
Re: TCP small fragments



In the survey document on current operational security practices there is a section entitled 'Denial of service Tracking and Tracing' which is not yet written, but the intent was to include mechanisms which are used to deal with DoS attacks. It is my intent to include some specific protocol-related information (that is known and commonly a problem). I have no issue with another paper being written which may be more detailed, but some information will be included in what I'm writing.

- merike

On Feb 24, 2005, at 3:27 AM, Vishwas Manral wrote:

Hi Vern/ folks,

I have been looking at the documents being produced by the opsec group.
I could not find a comprehensive document which lists down security
mechanisms to deal with TCP related threats, in the IETF itself. Did I
miss out anything?

Would it be helpful to work on a document "TCP Operational Security
Current Practices", including mechanisms to deal with attacks like small
fragments, XMAS/NULL/FIN scans, sequence number attacks etc? We could
probably point to already existing RFCs where necessary. Any other
takers?


Thanks,
Vishwas
-----Original Message-----
From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On Behalf Of Vern
Paxson
Sent: Thursday, February 24, 2005 2:15 PM
To: pmrn
Cc: opsec@ops.ietf.org
Subject: Re: TCP small fragments


But, the crud can be baselined and thresholded and alarmed when such
crud exceeds a certain threshold. With Bro, isn't it possible to define
such thresholds in the policy engine and the weird module? Of course,
one has to gain prior knowledge of the network.

While Bro makes this sort of thresholding easy to express, its utility is low, as Steve noted in his follow-on message. Many attacks that are similar to crud don't significantly increase the volume of the crud, they're just one more instance among dozens of (benign) others. So the threshold doesn't help in detecting their presence.

I have read your paper, as a matter of fact, I have read all your
papers and they are immensely helpful to me in understanding many
security issues.

Highly gratifying to hear, thanks!

		Vern
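The baseline-and-threshold approach discussed in the exchange above, worked through as an added example (this is not code from the thread, from Bro, or from any IETF document). It learns a mean and standard deviation over constructed hourly counts of "weird" events, alarms when an hour exceeds mean + 3 sigma, and then runs two constructed observation windows through it: one where a single attack packet that looks like crud is buried in an otherwise normal hour, and one where the same hour is flooded. The record format, the event names and every count are made up for the illustration.

```python
"""
Added example: why a volume threshold over IDS "weird" events catches
floods but not a lone attack packet hiding among routine crud.
All data below is constructed; the (hour, event_name) record layout is
a made-up minimal format, not the log layout of any real IDS.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed training data: hourly counts of benign weird events
# observed on a quiet network for twelve hours.
BASELINE_HOURLY_COUNTS = [11, 9, 14, 12, 10, 13, 8, 12, 11, 15, 9, 10]

# Constructed benign load for an eight-hour observation window.
BENIGN_WINDOW = [10, 12, 11, 12, 9, 12, 11, 10]

# The attack events are deliberately given the same (constructed) event
# name as the benign ones: on the wire they are "just more crud".
CRUD_EVENT = "weird_event"


def learn_threshold(counts, k=3.0):
    """Baseline the crud: return (mean, mean + k * population stddev)."""
    mu = mean(counts)
    sigma = pstdev(counts)
    return mu, mu + k * sigma


def make_records(per_hour, event_name=CRUD_EVENT):
    """Expand a per-hour count list into (hour, event_name) records."""
    return [(h, event_name) for h, n in enumerate(per_hour) for _ in range(n)]


def hourly_counts(records):
    """Aggregate records into a list of counts indexed by hour."""
    counts = Counter(hour for hour, _ in records)
    return [counts[h] for h in range(max(counts) + 1)]


def alarms(records, threshold):
    """Return the hours whose weird-event count exceeds the threshold."""
    return [h for h, c in enumerate(hourly_counts(records)) if c > threshold]


def quiet_attack_detected(attack_hour=3):
    """One attack packet added to a normal hour: does the alarm fire?"""
    _, thr = learn_threshold(BASELINE_HOURLY_COUNTS)
    records = make_records(BENIGN_WINDOW) + [(attack_hour, CRUD_EVENT)]
    return attack_hour in alarms(records, thr)


def flood_detected(attack_hour=7, attack_events=30):
    """Thirty attack packets in one hour: does the alarm fire?"""
    _, thr = learn_threshold(BASELINE_HOURLY_COUNTS)
    records = make_records(BENIGN_WINDOW)
    records += [(attack_hour, CRUD_EVENT)] * attack_events
    return attack_hour in alarms(records, thr)


if __name__ == "__main__":
    mu, thr = learn_threshold(BASELINE_HOURLY_COUNTS)
    print(f"baseline mean={mu:.2f} threshold={thr:.2f}")
    print("single attack packet alarmed:", quiet_attack_detected())
    print("flood alarmed:", flood_detected())
```

With the constructed baseline the threshold comes out a little above 17 events per hour; the hour carrying one extra attack packet sits at 13 and never trips it, while the flooded hour at 40 does. Tightening `k` lowers the threshold but only buys false alarms from ordinary variation in the crud, which is the limitation Vern describes.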