Firewall Wizards mailing list archives
RE: Re: TCP segments with overlapping data
From: "Schouten, Diederik (Diederik)" <dschout () lucent com>
Date: Mon, 29 Apr 2002 15:25:32 +0200
TCP overlapping reported by IDS is not any issue at all, am I right?
TCP Overlap Data

Type: Suspicious Activity

Console Name: TCP_Overlap_Data

Technical description: Data in TCP connections is broken into packet-sized segments for transmission. The target host must reassemble these segments into a contiguous stream to deliver it to an application. The TCP/IP specifications are not clear on what should happen if segments representing interpret such data. This type of traffic should never happen naturally on a network, but it has been observed in conjunction with malfunctioning network equipment.

Why this is important: By deliberately constructing connections with overlapping but different data in them, attackers can attempt to cause an intrusion detection system or other network monitoring tool to misinterpret the intent of the connection. This can be used to deliberately induce false positives or false negatives in a monitoring tool.

False positives: This signature is not itself an attack, but in conjunction with other activity is either evidence of malicious intent or of egregiously malfunctioning network equipment.

Systems affected: Any system running TCP.

How to remove this vulnerability: No vulnerability to remove.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
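The signature text above separates overlapping segments that carry different data from ordinary traffic. The following sketch is an added example and not part of the original message or of any IDS product: it classifies each overlap as a matching retransmit or a conflict, and shows how two reassembly policies rebuild different streams from the same segments. It assumes relative sequence numbers starting at 0; the function names and the sample segments are constructed for illustration.

```python
# Added example: classify TCP segment overlaps and compare reassembly policies.
# Segments are (relative_seq, payload) tuples in arrival order.

# Constructed sample: one matching retransmit, one overlap with different data.
SAMPLE = [(0, b"ABCDEF"), (3, b"DEFGH"), (6, b"XYZ")]


def find_overlaps(segments):
    """Return (seq, kind) for each segment that overlaps bytes already seen.

    kind is 'retransmit' when the overlapping bytes match what was seen
    before, and 'conflict' when any overlapping byte differs.
    """
    seen = {}  # stream offset -> byte value first observed at that offset
    findings = []
    for seq, data in segments:
        overlap = [i for i in range(len(data)) if seq + i in seen]
        if overlap:
            differs = any(seen[seq + i] != data[i] for i in overlap)
            findings.append((seq, "conflict" if differs else "retransmit"))
        for i, b in enumerate(data):
            seen.setdefault(seq + i, b)
    return findings


def reassemble(segments, policy):
    """Rebuild the contiguous stream from offset 0.

    policy 'first' keeps the earliest copy of each byte; 'last' lets a
    later segment overwrite it. Bytes after a hole are not delivered.
    """
    stream = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            if policy == "last" or seq + i not in stream:
                stream[seq + i] = b
    out = bytearray()
    while len(out) in stream:
        out.append(stream[len(out)])
    return bytes(out)


def policies_diverge(segments):
    """True when a monitor and an endpoint using different policies would
    see different application data for the same connection."""
    return reassemble(segments, "first") != reassemble(segments, "last")
```

A 'retransmit' finding is normal TCP behaviour; only a 'conflict' finding corresponds to the "overlapping but different data" case the description flags.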