
Re: TCP small fragments



But the crud can be baselined, thresholded and alarmed on when it exceeds a certain threshold. With Bro, isn't it possible to define such thresholds in the policy engine and the weird module? Of course, one has to gain prior knowledge of the network.

I have read your paper; as a matter of fact, I have read all your papers, and they are immensely helpful to me in understanding many security issues.


On Feb 22, 2005, at 3:21 AM, Vern Paxson wrote:

The point I was trying to make is that it is a malformed
packet and IMHO, all malformed packets are suspicious.

This is a nice theory, but unfortunately fails in practice. See the section
"Crud Seen on a DMZ" in my paper on Bro ("Bro: A System for Detecting Network
Intruders in Real-Time", http://www.icir.org/vern/papers/bro-CN99.html),
where, among other sorts of weird-but-benign traffic, I mention:

* IP fragments in which the initial fragment is very small and the
final fragment is large. Such fragments can be used to attempt
to circumvent firewalls and monitors that do not do fragment
reassembly.

These had the TCP header split across two fragments. They were sent by
Cray supercomputers, I believe - for no good reason, and apparently due to
problems with MTU determination in the presence of TCP options. So, yes,
these reflect something broken, but the problem is that in a large-scale
operational environment there is a *lot* of such crud, so you generally
can't afford to alarm on it.

Vern

Pall Ramanathan
Work: 678-9359670
Mobile: 678-576-7105

www.amalannetworks.com


Learn like you will live forever and live like you will die tomorrow. - Gandhi
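An added example, not from either message or from Bro itself, of the baseline-and-threshold approach suggested above for the tiny-fragment crud: it flags a TCP datagram whose initial fragment is too small to hold a full TCP header, then alarms on a source only when such fragments exceed a per-window threshold. The packet builder, addresses, threshold and window are constructed for the demo and are assumptions, not values from the thread.

```python
"""Thresholded alarming on tiny initial IP fragments (TCP header split across fragments)."""
import struct
from collections import defaultdict, deque

MIN_TCP_HEADER = 20  # bytes needed for a complete base TCP header (no options)


def parse_ipv4(pkt: bytes):
    """Return (src, proto, frag_offset_bytes, more_fragments, payload_len) from an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", pkt[2:8])
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    more = bool(frag & 0x2000)          # MF flag
    offset = (frag & 0x1FFF) * 8        # fragment offset is in 8-byte units
    return src, proto, offset, more, total_len - ihl


def is_tiny_initial_fragment(pkt: bytes) -> bool:
    """True when the first fragment of a TCP datagram cannot carry the whole TCP header.

    This is the "weird" case from the thread: benign MTU bugs and deliberate
    firewall evasion look identical at this layer, so the result is a counter
    input, not an alarm by itself.
    """
    _src, proto, offset, more, payload_len = parse_ipv4(pkt)
    return proto == 6 and offset == 0 and more and payload_len < MIN_TCP_HEADER


class TinyFragmentMonitor:
    """Count tiny initial fragments per source over a sliding window; alarm above a threshold."""

    def __init__(self, threshold: int, window: float):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)  # src -> timestamps of tiny initial fragments

    def observe(self, ts: float, pkt: bytes) -> bool:
        """Feed one packet; return True only when this source is now over threshold."""
        if not is_tiny_initial_fragment(pkt):
            return False
        q = self.events[parse_ipv4(pkt)[0]]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events outside the window
            q.popleft()
        return len(q) > self.threshold


def make_ipv4(src: str, payload_len: int, offset: int, more: bool, proto: int = 6) -> bytes:
    """Constructed sample IPv4 packet for the demo (zero checksum, zero-filled payload)."""
    frag = (0x2000 if more else 0) | (offset // 8)
    src_b = bytes(int(x) for x in src.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, frag, 64, proto, 0, src_b, b"\x0a\x00\x00\x01")
    return hdr + b"\x00" * payload_len
```

With a baseline from the local network, the threshold and window would be set so that the known Cray-style sources stay below it while a burst from an unknown source still alarms.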