Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: Darren Reed <darrenr () cyber com au>
Date: Sun, 22 Feb 1998 01:17:33 +1100 (EST)
In some mail I received from tqbf () secnet com, sie wrote
> > > First off, a nit: overlapping fragments with inconsistent data are never
>                                                   ^^^^^^^^^^^^^^^^^^^^^
> > > going to be the valid output of a TCP/IP stack.
>
> Note underlined text.
>
> > > I don't know that the same
>                            ^^^^^
> > > is true of all overlapping fragments.
>                 ^^^
> Note underlined text.
>
> > Wrong. If you have asymmetrical routing and different MTUs on each route
> > then it is possible. Oh, it also requires path MTU discovery to be off.
>
> You're saying that it's possible to get fragments which overlap and which
> have inconsistent data in normal traffic? How?

You don't know that it is correct until it is checksummed, and you can't checksum it until it's all reassembled. Data corruption occurs, especially with serial connections such as PPP that end up propagating erroneous data.

Actually, I didn't read the "inconsistent data" at first, and just thought you were saying overlapping fragments weren't a part of real TCP/IP so I had to find another scenario (okay, so it's remote...) that would allow what you claim to be "attack-only" to occur `naturally' O:-) I hope I've found one. Oh, that scenario does rely on the layer 2 protocol not doing any checksumming.

So if I had two PPP connections, with different MTUs and doing load sharing over them, I could conceivably create situations which manufacture the type of packets that you're classing as an "attack".

Darren

p.s. tabs in text don't quote very well :/
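
Added example (not part of the original message or thread): a sensor-side check that separates overlapping fragments whose copies agree from overlaps carrying inconsistent data, the distinction the message turns on. The function names and the sample datagram are constructed for illustration; fragments are assumed to be already grouped per datagram as (byte offset, data) pairs.

```python
def fragment(payload: bytes, chunk: int):
    """Split payload into (offset, data) pairs. chunk must be a multiple of 8
    because IP fragment offsets are expressed in 8-byte units."""
    if chunk <= 0 or chunk % 8:
        raise ValueError("chunk must be a positive multiple of 8")
    return [(off, payload[off:off + chunk]) for off in range(0, len(payload), chunk)]


def classify_overlaps(fragments):
    """Return (kind, start, end) for each byte range covered more than once.
    kind is 'consistent' when the copies agree, 'inconsistent' when they differ.
    end is exclusive; the first copy seen at an offset is the reference."""
    findings = []
    seen = {}  # byte offset -> first value observed there
    for off, data in fragments:
        run_start, run_kind = None, None
        for i, value in enumerate(data):
            pos = off + i
            kind = None
            if pos in seen:
                kind = "consistent" if seen[pos] == value else "inconsistent"
            else:
                seen[pos] = value
            if kind != run_kind:
                if run_kind is not None:  # close the run that just ended
                    findings.append((run_kind, run_start, pos))
                run_start, run_kind = pos, kind
        if run_kind is not None:  # run reaching the end of the fragment
            findings.append((run_kind, run_start, off + len(data)))
    return findings


# Constructed sample: one 48-byte datagram split at two fragment sizes,
# with pieces from both splits arriving for the same datagram.
PAYLOAD = bytes(range(48))
BIG, SMALL = fragment(PAYLOAD, 24), fragment(PAYLOAD, 16)
MIXED = [BIG[0], SMALL[1], SMALL[2]]

# Same arrival, but one byte of the overlapping piece damaged in transit
# (constructed; models a link with no layer 2 checksum).
_off, _data = SMALL[1]
_bad = bytearray(_data)
_bad[3] ^= 0xFF
CORRUPTED = [BIG[0], (_off, bytes(_bad)), SMALL[2]]

if __name__ == "__main__":
    print(classify_overlaps(MIXED))
    print(classify_overlaps(CORRUPTED))
```

A sensor only sees the fragments, not the sender's checksum result, so an 'inconsistent' finding cannot by itself tell corruption from deliberate overlap; it marks the datagram for reassembly-aware handling.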