[unisog] UDP fragments anyone?
cmgreen at uab.edu
Wed Feb 21 15:17:48 GMT 2007
> -----Original Message-----
> On Wed, 21 Feb 2007 08:17:15 +1300, Russell Fulton said:
> > any tools worth their salt will reassemble packets *before*
> > the contents and will flag overlapping fragments.
> The fun starts when the tool and the destination system don't handle
> some "should not happen" corner cases the same way. Most notably,
> overlapping fragments -
I spent way more time than one should dealing with bugs surrounding that
intractable problem. The OpenBSD guys got it right a long time ago when
pf started scrubbing traffic. Ideally, you normalize all your border
fragmented traffic and set a minimum TTL that you'll accept across your
I think it's sad that IDS has been dealing with that problem for around a
decade. Evading at the application layer is so much easier and less
likely to set off big 'goofy traffic' alarm bells.
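
Added example, not part of the original message: a minimal sketch of why overlapping fragments are ambiguous, showing the same fragments reassembled under two policies plus a check that flags the overlap. The fragments are constructed sample data, the names (Frag, reassemble, overlaps) are hypothetical, and offsets are plain byte offsets rather than the 8-byte units of a real IP header.

```python
from typing import List, NamedTuple, Tuple

class Frag(NamedTuple):
    offset: int   # byte offset of this fragment's data within the datagram
    data: bytes

def reassemble(frags: List[Frag], policy: str) -> bytes:
    """Rebuild the payload in arrival order.
    policy "first": bytes already received are kept.
    policy "last":  later fragments overwrite earlier bytes."""
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(total)
    seen = [False] * total
    for f in frags:
        for i, b in enumerate(f.data, start=f.offset):
            if policy == "last" or not seen[i]:
                buf[i] = b
            seen[i] = True
    if not all(seen):
        raise ValueError("hole in datagram, cannot reassemble")
    return bytes(buf)

def overlaps(frags: List[Frag]) -> List[Tuple[int, int, bool]]:
    """Return (start, end, conflicting) for every overlapping byte range.
    conflicting is True when the two fragments disagree on those bytes."""
    found = []
    for i, a in enumerate(frags):
        for b in frags[i + 1:]:
            start = max(a.offset, b.offset)
            end = min(a.offset + len(a.data), b.offset + len(b.data))
            if start < end:
                a_part = a.data[start - a.offset:end - a.offset]
                b_part = b.data[start - b.offset:end - b.offset]
                found.append((start, end, a_part != b_part))
    return found

# Constructed sample: the second fragment re-sends bytes 8..15 with new content.
SAMPLE = [
    Frag(0, b"AAAAAAAABBBBBBBB"),
    Frag(8, b"XXXXXXXXCCCCCCCC"),
]

if __name__ == "__main__":
    print("first-wins:", reassemble(SAMPLE, "first"))
    print("last-wins: ", reassemble(SAMPLE, "last"))
    print("overlaps:  ", overlaps(SAMPLE))
```

A monitor that applies one policy while the destination applies the other sees a different payload than the host does, which is why the overlap itself is the thing to flag or normalize away.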