Packet decoding. The structure of packets needs to be defined for further analysis. To do this, decoding procedures are run to characterize the type of the packet, the packet header, the source and destination IP addresses used for the packet transmission, the TCP/IP header, and so forth. To correctly determine the peculiarity of packets in anomaly detection, which is normally used to observe abnormal behavior, Requests for Comments (RFCs) are applied as the reference for assessing whether network applications correctly implement certain protocols. Thus an IPS operates decoders to verify whether the incoming packets are consistent with the applicable RFCs.
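An added example, not part of the original text: a small IPv4 header decoder in Python that extracts the fields named above and checks them against RFC 791, as an IPS decoder stage might. The function names, the selection of checks and the sample packets (built with documentation addresses) are assumptions constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_ipv4(packet: bytes):
    """Return (fields, violations) for the IPv4 header at the start of packet."""
    if len(packet) < 20:
        return {}, ["shorter than the 20-byte minimum header"]
    (vihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hdr_len = vihl >> 4, (vihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8          # fragment offset in bytes
    fields = {"version": version, "header_len": hdr_len, "total_len": total_len,
              "id": ident, "mf": bool(flags_frag & 0x2000), "frag_offset": offset,
              "ttl": ttl, "protocol": proto,
              "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    bad = []
    if version != 4:
        bad.append("version field is not 4")
    if hdr_len < 20:
        bad.append("IHL below minimum of 5 words")
    elif hdr_len > len(packet):
        bad.append("IHL runs past the captured bytes")
    elif inet_checksum(packet[:hdr_len]) != 0:   # a valid header sums to zero
        bad.append("header checksum mismatch")
    if total_len < hdr_len:
        bad.append("total length smaller than header length")
    elif offset + (total_len - hdr_len) > 65535:
        bad.append("fragment would extend datagram past 65535 bytes")
    if flags_frag & 0x8000:
        bad.append("reserved flag bit is set")
    return fields, bad

def build_header(src, dst, total_len=40, flags_frag=0, proto=6):
    """Constructed sample input: a 20-byte header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                      64, proto, 0, bytes(src), bytes(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

GOOD = build_header((192, 0, 2, 10), (198, 51, 100, 7)) + bytes(20)
# Fragment offset field 8189 is 65512 bytes; with 1480 payload bytes it overruns.
OVERSIZE = build_header((192, 0, 2, 10), (198, 51, 100, 7), 1500, 8189)
```
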
Storage. Packets are usually stored after being processed and decoded. Data can be stored either by saving it to a file on the hard disk or in the form of a data structure.
Fragment reassembly. Packet decoding alone does not always solve packet analysis appropriately. Packet fragmentation and the fragment reassembly process are further problems that need to be solved. It is also well known in network security that attackers can use fragmented packets to avoid detection. Fragmented packets can overlap one another so that, during reassembly, the sequence of reassembly is not appropriate and a fragment is overwritten instead of being reassembled naturally in order. A fragmented packet can also be oversized, so that the CPU of the computer cannot properly handle or process the packet, resulting in a system crash caused by a DoS attack. Another cause related to fragmentation is a system crash from a teardrop attack, which mixes several fragments; the resulting offsets create large program in