IDS mailing list archives

Re: tcp overlap


From: "Thomas H. Ptacek" <tqbf () pobox com>
Date: Wed, 15 Jan 2003 16:36:14 -0500

On 1/13/03 2:16 PM, "fr0ck9" <fr0ck9 () yahoo com> wrote:

I know Thomas Ptacek from Secure Networks documented
some findings that when an overlap occurs, the
following list of OSes respond accordingly.  Has anyone
else verified this or have any insight?

I believe you're referring to the OS-dependent behavior of fragmentation
reassembly that Tim Newsham and I pointed out in our paper, which you can
find at

    http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps

I haven't heard any claims about inaccuracies, although the study does date
back a few years. When we wrote the paper, virtually no IDS even attempted
fragmentation reassembly.

---
Thomas H. Ptacek
Arbor Networks, Inc.

