Intrusion Detection Systems mailing list archives
RE: RE: sequence No.
From: "Bill Royds" <broyds () home com>
Date: Thu, 10 May 2001 21:22:52 -0400
Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------

The situation should be that bad routers will also mangle the checksum (despite its feeble uniqueness), so mangled packets would be rejected anyway. You would only be building the state for packets with valid information in headers and valid checksums. Any packets from a broken router should be rejected out of hand anyway, without worrying about whether they are fragments or not. Of course this depends on checksums being a good parity check, which they really aren't, but it is all we have for IPv4.

-----Original Message-----
From: Jeff Nathan [mailto:jeff () wwti com]
Sent: Thursday, May 10, 2001 16:26
To: Bill Royds
Cc: Martin Roesch; Greg Shipley; ids () uow edu au
Subject: Re: IDS: RE: sequence No.

I've been thinking this over and I'm wondering if some of this isn't jumping the gun. Yesterday during a discussion, someone mentioned to me the one thing we have been overlooking. That being, bad hardware can affect all of this! A broken router between any two end points could corrupt any portion of the raw byte stream it's looking at. At a real nitty-gritty level it doesn't really know about IP, etc. It might mangle a random byte or even a few bytes such that an overlap could occur. Also, to a degree, it bothers me that a border device would be designed to violate the RFC standard for handling new fragments w/ overlap.
I understand what you're getting at, and in the case of a gateway device that does the work of a firewall but through IDS mechanisms, it would of course make decisions on what traffic got through and what didn't get through. I think that ideally, a gateway device that had both firewall and IDS functionality would defragment everything properly at the gateway, etc. A simple border device might handle overlaps but what about overlaps w/ options? :P -Jeff
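The checksum gate Bill describes, as an added Python example that is not part of the original thread: an RFC 1071 Internet checksum over a constructed IPv4 fragment header, a check that refuses to create reassembly state when the header checksum fails, and the caveat he raises about the checksum being a weak parity check (swapping two 16-bit words, as a faulty device might, leaves it valid while turning the fragment offset into garbage). Addresses, identifiers and function names are constructed for this example.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's-complement
    sum of all 16-bit words (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: bytes, dst: bytes, ident: int, more_frags: bool,
                      frag_offset: int, total_len: int = 1500) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum.
    frag_offset is in 8-byte units as on the wire. Constructed sample data."""
    flags_frag = ((1 if more_frags else 0) << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      64, 17, 0, src, dst)  # checksum field zero while summing
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]

def header_checksum_valid(hdr: bytes) -> bool:
    """With the checksum field filled in, a correct header sums to zero."""
    return internet_checksum(hdr) == 0

def fragment_key(hdr: bytes):
    """Gate before any reassembly state is created: return
    (ident, byte offset, more-fragments) only for a sane IPv4 header with a
    valid checksum; None means drop it without looking at fragment fields."""
    if len(hdr) < 20 or hdr[0] >> 4 != 4 or (hdr[0] & 0x0F) < 5:
        return None
    if not header_checksum_valid(hdr):
        return None
    ident, flags_frag = struct.unpack("!HH", hdr[4:8])
    return ident, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000)

# Constructed sample: first fragment (offset 0, MF set) of datagram 0x1234.
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
GOOD = build_ipv4_header(SRC, DST, ident=0x1234, more_frags=True, frag_offset=0)

def single_bit_corruption():
    """One flipped bit in the fragment-offset word: checksum fails, rejected."""
    bad = bytearray(GOOD)
    bad[7] ^= 0x01
    return fragment_key(bytes(bad))

def word_swap_corruption():
    """Swapping two 16-bit words keeps the one's-complement sum identical, so
    the checksum still verifies although the offset field is now garbage."""
    return fragment_key(GOOD[:4] + GOOD[6:8] + GOOD[4:6] + GOOD[8:])
```

The second corruption case is exactly why checksum validation filters the random-byte damage Jeff describes but cannot catch every reordering a broken device might produce.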
Current thread:
- Re: RE: sequence No. Jeff Nathan (May 10)
- transport scrubbing Dug Song (May 11)
- <Possible follow-ups>
- Re: RE: sequence No. Jeff Nathan (May 10)
- RE: RE: sequence No. Bill Royds (May 11)
