IDS mailing list archives
Re: TCP checksums; was Re: A new TCP/IP blind data injection technique? (on bugtraq)
From: Rahul <rahul () mmsl serc iisc ernet in>
Date: Tue, 16 Dec 2003 12:00:03 +0530 (IST)
Hi,

I had read previously some talk about how some NIDS are able to mimic the stack of the target host accurately. This was in relation to re-assembly and defragmentation. So the NIDS that claim to mimic the network stacks of end-hosts correctly should have no problem dealing with zero-checksum packets. But what are the speeds such NIDS are capable of? Does anyone know?

Rahul

On Mon, 15 Dec 2003, Ron Gula wrote:
> Most NIDS (NFR, Snort, Dragon, etc.) drop this sort of TCP packet. If they did not, it could be used for insertion. On the insertion side, NIDS that are not aware of the MTU for a network (like in front of a VPN) don't know if a packet of 1500 bytes will get fragmented or not. If you mark such a packet with the 'Don't Fragment' bit, the NIDS may pick up something that never makes it to the target. I've heard rumors of some NIDS-bypass tools that scan a target network to determine MTU to various target IPs, and then launch specific attacks intermixed with bogus traffic that gets dropped in front of the VPN or whatever device causing the small MTU.
>
> Ron Gula, CTO
> Tenable Network Security
> http://www.tenablesecurity.com
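The check Ron describes, a NIDS discarding TCP segments whose checksum the end host would reject so that they cannot be used for insertion, comes down to recomputing the TCP checksum over the IPv4 pseudo-header. The following is an added example written for this archive page, not code from the thread or from any product named in it; the addresses, ports and payloads are constructed, and the filter function is a hypothetical stand-in for a sensor's pre-reassembly stage.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum as used by IP and TCP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, TCP length)
    plus the TCP header and payload, with the checksum field (bytes 16-17) zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def segment_is_valid(src: bytes, dst: bytes, segment: bytes) -> bool:
    """True only if the stored checksum matches; an end host drops anything else,
    so a sensor mimicking that host must drop it too, before reassembly."""
    if len(segment) < 20:
        return False
    (stored,) = struct.unpack("!H", segment[16:18])
    return stored == tcp_checksum(src, dst, segment)

def build_segment(src, dst, sport, dport, seq, ack, flags, payload, checksum=None):
    """Constructed TCP segment with no options (data offset 5, window 65535).
    checksum=None fills in the correct value; any other value is stored as given."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    seg = hdr + payload
    if checksum is None:
        checksum = tcp_checksum(src, dst, seg)
    return seg[:16] + struct.pack("!H", checksum) + seg[18:]

def accepted_payloads(src: bytes, dst: bytes, segments) -> list:
    """Hypothetical sensor stage: keep only the payloads the end host would accept."""
    return [s[20:] for s in segments if segment_is_valid(src, dst, s)]

if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    good = build_segment(src, dst, 1234, 80, 1, 0, 0x18, b"ab")
    bogus = build_segment(src, dst, 1234, 80, 1, 0, 0x18, b"xx", checksum=0)
    print(hex(tcp_checksum(src, dst, good)), accepted_payloads(src, dst, [bogus, good]))
```

A sensor that skipped this check would see `xx` at sequence number 1 while the host sees `ab`, which is the desynchronisation Ron's insertion point refers to.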