Deliver Us From Evil Bits

Detection of worms and viruses would be much easier if programmers would only respect an established IPv4 flag

April 1, 2004

3 Min Read
Deliver Us From Evil Bits

One year after an Internet Engineering Task Force (IETF) document established the flagging of "evil" packets, bad stuff continues to worm its way around the net. Despite a clear definition, it appears the Evil Bit remains ignored by many.

The Evil Bit, specified by Request for Comments (RFC) 3514, is a flag in the IPv4 header that can determine the intentions of a particular packet. Like a concerned father quizzing his daughter's dates, the Evil Bit could stop problems at the door.

The Evil Bit works according to a complex algorithm:

Table 1: Evil Bit: Format

Value of "E"






Developed by AT&T Corp. (NYSE: T) research fellow Steven Bellovin, the Evil Bit debuted one year ago today, so programmers have had plenty of time to incorporate it.

Astoundingly, worms, viruses, and denial of service attacks -- many with clear evil intent -- have failed to adhere to RFC 3514. "There are lots of unmarked but evil packets floating around the net. We clearly need more enforcement activity to stop such non-compliant behavior," Bellovin writes in an email to Light Reading.

An author of the book Firewallsand Internet Security: Repelling the Wily Hacker, Bellovin has a background in security that qualified him to draft the Evil Bit.

"I'd been using it as a throw-away line for years, in my lectures on firewalls," he writes. "I'd say, 'If we knew which packets were evil, we could discard them very easily; since we don't know that, we have to use port numbers, etc.' Then I became one of the Security Area directors, which meant that I was reading lots of [IETF] drafts, and absorbing the proper style. After that, all I needed was time."

Several observers have drawn parallels to David Waitzman's RFC 1149 for transmission by carrier pigeon. They're not unrelated, Bellovin notes: "Well, pigeon output is almost always evil."Bellovin hasn't tracked RFC 3514's popularity among evildoers ("I'm not in close contact with the Evil community," he writes). But he's gotten some disturbingly earnest queries about implementation, including this one from a Microsoft security engineer:

  • What or who determines the "evilness" or "goodness" of the packet? If a security admin or OS can determine or flag bits as good, what keeps the hacker from spoofing this process by setting the bit to "good"? Does the bit change based on behavior? Or maybe a database with signatures of "bad" bits?

Bellovin's response to the question is unknown, but there's a chance no one would have thought of spoofing the Evil Bit until this guy brought it up. Nice going, Mr. Helpful.

When it comes to only partially evil messages, such as decade-old jokes still making the rounds, help is on the way. IPv6, with its larger header, would fit a 128-bit Evil flag, allowing for gradations of evil. It's feasible that a future RFC would define levels such as "sort of evil," "really, really evil," or (for emails) "evil, but urgent."

But even after IPv6, more work remains. The advent of all-optical switching would create problems with the Evil Bit, since traffic would be able to bypass routers. Thus, Bellovin's RFC notes the industry may need ways to detect evil wavelengths or evil polarization. Will Evil never rest?

— Craig Matsumoto, Senior Editor, Light Reading

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like