Hi Vern/ folks,
I have been looking at the documents being produced by the opsec group.
I could not find a comprehensive document which lists down security
mechanisms to deal with TCP related threats, in the IETF itself. Did I
miss out anything?
Would it be helpful to work on a document "TCP Operational Security
Current Practices", including mechanisms to deal with attacks like small
fragments, XMAS/NULL/FIN scans, sequence number attacks etc? We could
probably point to already existing RFCs where necessary. Any other
takers?
Thanks,
Vishwas
-----Original Message-----
From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On Behalf Of Vern Paxson
Sent: Thursday, February 24, 2005 2:15 PM
To: pmrn
Cc: opsec@ops.ietf.org
Subject: Re: TCP small fragments
> But, the crud can be baselined and thresholded and alarmed when such
> crud exceeds a certain threshold. With Bro, isn't it possible to define
> such thresholds in the policy engine and the weird module? Of course,
> one has to gain prior knowledge of the network.
While Bro makes this sort of thresholding easy to express, its utility is
low, as Steve noted in his follow-on message. Many attacks that are similar
to crud don't significantly increase the volume of the crud, they're just
one more instance among dozens of (benign) others. So the threshold doesn't
help in detecting their presence.
> I have read your paper, as a matter of fact, I have read all your
> papers and they are immensely helpful to me in understanding many
> security issues.
Highly gratifying to hear, thanks!
Vern
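The exchange above makes two points that are easier to see with numbers: a baseline-and-threshold alarm on "crud" volume, and Vern's objection that a scan using malformed flags (the XMAS/NULL/FIN probes Vishwas lists) adds only a handful of events to dozens of benign ones and so never crosses the threshold. The following script is an added illustration, not code from the thread, from Bro, or from any IETF document; the flag classifier, the 14-day history of daily "weird" counts, the benign hosts in 192.0.2.0/24 and the scanning host 10.0.0.99 are all constructed for the example.

```python
"""Added example (not from the thread): volume thresholding on TCP 'crud'
versus a per-event rule for malformed flag combinations."""
from __future__ import annotations

from statistics import mean, pstdev
from typing import Optional

# TCP flag bits as laid out in the low byte of the TCP flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> Optional[str]:
    """Name the malformed flag combination a segment carries, or return
    None when the combination is one a normal TCP segment can have."""
    if flags == 0:
        return "null"                       # NULL probe: no flags at all
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & (SYN | ACK | RST):
        return "xmas"                       # XMAS probe: FIN+PSH+URG lit up
    if flags == FIN:
        return "fin_only"                   # FIN probe: FIN with no ACK
    if flags & SYN and flags & FIN:
        return "syn_fin"                    # never legitimate together
    return None


# Constructed history: daily counts of 'weird' segments seen by the sensor
# over the previous two weeks, i.e. the benign crud the thread talks about.
HISTORY = [31, 28, 35, 30, 29, 33, 27, 32, 30, 34, 28, 31, 29, 30]

# Constructed records for today as (source, destination port, flags):
# 30 broken stacks each sending one stray FIN-only segment, plus one host
# probing five ports with XMAS segments.
BENIGN = [(f"192.0.2.{i}", 443, FIN) for i in range(1, 31)]
SCAN = [("10.0.0.99", port, FIN | PSH | URG) for port in (21, 22, 23, 25, 80)]
TODAY = BENIGN + SCAN


def weird_count(records: list[tuple[str, int, int]]) -> int:
    """Total number of segments with a malformed flag combination."""
    return sum(1 for _, _, flags in records if classify_flags(flags) is not None)


def volume_alarm(history: list[int], today: int, k: float = 3.0) -> bool:
    """Baseline/threshold detector as described in the quoted message:
    alarm when today's count exceeds mean + k standard deviations."""
    return today > mean(history) + k * pstdev(history)


def scan_sources(records: list[tuple[str, int, int]], min_ports: int = 3) -> dict:
    """Per-event rule: group malformed segments by (source, kind) and report
    any source that touched at least min_ports distinct ports with them."""
    seen: dict[tuple[str, str], set[int]] = {}
    for src, dport, flags in records:
        kind = classify_flags(flags)
        if kind is not None:
            seen.setdefault((src, kind), set()).add(dport)
    return {key: ports for key, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    count = weird_count(TODAY)
    print(f"weird segments today: {count}")
    print(f"volume threshold alarm: {volume_alarm(HISTORY, count)}")
    print(f"per-event scan detection: {scan_sources(TODAY)}")
```

With the constructed history the threshold sits near 37 events per day; the scan lifts today's count from 30 to 35, so the volume alarm stays silent while the per-source rule reports the XMAS probes at once. The design point is the one Vern makes: thresholds catch changes in volume, so low-volume attacks need a rule that looks at the content of each event rather than at how many there were.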