Christmas tree packet

This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Christmas tree packet" – news · newspapers · books · scholar · JSTOR (July 2012) (Learn how and when to remove this template message)

In information technology, a Christmas tree packet (also known as a kamikaze packet, nastygram, or lamp test segment) is a packet with every single option set for whatever protocol is in use.

Background[edit]

Christmas tree packets can be used as a method of TCP/IP stack fingerprinting, exposing the underlying nature of a TCP/IP stack by sending the packets and then awaiting and analyzing the responses. When used as part of scanning a system, the TCP header of a Christmas tree packet has the flags FIN, URG and PSH set.^{[citation needed]} Many operating systems implement their compliance with the Internet Protocol standards^[1][2] in varying or incomplete ways. By observing how a host responds to an odd packet, such as a Christmas tree packet, inferences can be made regarding the host's operating system. Versions of Microsoft Windows, BSD/OS, HP-UX, Cisco IOS, MVS, and IRIX display behaviors that differ from the RFC standard when queried with said packets.^[3]

A large number of Christmas tree packets can also be used to conduct a DoS attack by exploiting the fact that Christmas tree packets require much more processing by routers and end-hosts than the "usual" packets do.

Christmas tree packets can be easily detected by intrusion-detection systems or more advanced firewalls. From a network security point of view, Christmas tree packets are always suspicious and indicate a high probability of network reconnaissance activities.

See also[edit]

• Martian packet

References[edit]

External links[edit]

• Nmap documentation