[Snort-users] DF and MF
jeff at ...950...
Sat Apr 5 13:57:03 EST 2003
Linux PMTU discovery will set DF on a packet with MF already set. It's
anomalous but the Linux folks tend to disagree. Their current
implementation disregards, specifically, the fact that certain protocols
should not be subject to "optimizations" on behalf of PMTU discovery
(namely NFS). It is by no means trivial to create a more intelligent PMTU
discovery mechanism in Linux, nevertheless it should be done.

Initially it was OpenBSD's packet filter (pf) that was making note of this
anomalous behavior. The Linux folks sarcastically mentioned "These weird
BSD firewalls are the only systems blocking these packets...". Applying
the term blocking loosely, this is clearly not the case as Snort is the
most widely deployed network intrusion detection technology on the planet
and any well implemented defragmentation logic will consider this anomalous
--On Tuesday, April 01, 2003 00:20:19 -0800 Clayton Mascarenhas
<masclaythesnort at ...131...> wrote:
> Dear list,
> The DF bit is set when we need to find the PMTU. However my Snort IDS is
> detecting packets to my network that have both the DF as well as the MF
> bit set. When does this scenario happen?? How useful would this be to an
> attacker? Could someone please help me out?
http://cerberus.sourcefire.com/~jeff (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
- Albert Einstein
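The check discussed in this thread, as an added example that is not part of the original message and is not Snort's or pf's code: it reads the IPv4 flags/fragment-offset word and flags a fragment that also carries DF. The function names, the verdict enum and the sample header values are constructed for illustration, and treating DF with a nonzero offset the same as DF with MF is a generalization beyond the DF+MF case the thread describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_DF      0x4000u  /* don't fragment */
#define IP_MF      0x2000u  /* more fragments */
#define IP_OFFMASK 0x1fffu  /* fragment offset, in 8-byte units */

enum frag_verdict { FRAG_BAD_HDR = -1, FRAG_NONE, FRAG_NORMAL, FRAG_DF_ANOMALY };

/* Classify an IPv4 packet by the flags/fragment-offset word at bytes 6-7. */
enum frag_verdict classify_frag(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return FRAG_BAD_HDR;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return FRAG_BAD_HDR;

    unsigned word = ((unsigned)pkt[6] << 8) | pkt[7];
    if (!(word & (IP_MF | IP_OFFMASK)))
        return FRAG_NONE;          /* whole datagram; DF alone is ordinary PMTU discovery */
    if (word & IP_DF)
        return FRAG_DF_ANOMALY;    /* a fragment that also says "don't fragment" */
    return FRAG_NORMAL;
}

/* Constructed sample input: a minimal 20-byte header carrying flags_off. */
enum frag_verdict classify_sample(uint16_t flags_off)
{
    uint8_t h[20];
    memset(h, 0, sizeof h);
    h[0] = 0x45;                   /* version 4, IHL 5 */
    h[6] = (uint8_t)(flags_off >> 8);
    h[7] = (uint8_t)(flags_off & 0xff);
    return classify_frag(h, sizeof h);
}

int main(void)
{
    static const uint16_t samples[] = { 0x0000, 0x4000, 0x2000, 0x6000, 0x40b9 };
    static const char *names[] = { "not fragmented", "normal fragment", "DF on a fragment" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("flags/offset 0x%04x: %s\n", (unsigned)samples[i], names[classify_sample(samples[i])]);
    return 0;
}
```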