Research Update Enhanced src/generic-methodologies-and-resou...

src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md

@@ -41,12 +41,22 @@ Or maybe, 2 packets with the same offset comes and the host has to decide which
 - **First** (Windows): First value that comes, value that stays.
 - **Last** (cisco): Last value that comes, value that stays.
 
+Recent research shows that **overlap handling still differs across OS/NIDS implementations**, and that **overlap-based evasion/insertion remains practical** when the IDS policy doesn't exactly match the monitored host. This applies to both IP fragmentation and TCP segmentation overlaps, so testing with target-specific overlap policies is still relevant in modern environments.
+
+## **IPv6 Atomic Fragments**
+
+IPv6 allows packets to include a **Fragment Header** even when they are not actually fragmented ("atomic fragments"). These packets are processed differently by some stacks and middleboxes. Testing IDS/IPS behavior with atomic fragments can reveal **fragment-header handling gaps** and reassembly inconsistencies.
+
 ## Tools
 
 - [https://github.com/vecna/sniffjoke](https://github.com/vecna/sniffjoke)
 
+## References
+
+- [https://arxiv.org/abs/2504.21618](https://arxiv.org/abs/2504.21618)
+- [https://datatracker.ietf.org/doc/html/rfc6946](https://datatracker.ietf.org/doc/html/rfc6946)
 
-{{#include ../../banners/hacktricks-training.md}}
 
+{{#include ../../banners/hacktricks-training.md}}