bro: defragmentation

Vern Paxson vern at
Thu Feb 7 23:46:59 PST 2002

> How long does Bro keep ip-fragments ?


This isn't great - clearly there should be a user-controllable timeout.
However, if you set the timeout too low, then you become vulnerable to an
evasion attack.  It's not clear what's a safe timeout value (some stacks
might use a fixed-size buffer, say, and ignore implementing a timer at
all).  A project I'm working on with a student (Umesh Shankar) may wind
up assessing this further.

If someone wants to add a user-controllable timeout, that would be great.


More information about the Bro mailing list