Intrusion Detection Systems mailing list archives
Re: Mod FWD
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 06 Sep 2000 10:22:35 -0400
Jackie Chan wrote:
> Not to argue with Marcus, but his quote of the fragmented attack going "unseen" is not totally correct. It is true that without packet reassembly one cannot correctly identify the type of attack that is taking place, however most IDSs that do not execute packet re-assembly DO alert on the fact that it saw fragmented packets, and from which source IP they originated.
I stand by my original statement. ;)

If an IDS can't tell the difference between an attack and "normal" traffic, then I think it's safe to say that the attack was "unseen." While it's not entirely normal for packets to get fragmented oddly, it's certainly possible that packets will get re-ordered (as a result of lossage through a congested router, followed by retransmits). So the IDS would be generating alarms that indicated unknown and unspecified attacks in legitimate traffic. That'd suck really badly.

Worse, a prankster could use something like fragrouter to cause the IDS to alert unspecified attacks against normal traffic, and the only way the IDS admin would be able to tell what was real and what was not would be to manually reassemble the packets and see. That'd suck really really badly.

If an IDS can't do reassembly, it's better off not doing anything at all.

By the way, are there still IDS out there that don't do TCP reassembly and defragmentation? It's the 21st century, now, surely we've gotten past the basics! ;)

mjr.
-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work: http://www.nfr.net
Personal: http://www.ranum.com
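As an added illustration of the point argued above (example code, not from the thread or from NFR), here is a small Python sketch of both kinds of sensor run over constructed traffic: a sensor that only notes "fragments seen" reports a reordered legitimate request and a pattern split across fragments identically, while a reassembling sensor rebuilds each datagram first and inspects the whole payload. The Fragment type, the SIGNATURE constant and the sample addresses are all constructed for the example.

```python
from dataclasses import dataclass

SIGNATURE = b"EVIL"  # constructed stand-in for a content signature, not a real rule

@dataclass
class Fragment:
    src: str       # source IP of the datagram
    ident: int     # IP identification field shared by all fragments of one datagram
    offset: int    # byte offset of this piece within the original datagram
    more: bool     # IP "more fragments" flag (clear on the final piece)
    payload: bytes

def naive_alerts(frags):
    """Sensor without reassembly: all it can report is that fragments were seen."""
    return sorted({(f.src, "fragmented traffic seen") for f in frags if f.offset or f.more})

def reassemble(frags):
    """Rebuild each (src, ident) datagram; a hole or a missing final piece yields None."""
    groups = {}
    for f in frags:
        groups.setdefault((f.src, f.ident), []).append(f)
    out = {}
    for key, pieces in groups.items():
        pieces.sort(key=lambda f: f.offset)       # tolerate out-of-order arrival
        data, expected, complete = b"", 0, False
        for p in pieces:
            if p.offset != expected or complete:  # gap, or data after the last piece
                data = None
                break
            data += p.payload
            expected += len(p.payload)
            complete = not p.more
        out[key] = data if complete else None
    return out

def reassembling_alerts(frags):
    """Sensor with reassembly: alerts only when the rebuilt payload matches."""
    return sorted((src, "signature match") for (src, _), data in reassemble(frags).items()
                  if data is not None and SIGNATURE in data)

# Constructed sample traffic: a legitimate request whose two fragments arrive
# reordered, and a payload carrying the constructed signature across a boundary.
LEGIT = [
    Fragment("10.0.0.5", 1, 8, False, b"ex.html"),   # second half arrives first
    Fragment("10.0.0.5", 1, 0, True, b"GET /ind"),
]
SPLIT_ATTACK = [
    Fragment("10.0.0.9", 2, 0, True, b"GET /EV"),
    Fragment("10.0.0.9", 2, 7, False, b"IL.cgi"),
]
```

Run on LEGIT + SPLIT_ATTACK, naive_alerts names both sources with the same unspecified alert, whereas reassembling_alerts names only 10.0.0.9.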
