
Re: TCP small fragments



> The point I was trying to make is that it is a malformed 
> packet and IMHO, all malformed packets are suspicious.

This is a nice theory, but unfortunately fails in practice.  See the section
"Crud Seen on a DMZ" in my paper on Bro ("Bro: A System for Detecting Network
Intruders in Real-Time", http://www.icir.org/vern/papers/bro-CN99.html),
where, among other sorts of weird-but-benign traffic, I mention:

	* IP fragments in which the initial fragment is very small and the
	  final fragment is large.  Such fragments can be used to attempt
	  to circumvent firewalls and monitors that do not do fragment
	  reassembly.

These had the TCP header split across two fragments.  They were sent by
Cray supercomputers, I believe - for no good reason, and apparently due to
problems with MTU determination in the presence of TCP options.  So, yes,
these reflect something broken, but the problem is that in a large-scale
operational environment there is a *lot* of such crud, so you generally
can't afford to alarm on it.

		Vern
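The pattern described above, as an added example that is not part of the original message and not Bro's code: a monitor that both runs a per-fragment "tiny initial fragment" check (in the spirit of RFC 1858) and reassembles fragments so it can still read the TCP header that was split across them. The packets, addresses and port numbers are constructed for the demonstration, not taken from any capture.

```python
import struct
from collections import defaultdict

IPPROTO_TCP = 6
TCP_MIN_HEADER = 20


def build_ipv4(src, dst, ident, proto, payload, offset=0, more_frags=False):
    """Build a minimal IPv4 packet (no options, checksum left zero).
    offset is in bytes and, as on the wire, must be a multiple of 8."""
    assert offset % 8 == 0
    flags_frag = (0x2000 if more_frags else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def parse_ipv4(pkt):
    """Pull out the fields reassembly and the tiny-fragment check need."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto), "proto": proto,
            "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}


def tiny_fragment_alert(frag):
    """Per-fragment check in the spirit of RFC 1858: the first fragment of a
    TCP datagram should carry the whole TCP header (options included), or a
    filter that inspects only fragment 0 cannot see ports and flags."""
    if frag["proto"] != IPPROTO_TCP or frag["offset"] != 0 or not frag["mf"]:
        return None
    n, need = len(frag["payload"]), TCP_MIN_HEADER
    if n >= TCP_MIN_HEADER:
        need = (frag["payload"][12] >> 4) * 4   # data offset covers options
    if n < need:
        return "initial fragment holds only %d of %d TCP header bytes" % (n, need)
    return None


class Reassembler:
    """Minimal IP reassembly keyed on (src, dst, id, proto): enough to hand
    the monitor a complete TCP header even when it was split across fragments."""

    def __init__(self):
        self.frags = defaultdict(dict)   # key -> {offset: payload}
        self.total = {}                  # key -> datagram length, once MF=0 seen

    def add(self, frag):
        key = frag["key"]
        self.frags[key][frag["offset"]] = frag["payload"]
        if not frag["mf"]:
            self.total[key] = frag["offset"] + len(frag["payload"])
        if key not in self.total:
            return None
        buf, covered = bytearray(self.total[key]), 0
        for off in sorted(self.frags[key]):
            data = self.frags[key][off]
            if off > covered:
                return None              # hole: a fragment is still missing
            buf[off:off + len(data)] = data
            covered = max(covered, off + len(data))
        if covered < self.total[key]:
            return None
        del self.frags[key], self.total[key]
        return bytes(buf)


def parse_tcp(segment):
    """Read ports, SYN flag and header length from a reassembled TCP segment."""
    sport, dport, _, _, doff_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "syn": bool(doff_flags & 0x02),
            "header_len": (doff_flags >> 12) * 4}


def analyze(packets):
    """Run the per-fragment check and reassembly over raw IPv4 packets.
    Returns (alerts, tcp_headers) for every TCP datagram that was rebuilt."""
    alerts, headers, reasm = [], [], Reassembler()
    for pkt in packets:
        frag = parse_ipv4(pkt)
        alert = tiny_fragment_alert(frag)
        if alert:
            alerts.append(alert)
        datagram = reasm.add(frag)
        if datagram is not None and frag["proto"] == IPPROTO_TCP:
            headers.append(parse_tcp(datagram))
    return alerts, headers


def sample_traffic():
    """Constructed packets, not a real capture: a SYN to port 80 sent whole;
    the same SYN with its 20-byte header split 8 + 12 across two fragments
    (the pattern in the message); and a SYN with 8 bytes of options whose
    first fragment stops 4 bytes short of the end of the header."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    syn = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x02, 65535, 0, 0)
    syn_opts = struct.pack("!HHIIHHHH", 40001, 80, 1, 0, (7 << 12) | 0x02,
                           65535, 0, 0) + b"\x02\x04\x05\xb4\x01\x01\x04\x02"

    def f(ident, data, off, mf):
        return build_ipv4(src, dst, ident, IPPROTO_TCP, data, off, mf)

    return [f(1, syn, 0, False),
            f(2, syn[:8], 0, True), f(2, syn[8:] + b"x" * 100, 8, False),
            f(3, syn_opts[:24], 0, True), f(3, syn_opts[24:], 24, False)]


if __name__ == "__main__":
    for line in analyze(sample_traffic())[0]:
        print("ALERT:", line)
```

The per-fragment check is the one that fires on the 8-byte initial fragments the message describes, whether they come from an evasion attempt or from a broken MTU path; reassembly is what lets the monitor read the ports and SYN flag regardless, which is why the alert can be demoted to a low-priority log entry rather than an alarm.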