CIS3355: Business Data Structures
Fall, 2008
 

                   

What happens if we use “illegal” offsets?

 

 

First of all, understand the following terms:

 

What is an address?

 

An address is the location of data, usually in main memory or on a disk. Memory can be pictured as an array of storage boxes, each of which is one byte in length. Each box has an address, a unique number assigned to it, which makes it easy to locate.

 

[Figure: Addresses]

 

What is an array?

 

An array is a regular arrangement containing a fixed number of contiguous storage elements (that is, there are no gaps between elements) of the same data type (although they may hold different values). We could have an array of integers, an array of characters, or an array of anything that has a defined data type.

 

For example, we could store the first 10 prime numbers (1, 2, 3, 5, 7, 11, 13, 17, 19, 23) in RAM as individual integer variables, one for each number, using the following C declaration:

 

Since an array is a fixed number of contiguous storage locations all of the same data type, in RAM (assuming that the first contiguous block was at address 2000) it would look like this (2 bytes per integer):

 

Arrays can have more than one dimension. A one-dimensional array is called a vector (or a pointer, which contains the address of a location in memory); a two-dimensional array is called a matrix, that is, an array of rows and columns.

What is a string?

 

A string is a sequence of data values, usually bytes, which stand for characters (a “character string”). A character string differs from a name in that it does not represent anything. Similarly, a bit string is a sequence of bits.

 

A character string is usually defined by enclosing the characters in single or double quotes: 

 

WASHINGTON would be a name, but 'WASHINGTON' and "WASHINGTON" would be character strings.

 

The length of a character string is usually the number of characters in it:

 

The character string "WASHINGTON" has a length of 10 (the quote marks are not included).

 

What is an offset?

 

An offset (subscript) is an index or position in an array, string, or block of memory, usually a non-negative integer.

 

For example:  0, 1, 2, 3…

 

It is also a value added to a base address to form a second address.

 

For example, if B represents address 100, then the expression

B+5

would indicate the address 105. The 5 in the expression is the offset.
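The two ideas above (an array as contiguous 2-byte elements starting at a base address, and an offset added to that base) can be tried out in C. The program below is an added example, not code from the course page; the array declaration, the pictured base address 2000 and the helper names are assumptions chosen to match the lecture's picture. It also shows the check a program should make before using an offset: any offset outside the array is refused rather than used.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed sample data: the ten numbers the lecture lists, held as a
 * contiguous array of 16-bit integers (2 bytes per element, as in the text). */
#define PRIME_COUNT 10
static const int16_t primes[PRIME_COUNT] = {1, 2, 3, 5, 7, 11, 13, 17, 19, 23};

/* Hypothetical base address used only to reproduce the lecture's picture;
 * the real base is wherever the loader placed 'primes'. */
#define PICTURED_BASE 2000u

/* base + offset * element size: the address of element 'offset'. With an
 * element size of 1 this is exactly the lecture's B + 5 = 105. */
unsigned address_of(unsigned base, unsigned offset, unsigned elem_size) {
    return base + offset * elem_size;
}

/* Byte distance from element 0 to element i of the real array, so the same
 * arithmetic can be checked against the layout the compiler actually used. */
ptrdiff_t byte_offset_of(size_t i) {
    return (const char *)&primes[i] - (const char *)&primes[0];
}

/* A legal offset for this array lies in [0, PRIME_COUNT). */
int offset_is_legal(long offset) {
    return offset >= 0 && offset < PRIME_COUNT;
}

/* Checked read: an illegal offset yields 'fallback' instead of reading the
 * bytes that happen to sit past the array, which in C is undefined behaviour. */
int16_t value_or_default(long offset, int16_t fallback) {
    if (!offset_is_legal(offset)) {
        return fallback;
    }
    return primes[offset];
}

int main(void) {
    for (size_t i = 0; i < PRIME_COUNT; i++) {
        printf("offset %zu -> pictured address %u (real +%td bytes), value %d\n",
               i, address_of(PICTURED_BASE, (unsigned)i, (unsigned)sizeof primes[0]),
               byte_offset_of(i), primes[i]);
    }
    printf("offset 10 legal? %d\n", offset_is_legal(10));   /* 0 */
    printf("offset -1 legal? %d\n", offset_is_legal(-1));   /* 0 */
    return 0;
}
```

Running it prints the pictured addresses 2000, 2002, ... 2018 beside the byte distances the compiler really used, and shows offsets 10 and -1 being rejected. The point of value_or_default is that the decision about an out-of-range offset is made by the program, not left to whatever bytes follow the array.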

Okay, now that we know the basic word definitions, what happens if we use “illegal” offsets?

 

Illegal offsets are alterations that can cause malicious fragmentation, most commonly known as computer viruses. Many attackers, for example, send illegal offsets within a TCP packet.

 

TCP stands for Transmission Control Protocol.   It is a connection-oriented protocol that utilizes various flags to indicate that a connection is being started or ended, or that there’s a high priority on the data that it carries. 

 

Attackers alter the TCP flags in a way that firewalls or intrusion detection systems are unable to detect.

 

What are flags?

 

A flag is a bit of information that signals a particular condition or status. For example, a record might contain an error flag to indicate that the record consists of incorrect data.

 

What type of flags should be set in a TCP packet?

 

At least one of the following flags should be set in a TCP packet; each one takes up 1 bit of storage.

 

SYN (Synchronization): initiates a TCP connection.

ACK (Acknowledgment): indicates that the value in the acknowledgment number field is valid.

FIN (Finish): smoothly ends a TCP connection.

RST (Reset): quickly ends a TCP connection.

PSH (Push): tells the receiver to pass on the data as quickly as possible.

URG (Urgent): indicates that the urgent pointer is valid.

 

Note:  Besides the six flag bits described here, TCP packets have two additional bits which are reserved for future use.   These are commonly referred to as the "reserved bits". 

 

What constitutes a normal flag combination?

 

The following are normal flag combinations:

 

SYN, SYN ACK, ACK

Every packet in a connection must have the ACK bit set, except for the initial SYN packet.

FIN ACK, ACK

These are used during the smooth ending of a connection.

PSH FIN ACK

This is also seen at the start of a smooth termination.

RST or RST ACK

These can be used to quickly end an existing connection.

 

What are the abnormal flag combinations (viruses) an attacker may send to a computer?

 

The following are examples of abnormal flag combinations.

 

SYN FIN

This is the best known illegal combination. Remember: SYN is used to start a connection, and FIN is used to end a connection. Therefore, any SYN FIN packet is malicious.

SYN FIN PSH,

SYN FIN RST,

SYN FIN RST PSH

Attackers who know that certain intrusion detection systems may look only for packets with exactly the SYN and FIN bits set, and not for packets with additional bits set, use these packets, which are definitely malicious.

FIN

FIN packets are used for port scans and network mapping. Packets must never contain just a FIN flag.

Null

These packets have no flags set. It is illegal to have a packet with zero flags set.
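The normal and abnormal combinations listed above can be turned into a small detection rule of the kind an intrusion detection system applies to each packet's flags byte. The program below is an added example written for this page, not code from the course or from any IDS; the bit values are the standard TCP control-bit positions (FIN 0x01, SYN 0x02, RST 0x04, PSH 0x08, ACK 0x10, URG 0x20, held in byte 13 of the header), the verdict names and helper functions are this example's own, and the packets it inspects are constructed sample values. It goes slightly beyond the list by treating any SYN+FIN combination as one rule, which is what the page's "SYN FIN PSH, SYN FIN RST, SYN FIN RST PSH" entries amount to.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bit positions of the six control flags in the TCP header (RFC 793).
 * In the 20-byte header the flags sit in byte 13; its top two bits are
 * the reserved bits the lecture mentions and are masked off here. */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20
#define TCP_FLAG_MASK 0x3F
#define TCP_FLAGS_BYTE 13

enum verdict {
    FLAGS_NORMAL = 0,
    FLAGS_NULL,      /* no flags at all */
    FLAGS_SYN_FIN,   /* SYN and FIN together, with or without extra bits */
    FLAGS_FIN_ONLY,  /* a bare FIN */
    FLAGS_NO_ACK     /* anything else missing ACK, except a lone SYN or RST */
};

/* Apply the lecture's rules to one flags byte. The lone-RST exemption comes
 * from the "RST or RST ACK" entry in the list of normal combinations. */
enum verdict classify_flags(uint8_t flags) {
    uint8_t f = flags & TCP_FLAG_MASK;
    if (f == 0) return FLAGS_NULL;
    if ((f & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN)) return FLAGS_SYN_FIN;
    if (f == TCP_FIN) return FLAGS_FIN_ONLY;
    if (!(f & TCP_ACK) && f != TCP_SYN && f != TCP_RST) return FLAGS_NO_ACK;
    return FLAGS_NORMAL;
}

/* Pull the flags byte out of a raw TCP header. */
uint8_t flags_from_header(const uint8_t *tcp_header) {
    return tcp_header[TCP_FLAGS_BYTE];
}

/* Count how many of n flag bytes an IDS following these rules would report. */
size_t count_abnormal(const uint8_t *flags, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (classify_flags(flags[i]) != FLAGS_NORMAL) bad++;
    }
    return bad;
}

static const char *verdict_name(enum verdict v) {
    static const char *names[] = {"normal", "null", "SYN FIN", "FIN only", "missing ACK"};
    return names[v];
}

/* Constructed sample: a normal handshake and teardown mixed with the
 * combinations the lecture calls abnormal. Exactly four are abnormal. */
#define SAMPLE_COUNT 9
static const uint8_t SAMPLE_FLAGS[SAMPLE_COUNT] = {
    TCP_SYN, TCP_SYN | TCP_ACK, TCP_ACK,          /* handshake */
    TCP_SYN | TCP_FIN,                            /* abnormal */
    TCP_FIN,                                      /* abnormal */
    0x00,                                         /* abnormal (null) */
    TCP_FIN | TCP_ACK, TCP_ACK,                   /* smooth close */
    TCP_SYN | TCP_FIN | TCP_RST | TCP_PSH         /* abnormal */
};

/* Constructed 20-byte TCP header: port 1234 -> 80, flags byte 13 = SYN | ACK. */
static const uint8_t SAMPLE_HEADER[20] = {
    0x04, 0xD2, 0x00, 0x50,  /* source port 1234, destination port 80 */
    0x00, 0x00, 0x00, 0x01,  /* sequence number */
    0x00, 0x00, 0x00, 0x00,  /* acknowledgment number */
    0x50, 0x12,              /* data offset 5 words; flags = SYN | ACK */
    0xFF, 0xFF, 0x00, 0x00,  /* window, checksum */
    0x00, 0x00               /* urgent pointer */
};

int main(void) {
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        printf("flags 0x%02X -> %s\n", SAMPLE_FLAGS[i],
               verdict_name(classify_flags(SAMPLE_FLAGS[i])));
    }
    printf("abnormal packets: %zu of %d\n",
           count_abnormal(SAMPLE_FLAGS, SAMPLE_COUNT), SAMPLE_COUNT);
    printf("header flags byte: 0x%02X\n", flags_from_header(SAMPLE_HEADER));
    return 0;
}
```

The rule for "every packet must carry ACK except the initial SYN" is written as the last check so that the more specific SYN FIN, bare FIN and null cases are named first; an IDS that only matched the exact byte value SYN|FIN would miss the SYN FIN PSH and SYN FIN RST variants, which is why the check tests the two bits rather than the whole byte.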

Visit the following links for more detailed information:

http://www.securityfocus.com/infocus/1200

http://www.cs.wright.edu/pmateti/InternetSecurity/Lectures/Ipexploits/

http://www.giac.com/practical/EAVazquezJr.html

http://www.web.ask.com/redir?bpg=http%2f%2fweb.ask.com%2fweb%

Review Questions

1.  Which of the following is a position in an array, string, or block of memory?

  a. Base Address
  b. B+5
  c. Offset
  d. Array
  e. String

      (Answer:  c)

2.  Malicious fragmentation is most commonly known as:

  a. Fragmentation
  b. Computer Viruses
  c. Flags
  d. TCP
  e. Illegal Offsets

      (Answer:  b)

3.  Which of the following is a bit of information that signals a particular condition?

  a. Record
  b. Error
  c. Firewall
  d. Flag
  e. Detection System

      (Answer:  d)

4.  What type of fragmentation do illegal offsets cause?

     (Answer:  Malicious fragmentation)

5.  What does TCP stand for?

     (Answer:  Transmission Control Protocol)

6.  What are some examples of normal flag combinations?

     (Answer:  SYN, SYN ACK, ACK; FIN ACK, ACK; PSH FIN ACK; RST/RST ACK)   

7.  Describe some abnormal flag combinations an attacker may send to a computer.

     (Answer:  SYN FIN; SYN FIN PSH, SYN FIN RST, SYN FIN RST PSH; FIN; NULL)