Hi Paolo,
Possibly, I'm not sure yet. Really depends on the ease of
implementation. A "ratio" of fragmentation might be nice as well. I
don't think there are very good reasons to slice a packet in more than 2
fragments so anything exceeding that might be worthwhile to detect and
analyze.
-
Hi Hidde,
Yes, there is plenty of defragmentation code and you are right that
there is no 'external visibility' into it. I'm curious what you'd have
in mind to give such visibility, a bool like fragmented traffic yes/no
of some sort?
Paolo
On Thu, Nov 09, 2017 at 04:26:37PM +0100, Hidde van
Hi,
While looking into pmacct to monitor our Internet edge, we are also
testing if we can detect malicious activity, primarily DDoS traffic.
With the current aggregators we can gather most of the required data but
the one thing really missing is IP fragmentation.
I noticed there is already