
Re: IDS: Fragmentation Question


Dug Song (dugsong@monkey.org)
Thu, 14 Oct 1999 09:50:01 -0400 (EDT)


FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

---
On Wed, 13 Oct 1999, Greg Shipley wrote:

> Okay, assuming that Dragon and NFR are the only two Network-based
> Intrusion Detection systems that do packet re-assembly

they're not. a few other products which had new versions released recently (perhaps not-so-coincidentally after fragrouter's release) now do some level of reassembly.

> 1. Deny all fragments into the network. I see this is a bad idea

you're right. :-)

additionally, IDSs that alert on "short" frags (< 128 bytes) need to be careful, because these are often just trailing last fragments (which also do not have to be a multiple of 8 bytes in length).

> 2. Have some perimeter device re-assemble fragmented packets BEFORE they
> get to the IDS.

this is the point of Vern Paxson's traffic normalizer, presented at the last RAID conference. his normalizer helps offload some of the work (checksum verification, etc.) from the IDS behind it, as well as actively rewriting some fields (e.g. TTL) to try to resolve ambiguity.

IP fragmentation is only one attack. there are also many TCP-based attacks (e.g. segment reordering, overlap, etc.) you have to account for by doing session reassembly, and even then you can be attacked (e.g. all kinds of desynchronization attacks, insertion attacks based on sequence numbers just outside the window, etc.).

-d.

---
http://www.monkey.org/~dugsong/
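The caveat above about "short" fragment alerts, worked through as an added example (not code from the post or from any of the products it mentions): an IPv4 fragment parser plus a classifier that exempts the final fragment (MF clear) from the short-fragment rule, since last fragments are legitimately small and need not be a multiple of 8 bytes, while still flagging a non-final fragment whose payload is not a multiple of 8, which RFC 791 does require. The 128-byte cutoff is the one quoted in the post; the packets are constructed inline, not captured traffic.

```python
import struct

SHORT_FRAG_THRESHOLD = 128  # the "short frag" cutoff quoted in the post, in payload bytes


def build_ipv4_fragment(ident, offset_units, more_fragments, payload_len):
    """Build a minimal IPv4 fragment (constructed sample, UDP proto, zero checksum)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, ident, flags_frag,
        64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    return header + b"\x00" * payload_len


def parse_fragment(packet):
    """Return (ident, offset_in_bytes, more_fragments, payload_len) of an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    more = bool(flags_frag & 0x2000)        # MF bit
    offset = (flags_frag & 0x1FFF) * 8      # fragment offset is in 8-byte units
    return ident, offset, more, total_len - ihl


def classify_fragment(packet):
    """Short-fragment check that does not misfire on trailing last fragments."""
    ident, offset, more, plen = parse_fragment(packet)
    if not more and offset == 0:
        return "unfragmented"
    if more and plen % 8 != 0:
        # every fragment except the last must carry a multiple of 8 payload bytes
        return "malformed non-final fragment"
    if more and plen < SHORT_FRAG_THRESHOLD:
        return "short non-final fragment"
    if not more:
        # a small or odd-sized payload is normal here: it is simply the tail
        return "final fragment"
    return "fragment"
```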



This archive was generated by hypermail 2.0b3 on Thu Oct 14 1999 - 19:04:10 CDT