The transport layer protocol utilized in packet network communications allows a TCP transmission to be separated into variable sized segments which are sent to the destination, as part of the same TCP session. Each segment still belongs to the original TCP transmission, and can be reassembled by the destination to re-create the original TCP transmission.
Different kinds of operating systems have unique methods of TCP segment reassembly. These methods of reassembling TCP segments can be exploited by attackers. In their landmark 1998 paper, “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection,” Thomas Ptacek and Timothy Newsham exposed some weaknesses in intrusion detection systems (IDS). The authors revealed that an IDS cannot be effective and accurate because it does not necessarily process or even observe network traffic exactly as the destination host that receives the message does.
If an IDS utilizes a single reassembly method, it may not analyze the same reassembled payload as an operating system at the destination. Consequently, an attack that successfully exploits these differences in TCP segment reassembly can cause the IDS to miss the malicious traffic.