IP fragmentation attack

IP fragmentation is the process of breaking up a single Internet Protocol (IP) datagram into multiple packets of smaller size. Every network link has a characteristic size of messages that may be transmitted, called the maximum transmission unit (MTU).

Part of the TCP/IP suite is the Internet Protocol (IP) which resides at the Internet Layer of this model. IP is responsible for the transmission of packets between network end points. IP includes some features which provide basic measures of fault-tolerance (time to live, checksum), traffic prioritization (type of service) and support for the fragmentation of larger packets into multiple smaller packets (ID field, fragment offset). The support for fragmentation of larger packets provides a protocol allowing routers to fragment a packet into smaller packets when the original packet is too large for the supporting datalink frames. IP fragmentation exploits (attacks) use the fragmentation protocol within IP as an attack vector.

Process

IP datagrams are encapsulated in datalink frames, and, therefore, the link MTU affects larger IP datagrams and forces them to be split into pieces equal to or smaller than the MTU size.

This can be accomplished by several approaches:

Three fields in the IP header are used to implement fragmentation and reassembly. The "Identification", "Flags" and "Fragment Offset" fields.

  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |Version|  IHL  |Type of Service|          Total Length         |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |         Identification        |Flags|      Fragment Offset    |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |  Time to Live |    Protocol   |         Header Checksum       |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                       Source Address                          |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                    Destination Address                        |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                    Options                    |    Padding    |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Flags:

A 3 bit field which says if the datagram is a part of a fragmented data frame or not.
Bit 0: reserved, must be zero (unless datagram is adhering to RFC 3514)
Bit 1: (AF) 0 = May Fragment, 1 = Don't Fragment.
Bit 2: (AF) 0 = Last Fragment, 1 = More Fragments.
         0   1   2                 13 bits
       +---+---+---+    +-----------------------------+
       |   | D | M |    |     Fragment Offset         |
       | 0 | F | F |    +-----------------------------+
       +---+---+---+

Fragment Offset specifies the fragment's position within the original Datagram, measured in 8-byte units.

Accordingly, every fragment except the last must contain a multiple of 8 bytes of data. It is obvious that Fragment Offset can hold 8192 (2^13) units but the datagram can't have 8192 * 8 = 65536 bytes of data because "Total Length" field of IP header records the total size including the header and data. An IP header is at least 20 bytes long, so the maximum value for "Fragment Offset" is restricted to 8189, which leaves room for 3 bytes in the last fragment.

Because an IP internet can be connectionless, fragments from one datagram may be interleaved with those from another at the destination. The "Identification field" uniquely identifies the fragments of a particular datagram.

The source system sets "Identification" field in each datagram to a unique value for all datagrams which use the same source IP address, destination IP address, and "Protocol" values, for the lifetime of the datagram on the internet. This way the destination can distinguish which incoming fragments belong to a unique datagram and buffer all of them until the last fragment is received. The last fragment sets the "More Fragment" bit to 0 and this tells the receiving station to start reassembling the data if all fragments have been received.

The following is a real-life fragmentation example:

The following was obtained using the Ethereal protocol analyzer to capture ICMP echo request packets. To simulate this open up a terminal and type ping ip_dest -n 1 -l 65000.

The results are as follows:

     No. Time      Source                Destination           Protocol Info
     1 0.000000    87.247.163.96         66.94.234.13          ICMP     Echo (ping) request
     2 0.000000    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=1480)
     3 0.002929    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=2960)
     4 6.111328    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=4440)
     5 6.123046    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=5920)
     6 6.130859    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=7400)
     7 6.170898    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=8880)
     8 6.214843    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=10360)
     9 6.239257    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=11840)
    10 6.287109    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=13320)
    11 6.302734    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=14800)
    12 6.327148    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=16280)
    13 6.371093    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=17760)
    14 6.395507    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=19240)
    15 6.434570    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=20720)
    16 6.455078    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=22200)
    17 6.531250    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=23680)
    18 6.550781    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=25160)
    19 6.575195    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=26640)
    20 6.615234    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=28120)
    21 6.634765    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=29600)
    22 6.659179    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=31080)
    23 6.682617    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=32560)
    24 6.699218    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=34040)
    25 6.743164    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=35520)
    26 6.766601    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=37000)
    27 6.783203    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=38480)
    28 6.806640    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=39960)
    29 6.831054    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=41440)
    30 6.850586    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=42920)
    31 6.899414    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=44400)
    32 6.915039    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=45880)
    33 6.939453    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=47360)
    34 6.958984    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=48840)
    35 6.983398    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=50320)
    36 7.023437    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=51800)
    37 7.046875    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=53280)
    38 7.067382    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=54760)
    39 7.090820    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=56240)
    40 7.130859    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=57720)
    41 7.151367    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=59200)
    42 7.174804    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=60680)
    43 7.199218    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=62160)
    44 7.214843    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=63640)
    45 7.258789    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=65120)

The first packet details:

     No.Time        Source                Destination          Protocol Info
     1 0.000000    87.247.163.96         66.94.234.13          ICMP     Echo (ping) request

Frame 1 (1514 bytes on wire, 1514 bytes captured) Ethernet II, Src: OmronTat_00:00:00 (00:00:0a:00:00:00), Dst: 40:0f:20:00:0c:00 (40:0f:20:00:0c:00) Internet Protocol, Src: 87.247.163.96 (87.247.163.96), Dst: 66.94.234.13 (66.94.234.13) Internet Control Message Protocol

   Type: 8 (Echo (ping) request)
   Code: 0
   Checksum: 0x6b7d
   Identifier: 0x0600
   Sequence number: 0x0200
   Data (1472 bytes)

The second packet details:

    No. Time        Source                Destination          Protocol Info
     2 0.000000    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=1480)

Frame 2 (1514 bytes on wire, 1514 bytes captured) Ethernet II, Src: OmronTat_00:00:00 (00:00:0a:00:00:00), Dst: 40:0f:20:00:0c:00 (40:0f:20:00:0c:00) Internet Protocol, Src: 87.247.163.96 (87.247.163.96), Dst: 66.94.234.13 (66.94.234.13) Data (1480 bytes)

Note that only the first fragment contains the ICMP header and all remaining fragments are generated without the ICMP header.

Two important points here:

Exploits

IP fragment overlapped
The IP fragment overlapped exploit occurs when two fragments contained within the same IP datagram have offsets that indicate that they overlap each other in positioning within the datagram. This could mean that either fragment A is being completely overwritten by fragment B, or that fragment A is partially being overwritten by fragment B. Some operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in other undesirable ways upon receipt of overlapping fragments. This is the basis for the teardrop attack. Overlapping fragments may also be used in an attempt to bypass Intrusion Detection Systems. In this exploit, part of an attack is sent in fragments along with additional random data; future fragments may overwrite the random data with the remainder of the attack. If the completed datagram is not properly reassembled at the IDS, the attack will go undetected.
IP fragmentation buffer full
The IP fragmentation buffer full exploit occurs when there is an excessive amount of incomplete fragmented traffic detected on the protected network. This could be due to an excessive number of incomplete fragmented datagrams, a large number of fragments for individual datagrams or a combination of quantity of incomplete datagrams and size/number of fragments in each datagram. This type of traffic is most likely an attempt to bypass security measures or Intrusion Detection Systems by intentional fragmentation of attack activity.
IP fragment overrun
The IP Fragment Overrun exploit is when a reassembled fragmented datagram exceeds the declared IP data length or the maximum datagram length. By definition, no IP datagram should be larger than 65,535 bytes. Systems that try to process these large datagrams can crash, and can be indicative of a denial of service attempt.
IP fragment too many datagrams
The Too Many Datagrams exploit is identified by an excessive number of incomplete fragmented datagrams detected on the network. This is usually either a denial of service attack or an attempt to bypass security measures. An example of "Too Many Datagrams", "Incomplete Datagram" and "Fragment Too Small" is the Rose Attack.[1]
IP fragment incomplete datagram
This exploit occurs when a datagram can not be fully reassembled due to missing data. This can indicate a denial of service attack or an attempt to defeat packet filter security policies.
IP Fragment Too Small
If an IP fragment is too small it indicates that the fragment is likely intentionally crafted. Any fragment other than the final fragment that is less than 400 bytes could be considered too small. Small fragments may be used in denial of service attacks or in an attempt to bypass security measures or detection.

Fragmentation for evasion

Network infrastructure equipment such as routers, load-balancers, firewalls and IPS have inconsistent visibility into fragmented packets. For example, a device may subject the initial fragment to rigorous inspection and auditing, but might allow all additional fragments to pass unchecked. Some attacks may use this fact to evade detection by placing incriminating payload data in fragments. Devices operating in "full" proxy mode are generally not susceptible to this subterfuge.

References

External links

This article is issued from Wikipedia - version of the Wednesday, January 13, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.