Endpoint Protection

  • 1.  IP Fragmentation Overlap

    Posted Nov 23, 2011 05:00 PM
    Good

    Currently I have the following network events on some equipment and the traffic is blocked, as indicated in the attachment.

    I can tell if it is a false positive; the computers that are appearing are on version 12 of Symantec.
     
    Denial of Service "IP Fragmentation Overlap" attack detected. Description: An IP Fragmentation Overlap attack exploits IP's packet reassembly feature by creating packet fragments with overlapping offset fields, making it impossible for your system to reassemble the packets properly.


  • 2.  RE: IP Fragmentation Overlap

    Posted Nov 23, 2011 05:28 PM

    Could you Disable Network threat protection and see if that helps?



  • 3.  RE: IP Fragmentation Overlap

    Posted Nov 23, 2011 05:29 PM

    Are you using Symantec Network Access Control?



  • 4.  RE: IP Fragmentation Overlap

    Posted Nov 23, 2011 05:39 PM

    Please do not disable NTP.

    If I am not wrong, this is what you are looking for, and the IDS is unable to drop the packet.

     

    The IDS doesn't fire an alarm because the IDS simply didn't get the packet. The most obvious example of this sort of attack is the leverage of IP Fragmentation and Overlapping TCP Segments. A few years ago, this method was highly effective against network IDS systems. Even today, these old school techniques can be effective.

    Now stop and think for a minute - the stranger the packets that we send, the more an IDS system has to work to reconstruct them. For every exception - the 'perfect' IDS has to make the assumption that a packet could have been dropped by the target. The IDS must maintain two states for every packet - accepted and dropped. For every packet, this doubles the number of states that the IDS must follow. For every duplicate or replay packet, the IDS must account for 1/2 again the current load. For an IDS of this nature to even watch for a 10 character signature would require a great deal of memory. Assuming single byte packets, the IDS would need 10K of memory just to watch this one session. If my signature is 11 bytes long, the figure doubles to 20K - exponentially increasing in size for each byte thereafter! This is compounded by the fact that the smaller the packets are, the more possible permutations of state. As we halve the size of each packet, we double the required size of the IDS buffers. Clearly this is impossible, considering both that the signatures are most likely larger than 10 characters, and that there are close to 80 web hits a second going over our network. What's the point? There is no such thing as a 'perfect' IDS.

     

    https://www-secure.symantec.com/connect/articles/multiple-levels-de-synchronization-and-other-concerns-testing-ids-system
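    To make the "overlapping offset fields" wording of the alert in the first post concrete, and to help triage whether such an event is a false positive, here is an added example (not Symantec's code and not from the linked article) that models IPv4 fragments by their Identification, Fragment Offset, MF flag and payload, then classifies each datagram. It separates a verbatim retransmission of a fragment (a benign duplicate that still trips naive "same offset seen twice" logic) from a true overlap, and within overlaps it flags the case where the two fragments disagree about the shared bytes, which is exactly what a reassembler cannot resolve. The fragment records below are constructed sample input, not traffic from the poster's network.

```python
"""Classify IPv4 fragment sets by overlap severity (added example, not Symantec code).

A fragment is modelled by the header fields an overlap signature looks at:
Identification (groups fragments of one datagram), Fragment Offset (in 8-byte
units), the More Fragments flag, and the payload bytes it carries.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List


@dataclass(frozen=True)
class Fragment:
    ident: int       # IPv4 Identification field: shared by all fragments of one datagram
    offset: int      # Fragment Offset header field, in 8-byte units
    more: bool       # More Fragments (MF) flag
    payload: bytes   # bytes carried by this fragment

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        # exclusive byte offset of the end of this fragment
        return self.start + len(self.payload)


# Verdicts in increasing order of severity.
SEVERITY = ['disjoint', 'duplicate', 'overlap', 'conflict']


def classify_pair(a: Fragment, b: Fragment) -> str:
    """Compare two fragments that belong to the same datagram.

    'disjoint'  : byte ranges do not intersect, normal fragmentation
    'duplicate' : identical range and identical bytes, i.e. a retransmission
    'overlap'   : ranges intersect but both copies agree on the shared bytes
    'conflict'  : ranges intersect and the shared bytes differ, so the
                  reassembled datagram depends on which copy the host prefers
    """
    lo, hi = max(a.start, b.start), min(a.end, b.end)
    if lo >= hi:
        return 'disjoint'
    if a.start == b.start and a.end == b.end and a.payload == b.payload:
        return 'duplicate'
    shared_a = a.payload[lo - a.start:hi - a.start]
    shared_b = b.payload[lo - b.start:hi - b.start]
    return 'overlap' if shared_a == shared_b else 'conflict'


def analyse(frags: List[Fragment]) -> Dict[int, str]:
    """Return the most severe verdict seen for each datagram Identification."""
    by_id: Dict[int, List[Fragment]] = {}
    for f in frags:
        by_id.setdefault(f.ident, []).append(f)
    worst: Dict[int, str] = {}
    for ident, group in by_id.items():
        verdict = 'disjoint'
        for a, b in combinations(group, 2):
            v = classify_pair(a, b)
            if SEVERITY.index(v) > SEVERITY.index(verdict):
                verdict = v
        worst[ident] = verdict
    return worst


# Constructed sample fragments, one datagram per Identification value.
SAMPLE = [
    # id 1: clean two-fragment datagram, bytes 0..16 then 16..24
    Fragment(1, 0, True, b'A' * 16),
    Fragment(1, 2, False, b'B' * 8),
    # id 2: the second fragment arrived twice, byte-for-byte identical
    Fragment(2, 0, True, b'C' * 8),
    Fragment(2, 1, False, b'D' * 8),
    Fragment(2, 1, False, b'D' * 8),
    # id 3: fragments overlap on bytes 8..16 and disagree there
    Fragment(3, 0, True, b'E' * 16),
    Fragment(3, 1, False, b'F' * 16),
    # id 4: fragments overlap on bytes 8..16 but carry the same bytes
    Fragment(4, 0, True, b'G' * 16),
    Fragment(4, 1, False, b'G' * 16),
]

if __name__ == '__main__':
    for ident, verdict in sorted(analyse(SAMPLE).items()):
        print(f'datagram id {ident}: {verdict}')
```

    When triaging an alert like the one in the first post, a stream of 'duplicate' verdicts from a single source usually points at retransmissions or a misbehaving network path rather than an attack, whereas 'conflict' verdicts are the pattern the signature is meant to catch and are worth escalating.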



  • 5.  RE: IP Fragmentation Overlap

    Posted Nov 23, 2011 05:41 PM

    This usually happens in a DoS attack scenario. There are MS patches which need to be implemented; kindly reach support to get assistance.