On Mon, 2003-12-22 at 09:36, Robert E. Seastrom wrote:
You mean like everyone who's still running TCP/IP over AX.25 in the ham radio community?
I actually thought of this, but only as an end-point which would not generate fragmented packets. I didn't consider that people could be using Linux or whatever to hide an Ethernet network behind the link, which of course would fragment the stream. Looks like I need to drop my threshold to < 500. This is exactly what I needed, thanks!
What are you trying to accomplish by killing off the fragments?
My experience has been that attackers still like to use fragmentation as a method of covering their tracks. No, they do not do it all the time, but I've noticed that a lot of the time when I've been able to catch 0-day stuff it's fragmented in order to help stealth it. So what I'm looking for is a definable limit to be able to say "a non-last fragment below this size is very likely to be hostile and should be handled accordingly". Running with less than 500 bytes is still cool, as the stuff I've found is always less than 100 bytes. I'm just looking to add as much "slop" as possible to catch what I have not thought of without triggering false positives. So unless someone knows of a case below 500 bytes, I think I'm all set. Thanks for the great feedback. C
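The rule discussed in the thread ("a non-last fragment below this size is very likely hostile"), written out as an added Python example that is not part of the original mail; the function names, the 500-byte cutoff taken from the reply above, and the sample packets are assumptions and constructed for illustration.

```python
import struct

# Threshold from the thread: a non-last fragment carrying fewer payload
# bytes than this is flagged. Set to 500 so that hosts behind a low-MTU
# link (the AX.25 case raised above) are not reported.
SUSPICIOUS_FRAGMENT_THRESHOLD = 500

def parse_ipv4(packet: bytes) -> dict:
    """Return the IPv4 fields the fragment check needs from a raw packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    return {
        "ident": ident,
        "more_fragments": bool(flags_frag & 0x2000),  # MF flag
        "frag_offset": (flags_frag & 0x1FFF) * 8,      # offset is in 8-byte units
        "payload_len": total_len - ihl,
    }

def is_suspicious_fragment(packet: bytes,
                           threshold: int = SUSPICIOUS_FRAGMENT_THRESHOLD) -> bool:
    """True for a non-last fragment whose payload is below the threshold.

    Only fragments with MF set are judged: the last fragment of a datagram is
    legitimately short, and an unfragmented datagram has MF clear as well.
    """
    hdr = parse_ipv4(packet)
    return hdr["more_fragments"] and hdr["payload_len"] < threshold

def build_ipv4(payload_len: int, more_fragments: bool, frag_offset: int,
               ident: int = 0x1234) -> bytes:
    """Construct a minimal IPv4 packet (checksum left zero) for testing."""
    assert frag_offset % 8 == 0
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                         flags_frag, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + b"\x00" * payload_len

if __name__ == "__main__":
    # Constructed samples: a 64-byte first fragment (flagged), a full-size
    # 1480-byte fragment and a short final fragment (both passed).
    for desc, pkt in [("tiny first fragment", build_ipv4(64, True, 0)),
                      ("1480-byte fragment", build_ipv4(1480, True, 0)),
                      ("short last fragment", build_ipv4(40, False, 1480))]:
        print(f"{desc}: suspicious={is_suspicious_fragment(pkt)}")
```

A short final fragment passes because the check keys on the MF flag, not on size alone; lowering the threshold only changes which non-last fragments are reported.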