Firewall Wizards mailing list archives

RE: Re: TCP segments with overlapping data


From: "Schouten, Diederik (Diederik)" <dschout () lucent com>
Date: Mon, 29 Apr 2002 15:25:32 +0200

TCP overlapping reported by IDS is not an issue at all, am I right?

TCP Overlap Data
Type: Suspicious Activity

Console Name: TCP_Overlap_Data

Technical description: Data in TCP connections is broken into packet-sized
segments for transmission. The target host must reassemble these segments
into a contiguous stream to deliver it to an application. The TCP/IP
specifications are not clear on what should happen if segments representing
interpret such data. This type of traffic should never happen naturally on a
network, but it has been observed in conjunction with malfunctioning network
equipment.

Why this is important: By deliberately constructing connections with
overlapping but different data in them, attackers can attempt to cause an
intrusion detection system or other network monitoring tool to misinterpret
the intent of the connection. This can be used to deliberately induce false
positives or false negatives in a monitoring tool.

False positives: This signature is not itself an attack, but in conjunction
with other activity is either evidence of malicious intent or of egregiously
malfunctioning network equipment.

Systems affected: Any system running TCP.

How to remove this vulnerability: No vulnerability to remove.

  
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
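The signature text above says why overlapping segments with different data matter: a monitor and the target host may resolve the overlap differently and so see two different byte streams. The following is an added illustration, not part of the original post or of the IDS vendor's signature text. The segment contents are constructed, and the two policy names ("favor-old", "favor-new") are assumptions used for illustration; real TCP stacks differ in exactly how they handle partial and full overlaps, so an IDS has to know the reassembly behaviour of the host it protects.

```python
"""Constructed demonstration of TCP segment overlap with conflicting data.

Added example, not from the mailing-list post. Segment payloads and the
policy names are assumptions for illustration; real stacks vary in their
overlap handling, which is exactly what an evasion relies on.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes   # payload


def reassemble(segments, policy):
    """Rebuild the byte stream from segments in arrival order.

    policy "favor-old": bytes already received win when a later segment
                        overlaps them (the later data is dropped).
    policy "favor-new": a later segment overwrites earlier bytes.
    Any gap is filled with 0x00; the sample data below has no gaps.
    """
    if policy not in ("favor-old", "favor-new"):
        raise ValueError("unknown policy: %r" % policy)
    buf = {}  # stream offset -> byte value
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in buf and policy == "favor-old":
                continue
            buf[off] = b
    if not buf:
        return b""
    return bytes(buf.get(i, 0) for i in range(max(buf) + 1))


def find_conflicts(segments):
    """Return (offset, held_byte, new_byte) for every overlapping byte whose
    value differs from the byte most recently received at that offset.

    This is the condition the signature describes: overlap alone is normal
    (a retransmission repeats bytes), overlap with *different* data is not.
    """
    held = {}
    conflicts = []
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in held and held[off] != b:
                conflicts.append((off, held[off], b))
            held[off] = b
    return conflicts


# Constructed attacker traffic: the benign path arrives first, then a
# second segment covering the same sequence range with different bytes.
CRAFTED = [
    Segment(0, b"GET /"),
    Segment(5, b"index.htm"),        # offsets 5..13
    Segment(5, b"../../etc"),        # same offsets, different data
    Segment(14, b" HTTP/1.0\r\n"),
]

# Constructed ordinary retransmission: overlap, but identical bytes.
RETRANSMIT = [
    Segment(0, b"GET /"),
    Segment(5, b"index.htm"),
    Segment(5, b"index.htm"),        # duplicate of the previous segment
    Segment(14, b" HTTP/1.0\r\n"),
]


def views(segments):
    """The stream as seen under each policy; a monitor using one policy and
    a host using the other disagree about what the client requested."""
    return {p: reassemble(segments, p) for p in ("favor-old", "favor-new")}


if __name__ == "__main__":
    for name, segs in (("crafted", CRAFTED), ("retransmit", RETRANSMIT)):
        print(name)
        for policy, stream in views(segs).items():
            print("  %-9s %r" % (policy, stream))
        print("  conflicting bytes: %d" % len(find_conflicts(segs)))
```

Running it shows the crafted stream reading as a request for index.htm under one policy and for ../../etc under the other, while the plain retransmission reassembles identically under both and yields no conflicting bytes. That is the distinction to keep in mind when triaging this signature: overlap with identical data is ordinary TCP behaviour; overlap with differing data is either broken equipment or someone trying to make the monitor and the host disagree.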
