Firewall Wizards mailing list archives

Re: TCP segments with overlapping data


From: Vern Paxson <vern () aciri org>
Date: Tue, 04 Dec 2001 23:49:49 -0800

> I am getting IDS messages that say that there are TCP segments with
> overlapping data.
> ...
> Has anybody seen this?

Yes.  In general, if you monitor a sufficiently large traffic stream (e.g.,
a big site like a campus), you will see the darnedest things, and not as
attacks but just as benign junk.  See section 7.3, "Crud seen on a DMZ", of:

        http://www.aciri.org/vern/papers/bro-CN99.html

> My question is what is TCP overlapping data?
> Assuming a layer 2 problem: Is it that the offset in the IP header is
> overlapping for a packet with the same ID?

It's not a layer 2 problem.  Each TCP data packet ("segment") spans a
range of sequence numbers, with each byte in the segment occupying one
sequence number.  You can get overlap when, for example, a TCP sender
transmits a segment with sequence numbers 1-512 in one packet, and then
later transmits 256-768 in another packet; or 1-768 in another (larger)
packet.

The first of these doesn't happen often.  The second is more common, and
can occur because the sender has acquired new data to transmit (from the
sending application) between when it first transmitted and when it retransmits.
This is particularly common for situations like sending keystrokes; the
first packet will have sequence 18-18 in it, corresponding to a single
keystroke, and a later transmission will have 18-19, corresponding to
a retransmission of 18 and a new transmission of 19.

> What is the vulnerability associated?

There are two.  First, the overlap may confuse the algorithm used by some
IDS's for tracking connection contents.  Second, there is an evasion attack
in which you send *different* contents in for the overlapping regions.
There's a discussion of this in section 5.3 of the above-mentioned paper
("Subterfuge attacks").

                Vern
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

