
RE: TCP small fragments



Hi Vern/ folks,

I have been looking at the documents being produced by the opsec group.
I could not find a comprehensive document which lists down security
mechanisms to deal with TCP related threats, in the IETF itself. Did I
miss out anything?

Would it be helpful to work on a document "TCP Operational Security
Current Practices", including mechanisms to deal with attacks like small
fragments, XMAS/NULL/FIN scans, sequence number attacks etc? We could
probably point to already existing RFCs where necessary. Any other
takers?

Thanks,
Vishwas
-----Original Message-----
From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On Behalf Of Vern
Paxson
Sent: Thursday, February 24, 2005 2:15 PM
To: pmrn
Cc: opsec@ops.ietf.org
Subject: Re: TCP small fragments

> But, the crud can be baselined and thresholded and alarmed when such
> crud exceeds a certain threshold. With Bro, isn't it possible to define
> such thresholds in the policy engine and the weird module? Of course,
> one has to gain prior knowledge of the network.

While Bro makes this sort of thresholding easy to express, its utility is
low, as Steve noted in his follow-on message.  Many attacks that are similar
to crud don't significantly increase the volume of the crud, they're just
one more instance among dozens of (benign) others.  So the threshold doesn't
help in detecting their presence.

> I have read your paper, as a matter of fact, I have read all your 
> papers and they are immensely helpful to me in understanding many 
> security issues.

Highly gratifying to hear, thanks!

		Vern
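The point Vern makes above, worked through as an added example that is not part of the original thread and is not Bro's own policy or weird-module code: a baseline-plus-threshold alarm computed over constructed hourly counts of "small fragment" weird events, where a single attacker-crafted fragment train lands in one hour as just one more instance among the benign crud and never crosses the threshold. The example goes one step beyond the text by contrasting this with a per-fragment check based on the tiny-fragment rule of RFC 1858 (an initial fragment that cannot hold the TCP flags field, or a fragment at offset 1), which flags the single instance on its own characteristics rather than on volume. All counts, fragment records, the `k = 3` sigma multiplier and the `tmin = 16` byte minimum are constructed or chosen here, not taken from the thread.

```python
"""Added example: not code from the mailing-list thread, Bro, or any project.

Shows why a volume threshold over "weird" events misses an attack that looks
like one more instance of benign crud, and contrasts it with a per-fragment
rule that flags the instance directly. All data below is constructed.
"""
from statistics import mean, pstdev

# Constructed training data: hourly counts of small-fragment weird events on a
# monitored link during a quiet week (benign crud from broken IP stacks).
BASELINE_COUNTS = [11, 14, 9, 13, 12, 10, 15, 12, 11, 13, 14, 10]

# Constructed observation window: the same benign crud, with exactly one
# crafted fragment train added during the third hour (the "+ 1").
OBSERVED_COUNTS = [12, 13, 11 + 1, 14, 10, 12]

# Constructed per-fragment records for that third hour, as
# (fragment_offset_in_8_byte_units, transport_payload_length_in_bytes).
# Eleven benign short trailing fragments at high offsets, plus one crafted
# initial fragment (offset 0) carrying only 8 bytes of TCP header.
THIRD_HOUR_FRAGMENTS = [
    (5, 8), (9, 16), (3, 8), (12, 24), (7, 8), (4, 16),
    (6, 8), (10, 8), (8, 24), (5, 16), (11, 8),
    (0, 8),  # crafted: too short to carry the TCP flags field
]

# Chosen value: minimum transport-header bytes an initial fragment must carry.
# The TCP flags byte sits at header offset 13, so 16 comfortably covers it.
TMIN = 16


def build_threshold(counts, k=3.0):
    """Baseline alarm level: mean plus k population standard deviations."""
    return mean(counts) + k * pstdev(counts)


def threshold_alarms(counts, threshold):
    """Indices of intervals whose count exceeds the alarm threshold."""
    return [i for i, c in enumerate(counts) if c > threshold]


def is_tiny_fragment(frag_offset, transport_len, tmin=TMIN):
    """RFC 1858 tiny-fragment rule (defender's filter/detection check):
    an initial fragment with too little transport header, or any fragment
    at offset 1 (built to overwrite the header fields of the first)."""
    return (frag_offset == 0 and transport_len < tmin) or frag_offset == 1


def flag_fragments(records, tmin=TMIN):
    """Return the fragment records the per-fragment rule flags."""
    return [r for r in records if is_tiny_fragment(r[0], r[1], tmin)]


def compare_detectors():
    """Run both approaches over the constructed data and summarise."""
    threshold = build_threshold(BASELINE_COUNTS)
    return {
        "threshold": round(threshold, 2),
        "volume_alarms": threshold_alarms(OBSERVED_COUNTS, threshold),
        "per_fragment_flags": flag_fragments(THIRD_HOUR_FRAGMENTS),
    }


if __name__ == "__main__":
    result = compare_detectors()
    print("alarm threshold (mean + 3 sigma):", result["threshold"])
    print("hours tripping the volume alarm:  ", result["volume_alarms"])
    print("fragments flagged individually:   ", result["per_fragment_flags"])
```

With these numbers the baseline mean is 12.0 and the threshold lands near 17.3, so the third hour's count of 12 is indistinguishable from any other hour and the volume alarm stays silent; the per-fragment rule flags only the crafted `(0, 8)` record. Tuning `k` lower would not help either: every hour in the window sits inside the benign spread, which is exactly the failure mode Vern describes.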