Originally posted on http://pauldotcom.com/2009/08/tcp-frament-evasion-attacks.html
By: Mark Baggett

I recently read a very good article on tuning Snort's Stream5 preprocessor to avoid "TCP Fragment Overlap" attacks. It's a great article, but the wording confused me. I thought to myself, "TCP Fragments, that must be a mistake. The TCP header doesn't have a 'more fragments bit', a 'fragment offset' or anything to support fragmentation. How can there be any TCP fragments?"

Typically, when we talk about fragmentation attacks, we think about Layer 3 attacks. Attackers manipulate the IP packet headers to pull off various insertion and evasion attacks. Examples of Layer 3 attacks include overlapping fragment attacks and temporal evasion (host reassembly timeout evasion). These attacks are explained pretty well in an article titled "Evading NIDS, revisited".

So what is TCP or Layer 4 "fragmentation"? Really, it's ov
This is a collection of articles, tools, conference talks, interviews, etc. by Mark Baggett.