=== IP fragment too small ===
An IP Fragment Too Small exploit is when any fragment other than the final fragment is less than 400 bytes, indicating that the fragment is likely intentionally crafted. Small fragments may be used in denial of service attacks or in an attempt to bypass security measures or detection.
== Fragmentation for evasion ==
Network infrastructure equipment such as [[Router (computing)|routers]], [[Load balancing (computing)|load-balancers]], [[Firewall (computing)|firewalls]] and [[Intrusion prevention system|IPS]] have inconsistent visibility into fragmented packets. For example, a device may subject the initial fragment to rigorous inspection and auditing, but might allow all additional fragments to pass unchecked. Some attacks may use this fact to evade detection by placing incriminating payload data in fragments. Devices operating in [[Proxy server|"full" proxy mode]] are generally not susceptible to this subterfuge.
== Impact of fragmentation on network forwarding ==
When Internet routers forward IP packets across multiple parallel paths, technologies like [[Link aggregation|LAG]] and [[Cisco Express Forwarding|CEF]] divide the traffic up using a [[Hash function|hash algorithm]]. One goal of the algorithm is to send all packets from the same [[Traffic flow (computer networking)|flow]] out the same path, minimizing the risk of [[Out-of-order delivery|packet reordering]]. A [[OSI model|layer-2/3]] hash algorithm will cause all packet fragments to be forwarded equally, but a layer-4 hash algorithm can forward the initial fragment on a different path than subsequent fragments, which can lead to out-of-order arrival. Many hosts and security devices will drop packets when non-initial fragments arrive before the initial fragment.
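The two conditions described above (a non-final fragment under 400 bytes, and a non-initial fragment arriving before its initial fragment) can be checked directly from the IPv4 header. The following is an added example written for this article, not code from any cited source; it parses raw IPv4 fragments with only the standard library and audits a constructed sample stream whose addresses, IDs and sizes are invented for illustration.

```python
import struct

MIN_FRAGMENT_BYTES = 400  # threshold from the text: non-final fragments shorter than this are suspect
IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def parse_ipv4_fragment(pkt: bytes) -> dict:
    """Extract the IPv4 header fields needed for fragment checks."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    _vihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    return {
        "id": ident, "proto": proto, "src": src, "dst": dst,
        "total_len": total_len,
        "mf": bool(flags_off & 0x2000),       # More Fragments flag
        "offset": (flags_off & 0x1FFF) * 8,   # fragment offset is stored in 8-byte units
    }

def audit_fragments(packets) -> list:
    """Walk packets in arrival order and return (index, reason) findings."""
    findings, initial_seen = [], set()
    for i, pkt in enumerate(packets):
        f = parse_ipv4_fragment(pkt)
        if not f["mf"] and f["offset"] == 0:
            continue  # unfragmented datagram, nothing to check
        key = (f["src"], f["dst"], f["id"], f["proto"])  # reassembly tuple
        if f["offset"] == 0:
            initial_seen.add(key)
        elif key not in initial_seen:
            # layer-4 hashing can reorder fragments; many stacks drop this case
            findings.append((i, "non-initial fragment before initial"))
        if f["mf"] and f["total_len"] < MIN_FRAGMENT_BYTES:
            findings.append((i, "fragment too small"))
    return findings

def make_fragment(ident: int, offset: int, mf: bool, payload_len: int) -> bytes:
    """Build a constructed IPv4 fragment (protocol 17, zero checksum) for the sample stream."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, flags_off, 64, 17, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * payload_len

# Constructed sample stream: a normal pair, a too-small initial fragment, and a reordered pair.
SAMPLE_STREAM = [
    make_fragment(1, 0, True, 1480), make_fragment(1, 1480, False, 100),
    make_fragment(2, 0, True, 64),   make_fragment(2, 64, False, 20),
    make_fragment(3, 1480, False, 100), make_fragment(3, 0, True, 1480),
]

if __name__ == "__main__":
    for idx, reason in audit_fragments(SAMPLE_STREAM):
        print(f"packet {idx}: {reason}")
```

The size check compares the fragment's IP total length against the 400-byte figure given above; a device that measures payload length instead would subtract the header length first.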
==References==