[unisog] UDP fragments anyone?

Chris Green cmgreen at uab.edu
Wed Feb 21 15:17:48 GMT 2007


> -----Original Message-----
> On Wed, 21 Feb 2007 08:17:15 +1300, Russell Fulton said:
> 
> > any tools worth their salt will reassemble packets *before*
> > examining the contents and will flag overlapping fragments.
> 
> The fun starts when the tool and the destination system don't handle
> some "should not happen" corner cases the same way. Most notably,
> overlapping fragments - 

I spent way more time than one should dealing with bugs surrounding that
intractable problem.  The OpenBSD guys got it right a long time ago when
pf started scrubbing traffic. Ideally, you normalize all your border
fragmented traffic and set a minimum TTL that you'll accept across your
border.

I think it's sad that IDS has been dealing with that problem for around a
decade.  Evading at the application layer is so much easier and less
likely to set off big 'goofy traffic' alarm bells.
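An added illustration of the point made in the quoted message and this reply, not code from the thread: a toy reassembler in Python that flags overlapping fragments whose bytes disagree, and shows that a tool that keeps the first copy of an overlapped byte and a destination host that keeps the last copy end up inspecting different payloads. Fragments are modelled as (byte offset, data) pairs and the sample fragments are constructed; a real stack would also enforce the 8-byte offset units and timeouts of IP.

```python
# Minimal fragment reassembly with overlap detection (added example).
# Fragments are (byte offset, data); byte offsets keep the toy readable.
from typing import Iterable, List, Tuple

Fragment = Tuple[int, bytes]


def find_overlaps(frags: Iterable[Fragment]) -> List[Tuple[int, int]]:
    """Return (start, end) byte ranges where two fragments carry different
    bytes for the same offset. Overlaps with identical bytes (plain
    retransmissions) are benign and are not reported."""
    first_seen = {}          # offset -> byte value from the first fragment
    conflicts = set()
    for off, data in frags:
        for i, b in enumerate(data):
            pos = off + i
            if pos in first_seen and first_seen[pos] != b:
                conflicts.add(pos)
            first_seen.setdefault(pos, b)
    ranges: List[Tuple[int, int]] = []   # collapse positions into ranges
    for pos in sorted(conflicts):
        if ranges and ranges[-1][1] == pos:
            ranges[-1] = (ranges[-1][0], pos + 1)
        else:
            ranges.append((pos, pos + 1))
    return ranges


def reassemble(frags: Iterable[Fragment], policy: str = "first") -> bytes:
    """Reassemble under one overlap policy: 'first' keeps the bytes that
    arrived first, 'last' lets later fragments overwrite. A gap in
    coverage raises, as a real stack would time the datagram out."""
    buf = {}
    for off, data in frags:
        for i, b in enumerate(data):
            pos = off + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
    if buf and sorted(buf) != list(range(max(buf) + 1)):
        raise ValueError("incomplete datagram")
    return bytes(buf[i] for i in range(len(buf)))


# Constructed sample: the second fragment overlaps bytes 4..7 of the first
# with different content, so the two policies yield two payloads.
SAMPLE = [(0, b"ABCDEFGH"), (4, b"wxyz"), (8, b"IJKL")]
```

A normalizer such as pf's scrub sits in front of this ambiguity by reassembling once, at the border, so the host and the IDS both see a single unambiguous datagram.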
