OSEC

From: vernee.lbl.gov
Date: Fri Nov 30 2001 - 02:26:59 CST

    > Are overlapping packets witnessed in the wild ?

    Yes. See section 7.3, "Crud seen on a DMZ", of:

            http://www.aciri.org/vern/papers/bro-CN99.html

    > Is it quite unusual ?

    I'd say on average, at LBL we see a few each day, though that's out of a
    large traffic stream.

    > Are there somewhat special protocols making use of overlapping
    > data at ip or tcp level ?

    There shouldn't be any that "make use" of it to try to achieve some effect.
    A worry, though, is whether legitimate apps might inadvertently generate
    these, and then you'll terminate their connections unnecessarily. From
    my experience, yes, legitimate apps do these sorts of things sometimes,
    but they're quite rare.

    > <2> mitigate IDS desynchronization and more generally issues with content
    > filters

    In this context, you might want to check out

            http://www.aciri.org/vern/papers/norm-usenix-sec-01-html/index.html

    - Vern