Date:      Fri, 20 Jun 2025 10:03:19 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 287229] IP reassembly issue in FreeBSD 14.1
Message-ID:  <bug-287229-7501-n8aHsUtONg@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-287229-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-287229-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287229

--- Comment #24 from Lucas Aubard <lucas.aubard@irisa.fr> ---
(In reply to Michael Tuexen from comment #18)
Thanks for the details!

We are currently working on Network Intrusion Detection Systems (NIDS) evasion
with overlapping IP fragments or TCP segments.
Some NIDSes (Suricata, Snort) propose configuring their IP and TCP reassemblies
based on the supervised host OSes as an evasion countermeasure to
overlapping-based attacks. In that context, we test OSes (and other stacks) to
obtain and describe their reassembly policies so NIDSes can implement and
propose them.
From a NIDS perspective, OS reassembly consistency is thus quite important.
We recently wrote a paper on that subject https://arxiv.org/pdf/2504.21618
(that will appear at DIMVA'25) if you want more details.

The 40 processes do not correspond to any particular real situation I would try
to reproduce. As I mentioned, I test OS VMs simultaneously if possible, and 40
processes is a good tradeoff between the time it takes for the entire
experiment to finish and the number of VMs I can run in parallel.
