Enterasys Intrusion Prevention System Manual page 68

Network sensor policies and signatures guide
Configuring the Network Layer Module
21. Specifying a value for Small Fragment Offset tells the Network Sensor to alert on any IP
fragment offset that is larger than 0 but smaller than the specified byte length.
There are several tools available that will automatically fragment traffic for a hacker. Many of
these tools generate fragments with small payloads. These payloads of 24, 16 or even 8 bytes
seldom occur naturally. They are a good indication that someone may be performing a denial
of service attack on your network or attempting to bypass a packet-based intrusion detection
system. If the fragments all have an offset of 1, this is a common signature of a fragmented
port scan.
The offset value is specified in fragment units (the unit of the IP fragment offset field), which
means that a value of 1 translates to eight bytes. Values of 16 and 24 are good choices. The
default value is 32.
22. Specifying a value for Max MTU Size (Bytes) tells the sensor to drop any IP packet
to the protected network that has the don't fragment (DF) bit set and is larger than this
specified value. For example, suppose a Network Sensor is in front of a network segment with
an MTU of 1300 bytes, possibly a VPN. If a packet destined for the WWW server shows up
with a size of 1350 bytes and its don't fragment bit set, the border device will drop the packet
and probably issue an ICMP fragmentation needed message. If the sensor is not aware of this
topology issue, it may incorrectly pick up that packet and become confused, especially if this
packet was crafted to look like it was part of an ongoing attack session.
You should specify a value equal to the maximum segment size (MSS) of your network.
Packets that are larger will require fragmentation. The default, and maximum, value is 1500
bytes.
23. Selecting the Log Max MTU Events option tells the sensor to log Max MTU events.
24. Selecting Favor Old tells the Network Sensor to favor old data when it receives overwriting
data.
When IP fragments are reassembled, it is possible for a hacker to generate traffic that
overwrites itself. Imagine a single packet split into two fragments. If a hacker sends the first
fragment, followed by a fake first fragment, some operating systems will keep the original
data while others will believe the second fake fragment. This discrepancy can be used to
confuse a network sensor.
Windows NT and Solaris systems tend to keep the data in the first few packets and discard
any overwriting data. Other systems, such as Linux, Irix, and HP-UX, favor new data. You can
choose to favor old data on the system.
An alert titled [FRAG-OVERLAP] is generated during IP fragmentation reconstruction if
overlapping data is detected. This may indicate that a network problem has occurred or that a
malicious user is attempting to bypass the packet-based IDS system or the firewall.
All networks tend to have overwriting IP fragments that result from corrupted packets and
broken equipment. An analysis of the overwritten data and the subsequent packets from the
IP addresses involved should be conducted for each event of this type. If the data is very
random or seems like garbage, it is fairly safe to ignore these events. On the other hand, if the
event is web traffic, email traffic or something else that is recognizable, some time should be
invested to discern the nature of the event. In most cases, the responses from the target will
not be fragmented and can be used to provide some clue as to what is happening.
25. Click Commit to add your changes to the policy being configured.
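The checks described in steps 21, 22 and 24, as an added Python example that is not code from the Enterasys manual or the Network Sensor itself: it decodes a constructed IPv4 header, applies the Small Fragment Offset check (offset in 8-byte units) and the Max MTU Size check (DF bit set and total length above the limit), and reassembles a set of overlapping fragments under either a favor-old or a favor-new policy, raising a [FRAG-OVERLAP] alert when data is overwritten. The header builder, the sample fragments and all function names are constructed for illustration; the sensor's actual internals are not described on this page.

```python
import struct

# Bits in the IPv4 flags/fragment-offset field, and the 8-byte fragment offset unit
IP_DF = 0x4000
IP_MF = 0x2000
FRAG_UNIT = 8


def build_ipv4(total_length, flags, frag_offset_units, proto=6):
    """Construct a minimal 20-byte IPv4 header (sample data only; checksum left zero)."""
    ver_ihl = (4 << 4) | 5
    flags_frag = flags | (frag_offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, 0x1234,
                       flags_frag, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def parse_ipv4(header):
    """Decode the fields the sensor checks: total length, DF/MF flags, fragment offset."""
    (ver_ihl, _tos, total_length, _ident, flags_frag,
     _ttl, _proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", header[:20])
    return {
        "total_length": total_length,
        "df": bool(flags_frag & IP_DF),
        "mf": bool(flags_frag & IP_MF),
        "frag_offset_units": flags_frag & 0x1FFF,
    }


def evaluate_packet(header, small_frag_offset=32, max_mtu=1500):
    """Apply the Small Fragment Offset and Max MTU Size checks; return alert strings.

    Defaults follow the manual: 32 fragment units and 1500 bytes.
    """
    hdr = parse_ipv4(header)
    alerts = []
    off = hdr["frag_offset_units"]
    # Step 21: offset larger than 0 but smaller than the configured value
    if 0 < off < small_frag_offset:
        alerts.append("SMALL-FRAG-OFFSET offset=%d units (%d bytes)" % (off, off * FRAG_UNIT))
    # Step 22: DF bit set and packet larger than the segment's MTU would be dropped
    if hdr["df"] and hdr["total_length"] > max_mtu:
        alerts.append("MAX-MTU drop: %d bytes > %d with DF set" % (hdr["total_length"], max_mtu))
    return alerts


def reassemble(fragments, favor_old=True):
    """Reassemble (offset_units, payload) fragments in arrival order.

    Any byte that is written twice raises a [FRAG-OVERLAP] alert. With favor_old the
    data already in the buffer is kept (the Windows NT / Solaris behaviour described
    in step 24); otherwise the newer fragment overwrites it (Linux, Irix, HP-UX).
    """
    total = max(off * FRAG_UNIT + len(p) for off, p in fragments)
    buf = bytearray(total)
    written = [False] * total
    alerts = []
    for index, (off_units, payload) in enumerate(fragments):
        start = off_units * FRAG_UNIT
        overlap = sum(1 for i in range(start, start + len(payload)) if written[i])
        if overlap:
            alerts.append({"alert": "[FRAG-OVERLAP]", "fragment": index,
                           "offset_bytes": start, "overlap_bytes": overlap})
        for i, byte in enumerate(payload):
            pos = start + i
            if written[pos] and favor_old:
                continue  # keep the original data
            buf[pos] = byte
            written[pos] = True
    return bytes(buf), alerts


# Constructed sample: a 16-byte first fragment, a fake 8-byte first fragment, then the tail
SAMPLE_FRAGMENTS = [(0, b"A" * 16), (0, b"B" * 8), (2, b"C" * 8)]

if __name__ == "__main__":
    print(evaluate_packet(build_ipv4(1350, IP_DF, 0), max_mtu=1300))
    print(evaluate_packet(build_ipv4(60, IP_MF, 1)))
    for policy in (True, False):
        data, alerts = reassemble(SAMPLE_FRAGMENTS, favor_old=policy)
        print("favor_old=%s -> %r %s" % (policy, data, alerts))
```

Running the block reproduces the manual's scenarios: a 1350-byte DF packet against a 1300-byte MTU is flagged for the Max MTU drop, a fragment at offset 1 (eight bytes) trips the Small Fragment Offset check, and the same three fragments reassemble to different data depending on the policy, which is exactly the discrepancy that lets a host and the sensor disagree unless the sensor mirrors the protected system's behaviour.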
2-38 Creating Network Sensor Policies
