SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Overlapping IP fragments can be used by attackers to hide malicious intent from intrusion detection systems and analysts. Operating systems resolve overlapping fragments differently, giving preference either to the fragment with the lower (or higher) offset within the datagram or to the fragment that arrived first (or last). As a result, the same fragmented datagram may be reassembled in one of five different ways. If the IDS or the analyst does not reassemble the fragments the same way the target host does, an attack may succeed and go undetected. While some intrusion detection systems have techniques for dealing with these attacks, few tools let an analyst look inside the reassembly process and try to understand the attacker's intent. This paper explores how an analyst can use Scapy to reassemble fragmented attack packets the way Linux, Windows, Macintosh, Cisco routers and other operating systems would, to see how each operating system would interpret the fragmented packets.
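The five reassembly behaviours the abstract refers to are the overlap policies catalogued by Shankar and Paxson (First, Last, BSD, BSD-right, Linux). The following is an added example, not the paper's Scapy code: a pure-Python, target-based reassembler that applies each policy to the same fragment stream so the analyst can compare what different hosts would hand to their transport layer. The per-byte winner rules encode the standard characterisations of those policies (lower offset wins with ties to the original for BSD, higher offset wins with ties to the subsequent for BSD-right, lower offset wins with ties to the subsequent for Linux). The fragment stream, datagram ID 0xBEEF, the 10.0.0.1/10.0.0.2 addresses and all function names are constructed for this illustration; packets are built and parsed with `struct` only, so nothing here depends on Scapy.

```python
"""Target-based reassembly of overlapping IPv4 fragments (added example).

Applies the five overlap policies from Shankar & Paxson's Active Mapping work
to one constructed fragment stream and shows that every policy yields a
different payload.  Packets are built and parsed with struct; no Scapy needed.
"""
import struct
from collections import defaultdict

POLICIES = ("first", "last", "bsd", "bsd-right", "linux")


def new_fragment_wins(policy, old_off, new_off):
    """True if a byte owned by a fragment starting at old_off is overwritten
    by a later-arriving fragment starting at new_off."""
    if policy == "first":       # original fragment always wins
        return False
    if policy == "last":        # subsequent fragment always wins
        return True
    if policy == "bsd":         # lower offset wins; ties keep the original
        return new_off < old_off
    if policy == "bsd-right":   # higher offset wins; ties take the subsequent
        return new_off >= old_off
    if policy == "linux":       # lower offset wins; ties take the subsequent
        return new_off <= old_off
    raise ValueError("unknown policy: %s" % policy)


def build_ipv4(ident, frag_off, more, payload, proto=17,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Construct a minimal IPv4 fragment (checksum left zero; never verified here)."""
    if frag_off % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_off = (0x2000 if more else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr + payload


def parse_ipv4(pkt):
    """Return (datagram_key, byte_offset, payload, more_fragments) for one packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    key = (pkt[12:16], pkt[16:20], ident, pkt[9])   # src, dst, id, protocol
    return key, (flags_off & 0x1FFF) * 8, pkt[ihl:total_len], bool(flags_off & 0x2000)


def reassemble(packets, policy):
    """Reassemble every datagram in `packets` (arrival order) under `policy`.

    Returns {datagram_key: payload_bytes}.  Raises ValueError if a datagram
    never gets its last (MF=0) fragment or still has a hole afterwards.
    """
    owners = defaultdict(dict)   # key -> {byte position: (owner offset, value)}
    lengths = {}                 # key -> total length fixed by the MF=0 fragment
    for pkt in packets:
        key, off, payload, more = parse_ipv4(pkt)
        if not more:
            lengths[key] = off + len(payload)
        buf = owners[key]
        for i, value in enumerate(payload):
            pos = off + i
            if pos not in buf or new_fragment_wins(policy, buf[pos][0], off):
                buf[pos] = (off, value)
    result = {}
    for key, buf in owners.items():
        if key not in lengths:
            raise ValueError("datagram %r: last fragment never arrived" % (key,))
        holes = [p for p in range(lengths[key]) if p not in buf]
        if holes:
            raise ValueError("datagram %r: hole at byte %d" % (key, holes[0]))
        result[key] = bytes(buf[p][1] for p in range(lengths[key]))
    return result


# Constructed attack stream: seven fragments of datagram ID 0xBEEF, one digit
# per 8-byte unit so the reassembled payload can be read at a glance.
# Tuples are (offset in bytes, more-fragments flag, payload).
ATTACK_FRAGMENTS = [
    (0,  True,  b"1" * 24),   # units 0-2
    (16, True,  b"2" * 16),   # units 2-3: overlaps the tail of fragment 1
    (8,  True,  b"3" * 24),   # units 1-3: lower offset than fragment 2
    (16, True,  b"4" * 8),    # unit 2:   same offset as fragment 2
    (32, True,  b"5" * 16),   # units 4-5
    (32, True,  b"6" * 8),    # unit 4:   same offset as fragment 5
    (48, False, b"7" * 8),    # unit 6:   last fragment, fixes length at 56
]
ATTACK_PACKETS = [build_ipv4(0xBEEF, off, more, data)
                  for off, more, data in ATTACK_FRAGMENTS]


def views_per_policy(packets=ATTACK_PACKETS):
    """One reassembled payload per policy, compressed to one char per 8-byte unit."""
    views = {}
    for policy in POLICIES:
        (payload,) = reassemble(packets, policy).values()
        views[policy] = payload[::8].decode()
    return views


if __name__ == "__main__":
    for policy, view in views_per_policy().items():
        print("%-10s %s" % (policy, view))
```

To run this over a real capture instead of the constructed stream, feed `reassemble()` the raw bytes of each IP packet, for example `[bytes(p[IP]) for p in rdpcap("frags.pcap") if IP in p]` in Scapy. Two caveats a practitioner should keep in mind: the fragment that wins a byte in a real stack is decided by trimming whole fragments on insertion, which this per-byte model reproduces only because each stack keeps its fragment list non-overlapping; and the "Linux" policy describes older kernels, since the 2018 FragmentSmack fixes made Linux discard any datagram whose fragments overlap at all.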
SANS Faculty Fellow Mark Baggett authored SEC573, SEC673, and SEC406, leads as CTO of the SANS Internet Storm Center, and empowers defenders to automate security through practical, real-world application.
Read more about Mark Baggett