}}
'''IP fragmentation attacks''' are a kind of [[cyberattack|computer security attack]] based on how the [[Internet Protocol]] (IP) requires data to be transmitted and processed. Specifically, it invokes [[IP fragmentation]], a process used to partition messages (the [[service data unit]] (SDU); typically a [[network packet|packet]]) from one layer of a network into multiple smaller [[payload (computing)|payload]]s that can fit within the lower layer's [[protocol data unit]] (PDU). Every network link has a maximum size of [[data frame|messages]] that may be transmitted, called the [[maximum transmission unit]] (MTU). If the SDU plus metadata added at the [[link layer]] exceeds the MTU, the SDU must be fragmented. IP fragmentation attacks exploit this process as an [[attack vector]].
Part of the [[Internet protocol suite|TCP/IP suite]] is the Internet Protocol (IP) which resides at the [[Internet Layer]] of this model. IP is responsible for the transmission of packets between network end points. IP includes some features which provide basic measures of fault-tolerance (time to live, checksum), traffic prioritization (type of service) and support for the fragmentation of larger packets into multiple smaller packets (ID field, fragment offset). The support for fragmentation of larger packets provides a protocol allowing routers to fragment a packet into smaller packets when the original packet is too large for the supporting datalink frames. IP fragmentation exploits (attacks) use the fragmentation protocol within IP as an attack vector.
According to [Kurose 2013], in one type of IP fragmentation attack "the attacker sends a stream of small fragments to the target host, none of which has an offset of zero. The target can collapse as it attempts to rebuild datagrams out of the degenerate packets."<ref name=":0">{{Cite book
== Process ==
! 0
! 0
| colspan="4"|[[IPv4#Version|Version]]
| colspan="4"|[[IPv4#IHL|IHL]]
| colspan="6"|[[IPv4#DSCP|DSCP]]
| colspan="2"|[[IPv4#ECN|ECN]]
| colspan="16"|[[IPv4#Total Length|Total Length]]
|-
! 4
! 32
| colspan="16"|[[IPv4#Identification|Identification]]
| colspan="3"|[[IPv4#Flags|Flags]]
| colspan="13"|[[IPv4#Fragment
|-
! 8
! 64
| colspan="8"|[[IPv4#TTL|Time To Live]]
| colspan="8"|[[IPv4#Protocol|Protocol]]
| colspan="16"|[[IPv4#Header
|-
! 12
! 96
| colspan="32"|[[IPv4#Source address|Source IP Address]]
|-
! 16
! 128
| colspan="32"|[[IPv4#Destination address|Destination IP Address]]
|-
! 20
! 160
| colspan="32" rowspan="4" |[[IPv4#Options|Options]] (if IHL > 5)
|-
! 24
Flags:
: A 3-bit [[bit field|field]] that indicates whether the packet is part of a fragmented [[data frame]].
: Bit 0: reserved, must be zero (unless packet is adhering to RFC 3514)
Fragment Offset specifies the fragment's position within the original packet, measured in 8-byte units.
Accordingly, every fragment except the last must contain a multiple of 8 bytes of data. Fragment Offset can hold 8192 (2^13) units, but the [[network packet|packet]] cannot carry 8192 * 8 = 65,536 bytes of data because the "Total Length" field of [[internet
Because an IP internet can be connectionless, fragments from one [[network packet|packet]] may be interleaved with those from another at the destination. The "Identification field" uniquely identifies the fragments of a particular [[network packet|packet]].
The following real-life fragmentation example was obtained using the [[Wireshark|Ethereal]] protocol analyzer to capture [[
<!-- The terminal command doesn't work for BASH on Darwin. -->
<!-- This example is way too long and messy -->
<syntaxhighlight lang="text">
No. Time Source Destination Protocol Info
1 0.000000 87.247.163.96 66.94.234.13 ICMP Echo (ping) request
Internet Protocol, Src: 87.247.163.96 (87.247.163.96), Dst: 66.94.234.13 (66.94.234.13)
Data (1480 bytes)
</syntaxhighlight>
Note that only the first fragment contains the ICMP header and all remaining fragments are generated without the ICMP header.
; IP fragmentation buffer full: The IP fragmentation buffer full exploit occurs when there is an excessive amount of incomplete fragmented traffic detected on the protected network. This could be due to an excessive number of incomplete fragmented [[network packet|packets]], a large number of fragments for individual [[network packet|packets]] or a combination of quantity of incomplete [[network packet|packets]] and size/number of fragments in each [[network packet|packet]]. This type of traffic is most likely an attempt to bypass security measures or [[Intrusion Detection Systems]] by intentional fragmentation of attack activity.
; IP fragment overrun: The IP Fragment Overrun exploit is when a reassembled fragmented [[network packet|packet]] exceeds the declared IP data length or the maximum [[network packet|packet]] length. By definition, no IP packet should be larger than 65,535 bytes. Systems that try to process these large [[network packet|packets]] can crash, and such traffic can be indicative of a denial of service attempt.
; IP fragment too many packets: The "Too Many Packets" exploit is identified by an excessive number of incomplete fragmented [[network packet|packets]] detected on the network. This is usually either a denial of service attack or an attempt to bypass security measures. An example of "Too Many Packets", "Incomplete Packet" and "Fragment Too Small" is the Rose Attack.<ref>{{Cite web|url=http://www.digital.net/~gandalf/Rose_Frag_Attack_Explained.htm|title=The Rose Fragmentation Attack Explained|last=Hollis|first=Ken
; IP fragment incomplete packet: This exploit occurs when a [[network packet|packet]] can not be fully reassembled due to missing data. This can indicate a denial of service attack or an attempt to defeat packet filter security policies.
; IP Fragment Too Small: If an IP fragment is too small it indicates that the fragment is likely intentionally crafted. Any fragment other than the final fragment that is less than 400 bytes could be considered too small. Small fragments may be used in denial of service attacks or in an attempt to bypass security measures or detection.
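As an added example (not part of the article or of any source it cites), the following Python script builds constructed IPv4 fragments with the header fields described above (Identification, Flags, Fragment Offset in 8-byte units) and labels each reassembly group with the anomaly classes in this list; the function names, the 10.0.0.x addresses and the 400-byte "too small" threshold taken from the text are assumptions.

```python
import struct
from collections import defaultdict
MAX_IP_LEN = 65535    # 16-bit Total Length: no reassembled datagram may exceed this
MIN_FRAG_DATA = 400   # the article's rule of thumb: a smaller non-final fragment is "too small"

def make_fragment(ident, offset, mf, data):
    # Minimal 20-byte IPv4 header: TTL 64, protocol 1 (ICMP), checksum left 0, constructed 10.0.0.x hosts.
    assert offset % 8 == 0 and offset // 8 < 2 ** 13, "offset is 13 bits of 8-byte units"
    flags_frag = (0x2000 if mf else 0) | (offset // 8)      # flag bit 2 = More Fragments (MF)
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(data), ident, flags_frag,
                      64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + data

def parse_fragment(pkt):
    # Returns (identification, more_fragments, offset_in_bytes, payload) from a raw IPv4 packet.
    ver_ihl, _, total_len, ident, flags_frag = struct.unpack('!BBHHH', pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4                               # IHL is counted in 32-bit words
    return ident, bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8, pkt[ihl:total_len]

def classify(packets):
    # Group fragments by Identification and label each group with the anomaly classes from the text.
    groups = defaultdict(list)
    for pkt in packets:
        ident, mf, off, data = parse_fragment(pkt)
        groups[ident].append((off, mf, data))
    report = {}
    for ident, frags in groups.items():
        frags.sort(key=lambda f: f[0])
        findings, reach = set(), 0
        for off, mf, data in frags:
            if off + len(data) > MAX_IP_LEN:
                findings.add('overrun')          # IP fragment overrun
            if mf and len(data) < MIN_FRAG_DATA:
                findings.add('too_small')        # IP fragment too small
            if off > reach:
                findings.add('incomplete')       # hole: a fragment is missing
            reach = max(reach, off + len(data))
        if frags[0][0] != 0:
            findings.add('no_zero_offset')       # the [Kurose 2013] stream with no first fragment
        if frags[-1][1]:
            findings.add('incomplete')           # highest fragment still has MF set: no last fragment
        report[ident] = sorted(findings)
    return report

def demo():
    # Constructed sample traffic: a clean 1500-byte-MTU ping, a degenerate stream, and an overrun.
    pkts = [make_fragment(1, 0, True, b'A' * 1480), make_fragment(1, 1480, False, b'A' * 20),
            make_fragment(2, 8, True, b'B' * 8), make_fragment(2, 16, True, b'B' * 8),
            make_fragment(3, 0, True, b'C' * 1480), make_fragment(3, 65528, False, b'C' * 100)]
    return classify(pkts)
```

Calling demo() reports an empty finding list for the clean datagram and the matching anomaly labels for the other two groups; a real deployment would read fragments off a capture instead of constructing them.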
* [http://kohala.com/start/ W. Richard Stevens' Home Page]
[[Category:Internet security]]