10 minutes nobody could use the port.
Sending thousands of packets with the URGENT flag set would create a very effective denial of service attack.
2. It could be used as a client-server application to transmit data back and forth without going through the proper channels.
It would be slow, but it is possible to use reserved fields and bits to transmit data outside the normal communication channels.
The other answers are incorrect. References: http://www.fas.org/irp/nsa/rainbow/tg030.htm, a document covering the subject of covert channels, and http://gray-world.net/papers.shtml, a large collection of documents on covert channels.
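Since the scenario says all traffic is logged for review, the check a reviewer would actually run is one that flags misuse of the Urgent Pointer field. The following is an added example, not part of the original answer: it parses constructed 20-byte TCP headers and reports packets where the pointer is non-zero while the URG flag is clear (a receiver ignores the field, so those 16 bits are a silent data slot) or where URG is set on a port that is not expected to carry urgent data. The `URG_EXPECTED_PORTS` allowlist (Telnet only) and the sample packets are assumptions for illustration.

```python
import struct

URG, ACK = 0x20, 0x10
# Hypothetical allowlist: Telnet is the classic legitimate user of urgent data.
URG_EXPECTED_PORTS = {23}

def tcp_header(sport, dport, flags, urg_ptr):
    """Build a 20-byte TCP header with no options; constructed test data only."""
    off_flags = (5 << 12) | flags          # data offset = 5 words, then flag bits
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 2000,
                       off_flags, 65535, 0, urg_ptr)

def parse_tcp(hdr):
    """Extract ports, flag bits and the urgent pointer from a raw TCP header."""
    sport, dport, _, _, off_flags, _, _, urg_ptr = struct.unpack("!HHIIHHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF, "urg_ptr": urg_ptr}

def urgent_anomalies(hdr):
    """Return the reasons a packet's urgent-pointer usage looks like misuse."""
    p = parse_tcp(hdr)
    urg_set = bool(p["flags"] & URG)
    reasons = []
    if p["urg_ptr"] and not urg_set:
        # RFC 793: the pointer is only interpreted when URG is set, so the
        # receiver ignores these bytes; that makes them a place to hide data.
        reasons.append("urgent pointer set without URG flag")
    if urg_set and not ({p["sport"], p["dport"]} & URG_EXPECTED_PORTS):
        reasons.append("URG flag on port not expected to carry urgent data")
    return reasons

def review_capture(headers):
    """Group anomalies by (src port, dst port), as a log reviewer would."""
    per_flow = {}
    for hdr in headers:
        reasons = urgent_anomalies(hdr)
        if reasons:
            p = parse_tcp(hdr)
            per_flow.setdefault((p["sport"], p["dport"]), []).extend(reasons)
    return per_flow

# Constructed capture: two benign packets and two that warrant review.
SAMPLE = [
    tcp_header(40000, 443, ACK, 0),          # ordinary HTTPS ack
    tcp_header(40001, 23, ACK | URG, 1),     # Telnet interrupt: expected use
    tcp_header(40002, 443, ACK, 0x4142),     # pointer set, URG clear
    tcp_header(40003, 8443, ACK | URG, 7),   # URG on a non-Telnet port
]

if __name__ == "__main__":
    for flow, reasons in review_capture(SAMPLE).items():
        print(flow, reasons)
```

On a real capture, the same check would be fed headers pulled from the logged packets, and a per-flow count that rises only on Fridays is exactly the pattern the question describes.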
The "Urgent Pointer" field in a TCP packet is used to indicate the position of the last byte in a sequence of urgent data. Urgent data is used to indicate data that should be processed before other data in the receiving system's buffer.
In this scenario, the security staff at a highly profitable bank logs all network traffic for later review. The staff notices that every Friday, when major deposits are made, a series of bits is being placed in the "Urgent Pointer" field of a TCP packet. This is concerning because it is a deviation from the normal network traffic behavior, and may indicate a security breach.
Option A is the correct answer as it highlights the potential for covert channeling, which refers to the unauthorized transfer of information over a communication channel that is not intended for that purpose. Covert channels are a common technique used by attackers to bypass security measures and steal information from a system.
Option B is incorrect because a damaged network cable would not cause a consistent behavior on a specific day of the week, and the "Urgent Pointer" field is not related to physical network issues.
Option C is also incorrect because a malfunctioning network card or driver would not cause consistent behavior on a specific day of the week, and it would not consistently affect the "Urgent Pointer" field.
Option D is incorrect because it suggests that the behavior is normal and caused by a known issue with the TCP protocol. However, the consistent behavior on a specific day of the week is not normal and may indicate a security breach.
Therefore, the best course of action is to investigate the behavior further and determine if it is a sign of covert channeling or other security issues.