Firewall Wizards mailing list archives

Re: Important Comments re: INtrusion Detection


From: Darren Reed <darrenr () cyber com au>
Date: Sun, 22 Feb 1998 01:17:33 +1100 (EST)

In some mail I received from tqbf () secnet com, sie wrote

First off, a nit: overlapping fragments with inconsistent data are never
                                             ^^^^^^^^^^^^^^^^^^^^^
going to be the valid output of a TCP/IP stack. 

Note underlined text.

I don't know that the same
                         ^^^^^

is true of all overlapping fragments. 
               ^^^

Note underlined text.

Wrong.  If you have asymmetrical routing and different MTUs on each route
then it is possible.  Oh, it also requires path MTU discovery to be off.

You're saying that it's possible to get fragments which overlap and which
have inconsistent data in normal traffic? How?

You don't know that it is correct until it is checksummed, and you can't
checksum it until it's all reassembled.

Data corruption occurs, especially with serial connections such as PPP that
end up propagating erroneous data.

Actually, I didn't read the "inconsistent data" at first, and just thought
you were saying overlapping fragments weren't a part of real TCP/IP so I
had to find another scenario (okay, so it's remote...) that would allow
what you claim to be "attack-only" to occur `naturally' O:-)  I hope I've
found one.  Oh, that scenario does rely on the layer 2 protocol not doing
any checksumming.  So if I had two PPP connections, with different MTUs
and doing load sharing over them, I could conceivably create situations
which manufacture the type of packets that you're classing as an "attack".

Darren

p.s. tabs in text don't quote very well :/
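
An added example, not part of the original post: a small check of the kind an intrusion detection sensor could run, separating overlapping fragments whose re-sent bytes agree from overlaps whose bytes differ, as in the scenario discussed above. The fragment model (byte offsets rather than 8-byte units), the function names, the keep-first-copy policy and the sample datagram are all assumptions made for illustration.

```python
# Added illustration: fragments are modelled as (byte_offset, payload) pairs of
# one datagram; real IP headers carry the offset in 8-byte units.

def fragment(payload, size):
    """Split payload into (offset, data) fragments of at most `size` bytes."""
    return [(off, payload[off:off + size]) for off in range(0, len(payload), size)]

def classify_overlaps(fragments):
    """Compare each arriving fragment with the bytes already received.

    Returns (start, end, verdict) for every fragment that overlaps earlier data;
    verdict is "consistent" if all re-sent bytes match, else "inconsistent".
    """
    seen = {}        # byte offset -> value first received
    findings = []
    for off, data in fragments:
        overlap = [i for i in range(off, off + len(data)) if i in seen]
        if overlap:
            same = all(seen[i] == data[i - off] for i in overlap)
            findings.append((overlap[0], overlap[-1] + 1,
                             "consistent" if same else "inconsistent"))
        for i, b in enumerate(data):
            seen.setdefault(off + i, b)   # keep the first copy (assumed policy)
    return findings

# Constructed sample: the same 48-byte datagram fragmented at two different
# sizes, standing in for two routes with different MTUs.
DATAGRAM = bytes(range(48))
ROUTE_A = fragment(DATAGRAM, 16)   # offsets 0, 16, 32
ROUTE_B = fragment(DATAGRAM, 24)   # offsets 0, 24

def mixed_arrival(corrupt=False):
    """Fragments as a receiver might see them when both routes deliver pieces."""
    b_second = bytearray(ROUTE_B[1][1])
    if corrupt:
        b_second[3] ^= 0xFF        # one flipped byte on a link with no checksum
    return [ROUTE_A[0], ROUTE_A[1], (24, bytes(b_second))]

if __name__ == "__main__":
    print(classify_overlaps(mixed_arrival()))               # overlap, same bytes
    print(classify_overlaps(mixed_arrival(corrupt=True)))   # overlap, bytes differ
```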


