Internet Security Systems

IP fragment data changed

advICE : Intrusions : 2000025
Summary

Denial of Service attempt.

Details

Two overlapping IP fragments of the same datagram have been observed that carry different data for the same byte range. Overlapping fragments are used in a broad range of Denial of Service attacks against IP reassembly code: a vulnerable operating system may become unstable or crash. An attacker may also be using the overlap to trick the target into accepting the attacker's data in place of the original data, or to make a sensor see a different payload than the target does.

Defense

Fixes are available for most operating systems; consult your operating system vendor, or the CERT and Microsoft advisories on this subject. Note that receiving these packets does not by itself mean the system will crash: newer systems are generally not vulnerable to this attack, and this alert reports the attempt, not a successful crash.

Different hosts resolve overlapping fragments differently: some keep the data from the first fragment received, others let a later fragment overwrite it. To keep the sensor from being confused, and from reassembling a different payload than the host it protects, it may be necessary to tell the sensor on a per-host basis whether to favor the new fragments or the old ones (see the ip.favornewdata setting below).

Trigger

This is a "state-based" signature: the sensor remembers the IP fragments it has seen for each datagram. When a new fragment arrives whose data disagrees with an earlier fragment covering the same bytes, this alert triggers. It may be part of an "evasion" attempt: by sending overlapping fragments with different contents, an attacker tries to make the sensor reassemble one payload while the target reassembles another, so that the sensor misinterprets the data.
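The following is an added worked example of the state-based check described above and of the favor-new versus favor-old reassembly policy from the Defense section. It is illustration code written for this page, not code from the advICE page or from the BlackICE sensor. It assumes fragments have already been pulled out of the IP header as (byte offset, payload, more-fragments flag); the datagram key, the tracker class and the interpretation of the page's "expected" parameter as the end of the data seen so far are assumptions, and the three fragments in run_demo are constructed sample input.

```python
"""Track IP fragments per datagram, raise an alert when an overlapping
fragment carries different data, and show why 'favor new data' matters.

Added example for this page; not BlackICE code. Header parsing is not
shown: each fragment is (offset_in_bytes, payload, more_fragments).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (src, dst, ip_id, proto): the fields that identify one datagram's fragments
DatagramKey = Tuple[str, str, int, int]


@dataclass
class FragmentState:
    chunks: List[Tuple[int, bytes]] = field(default_factory=list)  # arrival order
    alerts: List[dict] = field(default_factory=list)
    total_len: Optional[int] = None  # known once the MF=0 fragment arrives


class FragmentTracker:
    """'State-based' signature: remembers fragments per datagram key."""

    def __init__(self, favor_new_data: bool = False):
        self.favor_new_data = favor_new_data  # models ip.favornewdata
        self.state: Dict[DatagramKey, FragmentState] = {}

    def add(self, key: DatagramKey, offset: int, payload: bytes,
            more_fragments: bool) -> Optional[bytes]:
        st = self.state.setdefault(key, FragmentState())
        # Assumed meaning of the page's `expected` parameter: where the
        # data seen so far ends, i.e. where a well-behaved fragment starts.
        expected = max((o + len(d) for o, d in st.chunks), default=0)
        for old_off, old_data in st.chunks:
            lo = max(offset, old_off)
            hi = min(offset + len(payload), old_off + len(old_data))
            if lo >= hi:
                continue  # no overlap with this earlier fragment
            if payload[lo - offset:hi - offset] != old_data[lo - old_off:hi - old_off]:
                # Same byte range, different bytes: "IP fragment data changed".
                st.alerts.append({"signature": "IP fragment data changed",
                                  "expected": expected, "offset": offset,
                                  "length": len(payload)})
                break  # one alert per offending fragment
        st.chunks.append((offset, payload))
        if not more_fragments:
            st.total_len = offset + len(payload)
        return self._try_reassemble(st)

    def _try_reassemble(self, st: FragmentState) -> Optional[bytes]:
        if st.total_len is None:
            return None
        buf = bytearray(st.total_len)
        have = bytearray(st.total_len)  # 1 where a byte has been claimed
        for off, data in st.chunks:  # arrival order matters for the policy
            for i, b in enumerate(data):
                pos = off + i
                if pos >= st.total_len:
                    break  # data past the last fragment's end is dropped
                if self.favor_new_data or not have[pos]:
                    buf[pos] = b  # later data overwrites only if favoring new
                    have[pos] = 1
        if not all(have):
            return None  # a hole remains; wait for more fragments
        return bytes(buf)


def run_demo(favor_new_data: bool):
    """Feed three constructed fragments; the second overlaps bytes 8..16 of
    the first with different content. Offsets are multiples of 8 as in a
    real IP header. Returns (reassembled payload, alerts)."""
    key = ("10.0.0.1", "10.0.0.2", 0x1234, 6)  # constructed sample datagram
    frags = [
        (0,  b"GET /pub/ok.html", True),   # bytes 0..16
        (8,  b"/no.html",         True),   # bytes 8..16, overlaps, differs
        (16, b" HTTP/1.0\r\n",    False),  # last fragment, bytes 16..27
    ]
    tracker = FragmentTracker(favor_new_data)
    result = None
    for off, data, mf in frags:
        result = tracker.add(key, off, data, mf)
    return result, tracker.state[key].alerts


if __name__ == "__main__":
    for policy in (False, True):
        payload, alerts = run_demo(policy)
        print("favor new data:", policy, "->", payload, "alerts:", alerts)
```

Both runs raise the same alert (expected 16, offset 8, length 8), but the reassembled request differs: favoring old data yields the /ok.html request, favoring new data yields /no.html. A sensor configured with the wrong policy for the protected host inspects a payload the host never sees, which is the evasion the Trigger section describes. A retransmitted fragment with identical bytes overlaps but does not alert.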

More information

BugtraqID 543: Linux IPChains Fragment Overlap Vulnerability
BugtraqID 376: Linux IP Fragment Overlap Vulnerability
advICE: spoofing

Parametric information

expected: the expected value of the fragment offset.
offset: the actual value of the fragment offset.
length: the length of the fragment.

Configuration for this item

ip.favornewdata (on/off): if on, new data is favored over old data when overlapping fragments are reassembled; this option is off by default.

 
Version appeared: 2.5 
