RE: draft-ietf-opsec-current-practices-01.txt

Hi Merike,

Sorry for the late response. 

I just thought we had left out a few basic attacks which could be

Besides there seems to be a document
http://www.ietf.org/internet-drafts/draft-iab-dos-03.txt which talks
about "DoS attacks and mitigation". We could refer to the document too.


-----Original Message-----
From: Merike Kaeo [mailto:merike@doubleshotsecurity.com] 
Sent: Thursday, October 27, 2005 10:28 AM
To: Vishwas Manral
Cc: Opsec
Subject: Re: draft-ietf-opsec-current-practices-01.txt

Hi Vishwas.

I posted a version 02 just in time for deadline which should make it to 
the list any day now.....however, the additions do not address what you 
write below.  Would all of your comments be addressed by adding more 
detail to appendix B and including the info that you list below?  It 
doesn't make sense to list all of the 1000's of vulnerabilities that a 
network IDS system looks for so how best to generalize but add enough 
info to be useful and satisfy most needs?  More comment on that 

- merike

On Oct 26, 2005, at 6:45 AM, Vishwas Manral wrote:

> Hi Merike,
> Going through the document draft-ietf-opsec-current-practices-01.txt,
> figured that we have totally left out things like 'fingerprinting' (is
> that not aimed as part of this document).
> * TCP Xmas flags. All TCP header option flags are set on same
> This is often used to traverse packet filters and to scan hosts to
> detect open ports.
> * TCP zero flags (Null scan). This is often used to scan for open 
> ports.
> etc
> In appendix B you could add: -
> * Overlapping fragments
> * Tiny Fragments
> * TCP timestamp attack
> * ICMP Path MTU spoofing attacks - frag-req
> * oversized ICMP packets (Ping of death) (the name is not put there)
> * What about insertion/evasion attacks where we bypass the IDS
> even when they are present.
> * Application level attacks (worms)
> Thanks,
> Vishwas
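The scan and fragment techniques Vishwas lists above (TCP Xmas and Null flag combinations, tiny fragments, overlapping fragments used for IDS insertion/evasion) can be checked for on the wire with a few header-level rules. The following is an added example written for this archive page, not code from the draft or from either correspondent: it parses a minimal IPv4/TCP header from constructed sample packets and reports the flag combinations no normal stack emits, first fragments too short to carry the TCP header (RFC 1858), and fragment pairs whose byte ranges overlap. The addresses and datagram IDs are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits as laid out in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HEADER_LEN = 20  # bytes, without options


@dataclass
class IPv4Packet:
    src: str
    dst: str
    ident: int
    frag_offset: int        # byte offset of this fragment within the original datagram
    more_fragments: bool
    payload: bytes          # transport-layer bytes carried by this fragment


def parse_ipv4(raw: bytes) -> IPv4Packet:
    """Parse a minimal IPv4 header (IHL honoured, options skipped, checksum not verified)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, ident, ff, _ttl, _proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return IPv4Packet(src=".".join(map(str, src)), dst=".".join(map(str, dst)),
                      ident=ident, frag_offset=(ff & 0x1FFF) * 8,
                      more_fragments=bool(ff & 0x2000), payload=raw[ihl:])


def build_ipv4(src: str, dst: str, ident: int, frag_offset: int, mf: bool, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet for the checks below (checksum left zero)."""
    ff = (0x2000 if mf else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, ff, 64, 6, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Build a 20-byte TCP header with the given flags (seq/ack/checksum zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def classify_tcp_flags(flags: int) -> Optional[str]:
    """Name flag combinations that no legitimate TCP stack sends."""
    if flags == 0:
        return "null-scan"                         # no flags at all
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "xmas-scan"                         # FIN+PSH+URG lit up; covers 'all flags set'
    if flags & (SYN | FIN) == (SYN | FIN):
        return "syn-fin"                           # open and close in the same segment
    return None


def check_packet(pkt: IPv4Packet) -> List[str]:
    """Per-packet findings: tiny first fragment and anomalous TCP flags."""
    findings = []
    if pkt.frag_offset == 0:
        if pkt.more_fragments and len(pkt.payload) < TCP_HEADER_LEN:
            # RFC 1858 tiny fragment: the TCP header does not fit in fragment 0, so a
            # filter that only inspects the first fragment never sees ports or flags.
            findings.append("tiny-fragment")
        if len(pkt.payload) >= TCP_HEADER_LEN:
            verdict = classify_tcp_flags(pkt.payload[13])
            if verdict:
                findings.append(verdict)
    return findings


def check_overlap(fragments: List[IPv4Packet]) -> bool:
    """True if two fragments of one datagram cover overlapping byte ranges.
    Overlap is what makes reassembly ambiguous between an IDS and the end host,
    so it is reported rather than resolved here."""
    by_id: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = {}
    for p in fragments:
        key = (p.src, p.dst, p.ident)
        by_id.setdefault(key, []).append((p.frag_offset, p.frag_offset + len(p.payload)))
    for spans in by_id.values():
        spans.sort()
        for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
            if start_b < end_a:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample traffic: one Xmas probe, one Null probe, one tiny first
    # fragment and a pair of overlapping fragments of the same datagram.
    samples = [
        build_ipv4("192.0.2.10", "198.51.100.5", 1, 0, False, build_tcp(40000, 80, FIN | PSH | URG)),
        build_ipv4("192.0.2.10", "198.51.100.5", 2, 0, False, build_tcp(40001, 22, 0)),
        build_ipv4("192.0.2.10", "198.51.100.5", 3, 0, True, build_tcp(40002, 25, SYN)[:8]),
        build_ipv4("192.0.2.10", "198.51.100.5", 4, 0, True, build_tcp(40003, 443, SYN) + b"AAAA"),
        build_ipv4("192.0.2.10", "198.51.100.5", 4, 16, False, b"B" * 16),
    ]
    pkts = [parse_ipv4(s) for s in samples]
    for p in pkts:
        print(p.src, "->", p.dst, "id", p.ident, check_packet(p))
    print("overlapping fragments:", check_overlap(pkts))
```

The per-packet rules are cheap enough to run on a filtering router; the overlap check needs per-datagram state and belongs on the IDS or the reassembling host, which is exactly where the draft's appendix could note that the two must reassemble the same way for the IDS to be trusted.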