[Bro] Overlaps Question
Vern Paxson
vern at icir.org
Thu Aug 21 20:12:22 PDT 2008
> I have a question on overlaps - TCP segment overlaps and IP fragments
> overlap - how common they are
> and how legitimate?
TCP segment overlaps are, surprisingly, quite common. We discuss this
in a recent paper of ours:

    Efficient and Robust TCP Stream Normalization
    M. Vutukuru, H. Balakrishnan and V. Paxson
    Proc. IEEE Symposium on Security and Privacy, May 2008
    http://www.icir.org/vern/papers/tcpnorm-oak08.pdf

Fragment overlaps definitely occur too, though the ones I've tracked down
(not many) have been due to holding fragments for a long time and the IP
ID counter rolling over (producing a new set of fragments with the same ID).
I don't know how often they occur within the fragment reassembly time window.

Vern
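
The fragment-overlap cause described in the reply above (fragments held for a long time, then the IP ID counter wrapping), as an added example that is not part of the original post and is not Bro code: a small overlap detector keyed on (src, dst, proto, IP ID) that reports how old the overlapped fragment was and whether the overlapping bytes agree. The 30-second window, the function and field names, and the sample fragments are assumptions constructed for illustration.

```python
from collections import defaultdict

REASSEMBLY_WINDOW = 30.0  # assumed reassembly window in seconds; real stacks differ


def find_overlaps(fragments, window=REASSEMBLY_WINDOW):
    """Report overlapping IPv4 fragments and classify each overlap.

    fragments: iterable of (ts, src, dst, proto, ip_id, offset, payload) in
    capture order, offset in bytes. Fragments are never expired here, which
    models a holder that keeps incomplete datagrams for a long time.
    """
    held = defaultdict(list)  # (src, dst, proto, ip_id) -> [(ts, start, payload)]
    findings = []
    for ts, src, dst, proto, ip_id, offset, payload in fragments:
        key = (src, dst, proto, ip_id)
        end = offset + len(payload)
        for old_ts, old_start, old_payload in held[key]:
            lo = max(offset, old_start)
            hi = min(end, old_start + len(old_payload))
            if lo >= hi:
                continue  # no bytes in common with this held fragment
            age = ts - old_ts
            findings.append({
                "key": key,
                "range": (lo, hi),
                "age": age,
                # Do both copies carry the same bytes where they overlap?
                "consistent": payload[lo - offset:hi - offset]
                == old_payload[lo - old_start:hi - old_start],
                # Heuristic (assumption): an overlap with a fragment older than
                # the window suggests a stale fragment plus a reused IP ID.
                "kind": "stale-id-reuse" if age > window else "within-window",
            })
        held[key].append((ts, offset, payload))
    return findings


# Constructed sample: an old datagram's fragment is never completed, the 16-bit
# IP ID later wraps and a new datagram reuses ID 0x1234, and then one fragment
# of the new datagram arrives twice inside the window.
SAMPLE = [
    (0.0,   "10.0.0.1", "10.0.0.2", 17, 0x1234, 0, b"A" * 16),
    (900.0, "10.0.0.1", "10.0.0.2", 17, 0x1234, 8, b"B" * 16),
    (900.5, "10.0.0.1", "10.0.0.2", 17, 0x1234, 8, b"B" * 16),
]

if __name__ == "__main__":
    for finding in find_overlaps(SAMPLE):
        print(finding)
```

Logging the age and the consistency flag together lets an analyst separate old fragments colliding with a reused ID from overlaps that fall inside the reassembly window, which is the case the reply says it has no numbers for.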