An IDS sensor has been deployed on a Linux system and is used to monitor a Windows system. An attacker would like to avoid detection of the following 24-character string at the IDS while still targeting the Windows system: "thisattackisprettybad". How can this be done by string fragmentation (3 packets)? For simplification purposes, it is possible to fragment datagrams anywhere one may like, and one can also specify absolute offsets (no 8-byte boundary limitation). For each fragment, I need to give the content and the offset. If it is not possible to conduct this attack, then can you explain why it is not possible?
What I know about IDS is that an intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.

IP fragmentation is the process of breaking up a single Internet Protocol (IP) datagram into multiple packets of smaller size. The IP fragment overlap exploit occurs when two fragments contained within the same IP datagram have offsets that indicate that they overlap each other in positioning within the datagram. This could mean that either fragment A is being completely overwritten by fragment B, or that fragment A is partially being overwritten by fragment B. Some operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in other undesirable ways upon receipt of overlapping fragments. This is the basis for the teardrop attack.

Overlapping fragments may also be used in an attempt to bypass intrusion detection systems. In this exploit, part of an attack is sent in fragments along with additional random data; future fragments may overwrite the random data with the remainder of the attack. I also know that Linux favors new data and Windows favors old data when dealing with the overlapping part of the segment. Based on this knowledge, I want to find the answer to the above question, and what the explanation for it is.
What is the IDS overlapping fragmentation attack trying to accomplish? [on hold]
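The following is an added worked example, not part of the original question or any answer to it. It simulates the two reassembly policies exactly as the question simplifies them ("favor old" = the first bytes written to an offset win, attributed to Windows; "favor new" = later fragments overwrite, attributed to Linux) and builds three fragments with arbitrary absolute offsets, as the question allows. The fragment layout, the `Fragment`/`reassemble` names and the filler byte `X` are all my own choices. Real stacks are more nuanced than a pure first-wins or last-wins rule (Snort's target-based reassembly distinguishes several policies, and Linux's behaviour depends on which fragment starts earlier), so treat the policies here as the question's premise rather than a description of any particular kernel. Note also that the string as written is 21 bytes, not 24; the example uses the string as given.

```python
"""Overlapping IP fragment reassembly under two simplified policies.

Added example. Assumptions (not from the original post): arbitrary byte
offsets are allowed, fragments are processed in arrival order, and the
'favor old' / 'favor new' policies are the idealised first-wins and
last-wins rules the question attributes to Windows and Linux.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Fragment:
    offset: int   # absolute byte offset inside the reassembled datagram
    data: bytes


def reassemble(fragments: List[Fragment], favor: str) -> bytes:
    """Reassemble fragments in arrival order.

    favor="old": a byte position, once written, is never overwritten
                 (the question's Windows behaviour).
    favor="new": a later fragment overwrites earlier data at the same
                 position (the question's Linux behaviour, i.e. what the
                 IDS sensor on the Linux host would reconstruct).
    """
    if favor not in ("old", "new"):
        raise ValueError("favor must be 'old' or 'new'")
    total = max(f.offset + len(f.data) for f in fragments)
    buf = bytearray(total)
    written = [False] * total
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if favor == "old" and written[pos]:
                continue  # first writer keeps the byte
            buf[pos] = byte
            written[pos] = True
    return bytes(buf)


NEEDLE = b"thisattackisprettybad"   # the string the IDS signature looks for


def attack_fragments() -> List[Fragment]:
    """Three fragments (constructed for this example) in the order sent.

    Fragments 1 and 2 carry the real attack string split in two.
    Fragment 3 arrives last and overlaps bytes 4..9 ('attack') with filler.
    A first-wins target ignores it; a last-wins reassembler overwrites
    'attack' with it and never sees the full signature string.
    """
    return [
        Fragment(0, b"thisattack"),     # bytes 0..9
        Fragment(10, b"isprettybad"),   # bytes 10..20
        Fragment(4, b"XXXXXX"),         # bytes 4..9, overlaps 'attack'
    ]


def no_single_fragment_matches(fragments: List[Fragment], needle: bytes) -> bool:
    """True when no individual fragment carries the whole signature,
    so a sensor that only inspects packets one at a time cannot match."""
    return all(needle not in f.data for f in fragments)


def evades(fragments: List[Fragment], needle: bytes,
           ids_policy: str, target_policy: str) -> bool:
    """True when the target reassembles the needle but the IDS does not."""
    seen_by_target = needle in reassemble(fragments, target_policy)
    seen_by_ids = needle in reassemble(fragments, ids_policy)
    return seen_by_target and not seen_by_ids


if __name__ == "__main__":
    frags = attack_fragments()
    for f in frags:
        print(f"offset {f.offset:2d}: {f.data!r}")
    print("Windows (favor old):", reassemble(frags, "old"))
    print("Linux IDS (favor new):", reassemble(frags, "new"))
    print("evades:", evades(frags, NEEDLE, ids_policy="new", target_policy="old"))
```

Running the script prints the three fragments with their offsets, the two reconstructions (`thisattackisprettybad` on the first-wins target versus `thisXXXXXXisprettybad` on the last-wins sensor), and `evades: True`. Reversing the arrival order would fail: if the filler fragment were sent first, a first-wins target would keep the filler and the attack string would never reach the Windows host. The example reinforces the practical counter-measure as well: an IDS that reassembles with the target host's policy (target-based reassembly) reconstructs the same bytes the victim does, and this class of evasion disappears.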