×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Conditions to detect "IP Fragment Attack" (Signature ID 1100)

Unanswered Question
Aug 23rd, 2002
User Badges:

Hi

I want to examin whether some OSs have an endurance against

"IP Fragment Attack" (Signature ID:1100), and want to detect

the psudo-attack by SecureIDS 4210 (3.1(2)S29).


In NSDB, it is described that the trigger of

"IP Fragment Attack" is IP datagram with an offset value

less than 5 but greater than 0 indicated in the offset field.

So I tried a network tool able to send custom IP packets,

but the psude-attack was not detected.

(I tried hping2, http://www.hping.org.)


Are there any conditions set as datagram in addition to

an offset value to detect "IP Fragment Attack" ?

And, is detectable datagram generable,

if which tool is used and which options are set up?


Thank you.


Chiaki Hanyu

NTT DATA SECURITY CORPORATION, Japan

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Actions

This Discussion