
Re: TCP small fragments



On Thu, 24 Feb 2005 03:27:20 -0800, Vishwas Manral <Vishwas@sinett.com> wrote:
> Hi Vern/ folks,
> 
> I have been looking at the documents being produced by the opsec group.
> I could not find a comprehensive document which lists down security
> mechanisms to deal with TCP-related threats, in the IETF itself. Did I
> miss anything?

So most of the capabilities documents, esp. filtering/ratelimiting are about
*mechanisms* for doing exactly that.

> 
> Would it be helpful to work on a document "TCP Operational Security
> Current Practices", including mechanisms to deal with attacks like small
> fragments, XMAS/NULL/FIN scans, sequence number attacks etc? We could
> probably point to already existing RFC's where necessary. Any other
> takers?

Merike's draft is about *practices* (steps taken to enforce policy based on
perceived or actual threats, if you will).

The practices documents will contain some examples, but not exhaustive
as justification for the features....they will also cite the practices document.

Neither is aimed at being an exhaustive list.   

I suggest you poke around, come up with a list of things you think might
fit in such a draft, then compare notes with Merike....if there's substantial
overlap, just join forces with her....if not, then the question will be where
to go with it (new draft, whitepaper, etc.)

Thanks,
----George Jones



> 
> Thanks,
> Vishwas
> -----Original Message-----
> From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On Behalf Of Vern
> Paxson
> Sent: Thursday, February 24, 2005 2:15 PM
> To: pmrn
> Cc: opsec@ops.ietf.org
> Subject: Re: TCP small fragments
> 
> > But, the crud can be baselined and thresholded and alarmed when such
> > crud exceeds a certain threshold. With Bro, isn't it possible to define
> > such thresholds in the policy engine and the weird module? Of course,
> > one has to gain prior knowledge of the network.
> 
> While Bro makes this sort of thresholding easy to express, its utility is
> low, as Steve noted in his follow-on message.  Many attacks that are similar
> to crud don't significantly increase the volume of the crud, they're just
> one more instance among dozens of (benign) others.  So the threshold doesn't
> help in detecting their presence.
> 
> > I have read your paper, as a matter of fact, I have read all your
> > papers and they are immensely helpful to me in understanding many
> > security issues.
> 
> Highly gratifying to hear, thanks!
> 
>                 Vern
> 
>
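The point Vern makes above about volume thresholds, as an added illustration that is not part of the thread and is not Bro policy code: a mean-plus-k-standard-deviations threshold over a history of hourly "weird" counts is the kind of thing the policy engine lets you express, and the script below shows why it fires for a flood but not for an attack that adds a single event to dozens of benign ones. All counts, the scenario names and the k=3 choice are constructed for this example.

```python
"""
Why a volume threshold misses 'one more instance' attacks.

Models a baseline-and-threshold alarm over hourly counts of one weird
event type, then evaluates hypothetical hours against it. Everything here
is constructed; it is not Bro's own weird/threshold logic.
"""
import statistics
from typing import Dict, Sequence

# Constructed history: 24 hourly counts of one benign weird event type.
# Chosen so that the sample mean is exactly 40 and the sample stddev is
# exactly 2, which makes the resulting threshold easy to reason about.
BASELINE_HOURLY: Sequence[int] = [
    40, 42, 38, 41, 39, 43, 37,
    40, 42, 38, 41, 39, 43, 37,
    40, 42, 38, 41, 39, 43, 37,
    40, 42, 38,
]


def baseline_threshold(history: Sequence[int], k: float = 3.0) -> float:
    """Alarm threshold: mean + k sample standard deviations of the history."""
    if len(history) < 2:
        raise ValueError("need at least two history points to estimate a stddev")
    return statistics.mean(history) + k * statistics.stdev(history)


def exceeds_threshold(history: Sequence[int], observed: int, k: float = 3.0) -> bool:
    """True when an observed hourly count would raise an alarm."""
    return observed > baseline_threshold(history, k)


def evaluate_hours(history: Sequence[int], scenarios: Dict[str, int],
                   k: float = 3.0) -> Dict[str, bool]:
    """Map each scenario name to whether the alarm fires for that hour."""
    return {name: exceeds_threshold(history, count, k)
            for name, count in scenarios.items()}


# Hypothetical hours (constructed):
#  - quiet_hour:    a typical hour of benign crud only
#  - single_attack: the same hour plus ONE hostile packet logged under the
#                   same weird type, i.e. one more instance among dozens
#  - flood:         the same hour plus 30 hostile packets
SCENARIOS: Dict[str, int] = {
    "quiet_hour": 40,
    "single_attack": 40 + 1,
    "flood": 40 + 30,
}


if __name__ == "__main__":
    t = baseline_threshold(BASELINE_HOURLY)
    print(f"threshold = {t:.1f} events/hour (mean + 3 stddev)")
    for name, fired in evaluate_hours(BASELINE_HOURLY, SCENARIOS).items():
        print(f"{name:14s} count={SCENARIOS[name]:3d} alarm={fired}")
```

With this history the threshold works out to 46 events per hour, so the flood hour (70) alarms while the hour carrying a single hostile event (41) sits well inside the benign band; lowering k to catch it would also alarm on ordinary hours like the 43-count ones in the history, which is the trade-off Vern is describing.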