IDS mailing list archives
Re: tcp overlap
From: "Thomas H. Ptacek" <tqbf () pobox com>
Date: Wed, 15 Jan 2003 16:36:14 -0500
On 1/13/03 2:16 PM, "fr0ck9" <fr0ck9 () yahoo com> wrote:
I know Thomas Ptacek from Secure Networks documented some findings that, when an overlap occurs, the following list of OS respond accordingly. Has anyone else verified this or have any insight?
I believe you're referring to the OS-dependent behavior of fragmentation reassembly that Tim Newsham and I pointed out in our paper, which you can find at http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps
I haven't heard any claims about inaccuracies, although the study does date back a few years. When we wrote the paper, virtually no IDS even attempted fragmentation reassembly.
---
Thomas H. Ptacek
Arbor Networks, Inc.