[Bro-Dev] ipv6 fragment reassembling
Gregor Maier
gregor at majordomus.org
Thu Feb 23 15:20:32 PST 2012
On 2/22/12 17:11 , Seth Hall wrote:
> Here is a great article about ipv6 fragment handling.
>
> http://blog.si6networks.com/2012/02/ipv6-nids-evasion-and-improvements-in.html
>
> The article concludes by pointing out that it looks like the IETF is converging on RFCs that forbid overlapping fragments, which should make fragment reassembly much clearer for us. Current operating systems are of course all over the map in terms of what they actually support of course. :)
I don't get what all this fuss is about. IPv4 has exactly the same issues.
Even with a "standard" way of handling overlaps the IDS has no way of
knowing if the monitored systems actually implement the standard
correctly. So you are still in the same position you were before. And if
it's not fragments then you can still have overlapping TCP segments,
TTL-tuning, hiding ports in subsequent fragments, etc., etc.
cu
Gregor
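
The ambiguity discussed in this thread, as an added example that is not part of the original message or of Bro's code: the same fragment set is reassembled under three overlap policies, and a monitor that cannot know which policy the end host implements flags the datagram when the results differ. The policy names, the `reassemble` and `ambiguous` helpers, and the sample fragments are assumptions made for illustration; real stacks show more variants than the two favour-old/favour-new policies modelled here.

```python
# Constructed sample: (offset, data) pairs in arrival order, not captured traffic.
FRAGMENTS = [
    (0, b"AAAAAAAA"),
    (8, b"BBBBBBBB"),
    (4, b"cccccccc"),  # overlaps bytes 4..11 with different content
]


def reassemble(fragments, policy):
    """Rebuild a payload from (offset, data) fragments.

    policy "first": bytes that arrived first win.
    policy "last":  later fragments overwrite earlier bytes.
    policy "drop":  any overlap discards the whole datagram.
    Returns (payload or None, offsets where overlapping data disagreed).
    """
    buf = {}            # byte position -> byte value
    conflicts = []
    overlapped = False
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos not in buf:
                buf[pos] = byte
                continue
            overlapped = True
            if buf[pos] != byte:
                conflicts.append(pos)
                if policy == "last":
                    buf[pos] = byte
    if policy == "drop" and overlapped:
        return None, conflicts
    size = max(buf) + 1 if buf else 0
    if len(buf) != size:            # a hole remains: datagram incomplete
        return None, conflicts
    return bytes(buf[p] for p in range(size)), conflicts


def ambiguous(fragments):
    """True when favour-old and favour-new hosts would see different data."""
    views = {reassemble(fragments, p)[0] for p in ("first", "last")}
    return len(views) > 1


if __name__ == "__main__":
    for policy in ("first", "last", "drop"):
        print(policy, reassemble(FRAGMENTS, policy))
    print("ambiguous:", ambiguous(FRAGMENTS))
```

Raising an event whenever `ambiguous` is true lets the monitor report the inconsistency itself rather than guess which reassembly the destination performed.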