Well, I'm trying to realize teardrop attack packet filtering based on eBPF and the XDP driver. And I don't know how to do it... Is it possible to detect IPv4 fragment overlapping by using these instruments?
1 Answer
1
If my understanding is correct, you only need to be able to remember the size and offset of IP fragments to detect such attacks. You can do that using a BPF map.

pchaigno
- But how can I remember N fragments for only one 'full' packet, when eBPF filters millions of different fragmented packets? – Ivan Kamynin Mar 13 '20 at 10:21
- Do you mean how to associate a given fragment to its full packet? Isn't that what the identification field of the IPv4 header is for? – pchaigno Mar 13 '20 at 10:52
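
The approach from the answer and its comments, as an added example that is not part of the original thread: a plain C model of the per-packet check an XDP program would make, with a static array standing in for the BPF map. The names `check_fragment`, `make_frag`, `frag_key` and the table sizes are assumptions of this example; the key (source, destination, protocol, identification) is the IPv4 reassembly key, and expiry of old entries is left out.

```c
#include <stdint.h>
#include <string.h>

#define MAX_FLOWS 64 /* stand-in for the BPF map's max_entries (assumed size) */
#define MAX_FRAGS 8  /* fragment ranges remembered per datagram (assumed size) */
struct frag_key { uint32_t saddr, daddr; uint16_t id; uint8_t proto, used; };
struct frag_state { struct frag_key key; uint32_t n, start[MAX_FRAGS], end[MAX_FRAGS]; };
static struct frag_state table[MAX_FLOWS]; /* models a hash map keyed by frag_key */
enum verdict { PASS = 0, DROP = 1 };

/* hdr points at the IPv4 header, len is the number of readable bytes. */
enum verdict check_fragment(const uint8_t *hdr, size_t len)
{
    if (len < 20 || (hdr[0] >> 4) != 4) return PASS; /* not IPv4: out of scope */
    uint32_t ihl = (hdr[0] & 0x0f) * 4u;
    uint32_t tot = ((uint32_t)hdr[2] << 8) | hdr[3];
    uint32_t fo = ((uint32_t)hdr[6] << 8) | hdr[7];
    if (ihl < 20 || tot < ihl) return DROP;          /* malformed lengths */
    if (!(fo & 0x3fff)) return PASS;                 /* MF clear, offset 0: not a fragment */
    uint32_t start = (fo & 0x1fff) * 8u;             /* offset field is in 8-byte units */
    uint32_t end = start + (tot - ihl);              /* exclusive end of this payload */
    struct frag_key k = { .id = (uint16_t)((hdr[4] << 8) | hdr[5]), .proto = hdr[9], .used = 1 };
    memcpy(&k.saddr, hdr + 12, 4); memcpy(&k.daddr, hdr + 16, 4);
    struct frag_state *st = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (!memcmp(&table[i].key, &k, sizeof k)) { st = &table[i]; break; }
        if (!st && !table[i].key.used) st = &table[i]; /* remember first free slot */
    }
    if (!st || st->n == MAX_FRAGS) return DROP;      /* out of state: fail closed */
    st->key = k;
    for (uint32_t i = 0; i < st->n; i++)
        if (start < st->end[i] && st->start[i] < end)
            return DROP;                             /* overlaps a remembered fragment */
    st->start[st->n] = start;
    st->end[st->n++] = end;
    return PASS;
}

/* Constructed sample input: a 20-byte IPv4/UDP header, 192.0.2.1 -> 192.0.2.2. */
void make_frag(uint8_t h[20], uint16_t id, uint16_t off_bytes, int mf, uint16_t payload)
{
    uint16_t fo = (uint16_t)((off_bytes / 8) | (mf ? 0x2000 : 0)), tot = (uint16_t)(20 + payload);
    memset(h, 0, 20);
    h[0] = 0x45; h[2] = (uint8_t)(tot >> 8); h[3] = (uint8_t)tot;
    h[4] = (uint8_t)(id >> 8); h[5] = (uint8_t)id; h[6] = (uint8_t)(fo >> 8); h[7] = (uint8_t)fo;
    h[9] = 17; h[12] = 192; h[14] = 2; h[15] = 1; h[16] = 192; h[18] = 2; h[19] = 2;
}
```

In an actual XDP program the table would be a BPF hash map; an LRU variant (`BPF_MAP_TYPE_LRU_HASH`) evicts stale datagram state so the map cannot fill up permanently. An exact retransmission of a fragment also counts as an overlap in this model.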