Firewall Wizards mailing list archives

Re: Important Comments re: INtrusion Detection

From: Darren Reed <darrenr () cyber com au>
Date: Sat, 21 Feb 1998 17:20:41 +1100 (EST)

In some mail I received from tqbf () secnet com, sie wrote


First off, a nit: overlapping fragments with inconsistant data are never
going to be the valid output of a TCP/IP stack. I don't know that the same
is true of all overlapping fragments. I used to be comfortable making
claims like "this will never happen", but then I learned about Vern
Paxson's work, and now I try to be more careful.


Wrong.  If you have asymetrical routing and different MTU's on each route
then it is possible.  Oh, it also requires path MTU discovery to be off.

Darren

Current thread:

Re: Important Comments re: INtrusion Detection, (continued)
- - - Re: Important Comments re: INtrusion Detection Paul M. Cardon (Feb 19)
  - Re: Important Comments re: INtrusion Detection Jonathan Care (Feb 19)
- Re: Important Comments re: INtrusion Detection Michael T. Stolarchuk (Feb 19)
- RE: Important Comments re: INtrusion Detection Kurt Ziegler (Feb 19)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 19)
- Re: Important Comments re: INtrusion Detection Barney Wolff (Feb 20)
  - Re: Important Comments re: INtrusion Detection Aleph One (Feb 20)
  - Re: Important Comments re: INtrusion Detection marc (Feb 20)
- Re: Important Comments re: INtrusion Detection Barney Wolff (Feb 20)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 20)
  - Re: Important Comments re: INtrusion Detection Darren Reed (Feb 21)
    - Re: Important Comments re: INtrusion Detection tqbf (Feb 21)
    - Re: Important Comments re: INtrusion Detection Darren Reed (Feb 21)
- Re: Important Comments re: INtrusion Detection Vern Paxson (Feb 21)