bro: defragmentation
Ashley Thomas
athomas at unity.ncsu.edu
Sat Apr 13 16:05:26 PDT 2002
If we have a user-controllable timeout, will that be a timeout
for the whole datagram to reassemlbed
(ie within that 'N' secs all the fragments should be reassemled)
OR
will the timer be started again if we get another fragment within that
'N' secs.
-ashley
On Thu, 7 Feb 2002, Vern Paxson wrote:
> > How long does Bro keep ip-fragments ?
>
> Forever.
>
> This isn't great - clearly there should be a user-controllable timeout.
> However, if you set the timeout too low, then you become vulnerable to an
> evasion attack. It's not clear what's a safe timeout value (some stacks
> might use a fixed-size buffer, say, and ignore implementing a timer at
> all). A project I'm working on with a student (Umesh Shankar) may wind
> up assessing this further.
>
> If someone wants to add a user-controllable timeout, that would be great.
>
> Vern
>
More information about the Bro
mailing list