Overlaps Question

Hello and Greetings!

I have a question on overlaps - TCP segment overlaps and IP fragment
overlaps - how common they are and how legitimate?

AFAIK, TCP segmentation overlaps can be seen in normal traffic and by
themselves cannot be deemed malicious.

Is IP fragmentation overlap always abnormal? What is a scenario when
this can happen in a normal scenario?

Thanks in advance for the reply!

> I have a question on overlaps - TCP segment overlaps and IP fragment
> overlaps - how common they are and how legitimate?

TCP segment overlaps are, surprisingly, quite common. We discuss this
in a recent paper of ours:

  Efficient and Robust TCP Stream Normalization
  M. Vutukuru, H. Balakrishnan and V. Paxson
  Proc. IEEE Symposium on Security and Privacy, May 2008
  http://www.icir.org/vern/papers/tcpnorm-oak08.pdf

Fragment overlaps definitely occur too, though the ones I've tracked down
(not many) have been due to holding fragments for a long time and the IP
ID counter rolling over (producing a new set of fragments with the same ID).
I don't know how often they occur within the fragment reassembly time window.

    Vern
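
The distinction drawn in the reply above, as an added example that is not from either poster or from the cited paper: a passive check that separates fragment overlaps caused by IP ID reuse after a long hold from overlaps that fall inside the reassembly window. The 30-second window, the verdict names and the sample fragments are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed hold time for incomplete datagrams; set it to match the monitored hosts.
REASSEMBLY_TIMEOUT = 30.0
SEVERITY = {"id-reuse-after-timeout": 0, "identical-overlap": 1, "conflicting-overlap": 2}

def classify_fragment_overlaps(fragments, timeout=REASSEMBLY_TIMEOUT):
    """Classify each fragment that overlaps an earlier one with the same
    (src, dst, proto, ip_id). Fragments are dicts in capture order.
    Returns a list of (ts, ip_id, offset, verdict)."""
    seen = defaultdict(list)  # datagram key -> [(ts, offset, data), ...]
    findings = []
    for f in fragments:
        key = (f["src"], f["dst"], f["proto"], f["ip_id"])
        start, end = f["offset"], f["offset"] + len(f["data"])
        verdict = None
        for ts, o_start, o_data in seen[key]:
            lo, hi = max(start, o_start), min(end, o_start + len(o_data))
            if lo >= hi:
                continue  # no bytes in common with this earlier fragment
            if f["ts"] - ts > timeout:
                v = "id-reuse-after-timeout"   # old fragment outlived the window
            elif f["data"][lo - start:hi - start] == o_data[lo - o_start:hi - o_start]:
                v = "identical-overlap"        # same bytes, e.g. a duplicate
            else:
                v = "conflicting-overlap"      # same range, different bytes
            if verdict is None or SEVERITY[v] > SEVERITY[verdict]:
                verdict = v
        if verdict:
            findings.append((f["ts"], f["ip_id"], f["offset"], verdict))
        seen[key].append((f["ts"], start, f["data"]))
    return findings

def frag(ts, ip_id, offset, data):
    """Build a constructed sample fragment between two documentation addresses."""
    return {"ts": ts, "src": "192.0.2.1", "dst": "198.51.100.7", "proto": 17,
            "ip_id": ip_id, "offset": offset, "data": data}

# Constructed sample traffic, not taken from a real capture.
SAMPLE = [
    frag(0.0, 0x1234, 0, b"A" * 16),
    frag(0.1, 0x1234, 8, b"A" * 16),     # overlaps bytes 8-15 with same content
    frag(0.2, 0x1234, 16, b"B" * 8),     # overlaps bytes 16-23 with other content
    frag(1.0, 0x4242, 0, b"C" * 16),     # datagram never completed, stays held
    frag(95.0, 0x4242, 0, b"D" * 16),    # ID counter wrapped, same ID reused
]

if __name__ == "__main__":
    print(*classify_fragment_overlaps(SAMPLE), sep="\n")
```

The list of seen fragments is never expired here, so a long-running monitor would need to age entries out.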