Firewall Wizards mailing list archives
Re: TCP segments with overlapping data
From: Vern Paxson <vern () aciri org>
Date: Tue, 04 Dec 2001 23:49:49 -0800
> I am getting IDS messages that say that there are TCP segments with overlapping data. ... Has anybody seen this?
Yes. In general, if you monitor a sufficiently large traffic stream (e.g., a big site like a campus), you will see the darnedest things, and not as attacks but just as benign junk. See section 7.3, "Crud seen on a DMZ", of: http://www.aciri.org/vern/papers/bro-CN99.html
> My question is what is TCP overlapping data? Assuming a layer 2 problem: Is it that the offset in the IP header is overlapping for a packet with the same ID?
It's not a layer 2 problem. Each TCP data packet ("segment") spans a range of sequence numbers, with each byte in the segment occupying one sequence number. You can get overlap when, for example, a TCP sender transmits a segment with sequence numbers 1-512 in one packet, and then later transmits 256-768 in another packet; or 1-768 in another (larger) packet. The first of these doesn't happen often. The second is more common, and can occur because the sender has acquired new data to transmit (from the sending application) between when it first transmitted and when it retransmits. This is particularly common for situations like sending keystrokes; the first packet will have sequence 18-18 in it, corresponding to a single keystroke, and a later transmission will have 18-19, corresponding to a retransmission of 18 and a new transmission of 19.
> What is the vulnerability associated?
There are two. First, the overlap may confuse the algorithm used by some IDSs for tracking connection contents. Second, there is an evasion attack in which you send *different* contents in for the overlapping regions. There's a discussion of this in section 5.3 of the above-mentioned paper ("Subterfuge attacks").

Vern
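The overlap cases Vern describes (an exact retransmission, a larger retransmission that carries new data, and a partially overlapping segment) and the inconsistent-content evasion from section 5.3 can all be recognised from sequence-number arithmetic alone. The following is an added example written for this archive page, not code from the original post or from Bro; the class and method names, the "first byte seen wins" reassembly policy and the constructed segments are my own assumptions. It tracks one direction of a connection, classifies each overlap, and flags an overlap whose bytes disagree with what was seen earlier, which is the condition an IDS should alert on rather than silently resolve.

```python
"""Sequence-space overlap detection for one direction of a TCP connection.

Added example (not the original post's code).  A segment is modelled as
(seq, payload): it covers sequence numbers seq .. seq+len(payload)-1, one
number per byte, exactly as described in the reply above.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Overlap:
    kind: str          # "exact_retransmit", "superset", "subset" or "partial"
    start: int         # first overlapping sequence number
    end: int           # last overlapping sequence number (inclusive)
    consistent: bool   # False if any overlapped byte differs from what was seen before


@dataclass
class StreamTracker:
    # sequence number -> byte first observed at that position (first-seen-wins
    # policy; a hypothetical choice, real stacks differ in which copy they keep)
    seen: Dict[int, int] = field(default_factory=dict)
    segments: List[Tuple[int, int]] = field(default_factory=list)  # (seq, length)
    overlaps: List[Overlap] = field(default_factory=list)

    def add_segment(self, seq: int, payload: bytes) -> Optional[Overlap]:
        """Record a segment; return an Overlap if it re-covers known bytes."""
        if not payload:
            return None
        first, last = seq, seq + len(payload) - 1
        result = None
        # Classify against the first earlier segment whose range intersects.
        for pseq, plen in self.segments:
            pfirst, plast = pseq, pseq + plen - 1
            ostart, oend = max(first, pfirst), min(last, plast)
            if ostart > oend:
                continue
            if first == pfirst and last == plast:
                kind = "exact_retransmit"      # e.g. 1-512 sent twice
            elif first <= pfirst and last >= plast:
                kind = "superset"              # e.g. 18-18 then 18-19 (keystrokes)
            elif first >= pfirst and last <= plast:
                kind = "subset"
            else:
                kind = "partial"               # e.g. 1-512 then 256-768
            # Evasion check: every already-seen byte in the new segment's range
            # must match the new payload; any mismatch is the subterfuge case.
            consistent = all(
                self.seen[s] == payload[s - seq]
                for s in range(first, last + 1) if s in self.seen
            )
            result = Overlap(kind, ostart, oend, consistent)
            self.overlaps.append(result)
            break
        for i, b in enumerate(payload):
            self.seen.setdefault(seq + i, b)   # keep the first copy of each byte
        self.segments.append((seq, len(payload)))
        return result

    def contents(self) -> bytes:
        """Reassembled bytes from the lowest sequence number up to the first gap."""
        if not self.seen:
            return b""
        s = min(self.seen)
        out = bytearray()
        while s in self.seen:
            out.append(self.seen[s])
            s += 1
        return bytes(out)


def demo() -> List[Overlap]:
    """Run the three constructed scenarios from the reply and return the overlaps."""
    keys = StreamTracker()                      # single keystroke, then retransmit + new byte
    keys.add_segment(18, b"a")
    keys.add_segment(18, b"ab")

    bulk = StreamTracker()                      # 1-512 then 256-768
    bulk.add_segment(1, bytes(512))
    bulk.add_segment(256, bytes(513))

    evade = StreamTracker()                     # same range, different contents (constructed)
    evade.add_segment(100, b"AAAA")
    evade.add_segment(100, b"ABAA")
    return keys.overlaps + bulk.overlaps + evade.overlaps


if __name__ == "__main__":
    for o in demo():
        print(o)
```

Only the last scenario has `consistent == False`; the first two are the benign "crud" the reply says a busy monitoring point will always see, so a detector should log them at low severity and reserve the alert for an overlap whose bytes disagree. Which copy the end host actually honours is stack dependent, so the tracker does not try to resolve the conflict; it reports it.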