From: Jeff Nathan (jeffwwti.com)
Date: Tue Jul 17 2001 - 14:17:27 CDT
> Most of the testing methodologies will fragment all the traffic, including
> the normal traffic.
> I guess the IDS which is properly defragmenting all the traffic will
> definitely start dropping packets because of such a heavy load.
> That's why in my test the traffic was NOT fragmented, only the ATTACK was.
> I guess in most of the cases the normal traffic won't be highly
> fragmented. But I don't think the attacker is going to send the packets
> this way.
> By highly fragmenting the attack packets one will get a fair idea which IDS
> is not properly defragmenting [or may not even be detecting such packets].
> If you can evade the IDS by simply fragmenting, then there must be
> something wrong with the analysis engine.
> I have not taken the presentation by MJR, but I am highly impressed with NFR.
Before we start arguing what is and what isn't fragmented, it's
important to spend a minute and think about what sort of links are
between you and an end point. If there are ATM links between you and
an end point, you can expect fragmentation.
--
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein
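The point the thread circles around, that an IDS has to reassemble fragments before matching on payload and that holding reassembly state costs memory under load, as an added Python example that is not part of the original post or of any product mentioned in it. The Fragment fields, the sample pattern, the sample payload and the eviction policy are all constructed for this illustration; real IP reassembly has more rules (TTL timeouts, per-host overlap semantics) than shown here.

```python
"""
Added example: a minimal fragment reassembler with a signature check, showing
why per-fragment matching misses a pattern that straddles fragment boundaries
and why a bound on pending datagrams is needed under heavy fragment load.
Fragments are plain Python objects, not real IP packets (constructed data).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SIGNATURE = b"/bin/sh"   # constructed sample pattern, stands in for an IDS rule


@dataclass
class Fragment:
    frag_id: int      # identifies the datagram this piece belongs to (assumed field)
    offset: int       # byte offset of this piece within the datagram
    more: bool        # True unless this is the final piece
    payload: bytes


@dataclass
class PendingDatagram:
    pieces: Dict[int, bytes] = field(default_factory=dict)  # offset -> data
    total_len: Optional[int] = None   # known once the final fragment arrives


class Reassembler:
    """Collects fragments per datagram id and hands back the full payload."""

    def __init__(self, max_pending: int = 64):
        self.pending: Dict[int, PendingDatagram] = {}
        self.max_pending = max_pending   # bound on memory held for incomplete datagrams
        self.dropped = 0                 # datagrams evicted because of that bound

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Store one fragment; return the whole payload once the datagram is complete."""
        if frag.frag_id not in self.pending and len(self.pending) >= self.max_pending:
            # Evict the oldest incomplete datagram rather than grow without bound;
            # this is the "dropping under heavy load" the thread talks about.
            oldest = next(iter(self.pending))
            del self.pending[oldest]
            self.dropped += 1
        dg = self.pending.setdefault(frag.frag_id, PendingDatagram())
        dg.pieces.setdefault(frag.offset, frag.payload)   # first copy at an offset wins
        if not frag.more:
            dg.total_len = frag.offset + len(frag.payload)
        return self._try_complete(frag.frag_id)

    def _try_complete(self, frag_id: int) -> Optional[bytes]:
        dg = self.pending[frag_id]
        if dg.total_len is None:
            return None                      # final fragment not seen yet
        out = bytearray()
        for off in sorted(dg.pieces):
            data = dg.pieces[off]
            if off > len(out):
                return None                  # hole: a fragment is still missing
            out += data[len(out) - off:]     # trim overlap; earlier-offset data wins (policy choice)
        if len(out) < dg.total_len:
            return None
        del self.pending[frag_id]
        return bytes(out[:dg.total_len])


def match_per_fragment(frags: List[Fragment]) -> bool:
    """Naive engine: inspect each fragment on its own, no reassembly."""
    return any(SIGNATURE in f.payload for f in frags)


def match_reassembled(frags: List[Fragment], reasm: Optional[Reassembler] = None) -> bool:
    """Proper engine: reassemble first, then match on the complete payload."""
    reasm = reasm or Reassembler()
    for f in frags:
        full = reasm.add(f)
        if full is not None and SIGNATURE in full:
            return True
    return False


def split_into_fragments(frag_id: int, payload: bytes, size: int) -> List[Fragment]:
    """Constructed test helper: chop a payload into fixed-size fragments."""
    return [
        Fragment(frag_id, off, off + size < len(payload), payload[off:off + size])
        for off in range(0, len(payload), size)
    ]


# Constructed sample: 33 bytes, so 4-byte fragments can never hold the 7-byte pattern.
SAMPLE_PAYLOAD = b"hello world /bin/sh trailing data"
SAMPLE_FRAGS = split_into_fragments(frag_id=1, payload=SAMPLE_PAYLOAD, size=4)

if __name__ == "__main__":
    print("per-fragment match:", match_per_fragment(SAMPLE_FRAGS))
    print("reassembled match :", match_reassembled(SAMPLE_FRAGS))
    print("out-of-order match:", match_reassembled(list(reversed(SAMPLE_FRAGS))))
```

Running it shows the naive engine reporting no match on the fragmented sample while the reassembling engine matches both in-order and reversed delivery; the `max_pending` bound and `dropped` counter make visible the trade-off the thread raises, since an engine that keeps every partial datagram forever is the one that will fall over when everything on the wire is fragmented.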