On Sun, Jun 18, 2000 at 02:50:45PM +0200, Mikael Olsson wrote:
> turnere wrote:
> > 
> > Buffering of out-of-order
> > segments and proper handling of overlapping TCP segments is also required
> > if a NIDS is to operate in a reliable fashion.  SecureNet PRO does all of
> > this.
> 
> Just to be really picky and paranoid:
> 
> When two TCP segments overlap, how do you know how the receiving host
> will handle them? Will it keep the data in the first segment, or will
> that data be overwritten by the second segment?
> The answer is of course: you can't know.
> 
> So how do you handle that situation?

Simple: discard both packets. As IP fragment overlapping is in violation
of the protocol specification, both fragments must be considered corrupt
(since it would be nearly impossible to find out which packet is broken
if not both are). See RFC-791 and 793.

A sufficiently secure IP stack on the receiving host should discard
these fragments anyway, so why bother to let them through?

Overlapping fragments are an indication of either a fragmentation attack
or of misconfigured/faulty hosts or gateways.

Anyway, logging and dropping of this is always a good idea.

regards,

juergen

-- 
Juergen P. Meier                        email: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
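As an added illustration of the "discard both" policy argued in the reply above (example code written for this page, not from the thread or from any product mentioned in it), here is a small fragment tracker that marks a datagram corrupt on the first overlapping byte range instead of guessing which fragment the receiving host would honour. The names Fragment, Datagram and add_fragment are my own, and the fragments fed to it are constructed.

```python
"""Overlap-rejecting IP fragment tracker (added example, not from the thread).

Policy: any overlap between fragments of one datagram marks the whole
datagram corrupt; it is reported for logging and dropped rather than
reassembled with a guessed precedence. Offsets are in 8-octet units as
in RFC 791. Exact duplicate fragments also count as overlap under this
strict policy (a deliberate simplification).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Fragment:
    offset: int   # fragment offset field, in 8-octet units
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: True unless this is the last fragment


@dataclass
class Datagram:
    frags: List[Tuple[int, int]] = field(default_factory=list)  # (start, end) byte ranges
    corrupt: bool = False
    total: Optional[int] = None  # datagram length, known once the last fragment arrives


def covered(dg: Datagram) -> int:
    """Bytes contiguously covered from offset 0 (fragments are non-overlapping by construction)."""
    pos = 0
    for s, e in sorted(dg.frags):
        if s > pos:   # gap: reassembly cannot proceed past here yet
            break
        pos = max(pos, e)
    return pos


def add_fragment(dg: Datagram, f: Fragment) -> str:
    """Record one fragment; returns 'ok', 'complete', or 'overlap' (log and drop the datagram)."""
    start = f.offset * 8
    end = start + f.length
    if dg.corrupt:               # once poisoned, every later fragment is dropped too
        return "overlap"
    for s, e in dg.frags:        # any shared byte with an earlier fragment is an overlap
        if start < e and s < end:
            dg.corrupt = True
            return "overlap"
    dg.frags.append((start, end))
    if not f.more:
        dg.total = end
    if dg.total is not None and covered(dg) == dg.total:
        return "complete"
    return "ok"
```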
