IP fragmentation attack: Difference between revisions

Added {{ref improve}} tag to article (TW)
begin tidying
{{technical|date=April 2014}}
{{ref improve|date=April 2014}}
 
'''[[IP fragmentation]]''' is the process of breaking up a single [[Internet Protocol]] (IP) [[datagram]] into multiple packets of smaller size. Every network link has a characteristic size of [[Data frame|messages]] that may be transmitted, called the [[maximum transmission unit]] (MTU).
 
The Internet Protocol (IP), part of the TCP/IP suite, resides at the [[Internet Layer]] of that model. IP is responsible for the transmission of packets between network end points. IP includes some features that provide basic measures of fault tolerance (time to live, checksum), traffic prioritization (type of service) and support for the fragmentation of larger packets into multiple smaller packets (identification field, fragment offset). The fragmentation support allows routers to split a packet into smaller packets when the original packet is too large for the underlying datalink frames. IP fragmentation exploits (attacks) use this fragmentation mechanism within IP as an attack vector.
 
== Process ==
 
IP datagrams are encapsulated in datalink frames, and, therefore, the link MTU affects larger IP [[datagram]]s and forces them to be split into pieces equal to or smaller than the MTU size.
 
* Additional overhead is imposed on the network because every fragment carries its own IP header: additional overhead = (number_of_fragments - 1) * ip_header_len.
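The following is an added example, not code from the article: it applies the fragmentation procedure of RFC 791 (fragment offsets counted in 8-octet blocks, the MF flag cleared only on the last fragment) to a datagram of a constructed size and checks the overhead formula quoted above. The 3,980-byte payload, the 1,500-byte MTU and the function names are assumptions chosen for illustration.

```python
"""Fragment an IPv4 datagram for a link MTU and compute the header overhead.

Added example; sizes used below are constructed, not taken from the article.
"""
from dataclasses import dataclass
from typing import List

IP_HEADER_LEN = 20        # IPv4 header without options
MAX_DATAGRAM = 65535      # limit imposed by the 16-bit total length field


@dataclass
class Fragment:
    offset: int             # payload offset in bytes (always a multiple of 8)
    payload_len: int        # payload bytes carried by this fragment
    more_fragments: bool    # MF flag: False only on the final fragment

    @property
    def offset_field(self) -> int:
        # The header stores the offset in 8-octet units (13-bit field).
        return self.offset // 8


def fragment(payload_len: int, mtu: int, header_len: int = IP_HEADER_LEN) -> List[Fragment]:
    """Split a datagram carrying payload_len bytes into fragments that fit mtu.

    Every fragment except the last must carry a multiple of 8 payload bytes,
    because the fragment offset field counts 8-octet blocks (RFC 791).
    """
    if header_len + payload_len > MAX_DATAGRAM:
        raise ValueError("datagram exceeds the 65,535-byte IP limit")
    if mtu - header_len < 8:
        raise ValueError("MTU too small to carry one 8-octet fragment block")
    if header_len + payload_len <= mtu:
        return [Fragment(0, payload_len, False)]     # fits: no fragmentation

    # Largest payload per fragment, rounded down to an 8-byte boundary.
    per_frag = ((mtu - header_len) // 8) * 8
    frags: List[Fragment] = []
    offset = 0
    while offset < payload_len:
        chunk = min(per_frag, payload_len - offset)
        is_last = offset + chunk >= payload_len
        frags.append(Fragment(offset, chunk, not is_last))
        offset += chunk
    return frags


def fragmentation_overhead(frags: List[Fragment], header_len: int = IP_HEADER_LEN) -> int:
    """Extra bytes on the wire versus the unfragmented datagram: every
    fragment after the first repeats the IP header (the article's formula)."""
    return (len(frags) - 1) * header_len


def wire_bytes(frags: List[Fragment], header_len: int = IP_HEADER_LEN) -> int:
    """Total bytes transmitted for all fragments, headers included."""
    return sum(header_len + f.payload_len for f in frags)


if __name__ == "__main__":
    # Constructed case: a 4,000-byte datagram (20-byte header) over a 1,500-byte MTU.
    frags = fragment(3980, 1500)
    for f in frags:
        print(f"offset={f.offset:5d} (field {f.offset_field:4d}) "
              f"len={f.payload_len:4d} MF={int(f.more_fragments)}")
    print("overhead:", fragmentation_overhead(frags), "bytes;",
          "on the wire:", wire_bytes(frags), "bytes")
```

With the constructed inputs the datagram becomes three fragments of 1,480, 1,480 and 1,020 payload bytes, and the two repeated headers add 40 bytes, as the formula predicts.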
 
== Exploits ==

=== IP fragment overlapped ===
The IP fragment overlapped [[exploit (computer security)|exploit]] occurs when two fragments contained within the same IP datagram have offsets that indicate that they overlap each other in positioning within the datagram. This could mean that either fragment A is being completely overwritten by fragment B, or that fragment A is partially being overwritten by fragment B. Some operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in other undesirable ways upon receipt of overlapping fragments. This is the basis for the [[Teardrop attack|teardrop]] [[denial of service]] attack.

=== IP fragmentation buffer full ===
The IP fragmentation buffer full exploit occurs when an excessive amount of incomplete fragmented traffic is detected on the protected network. This could be due to an excessive number of incomplete fragmented datagrams, a large number of fragments for individual datagrams, or a combination of the quantity of incomplete datagrams and the size and number of fragments in each. This type of traffic is most likely an attempt to bypass security measures or [[Intrusion Detection Systems]] by intentionally fragmenting attack activity.

=== IP fragment overrun ===
The IP fragment overrun exploit occurs when a reassembled fragmented datagram exceeds the declared IP data length or the maximum datagram length. By definition, no IP datagram should be larger than 65,535 bytes. Systems that try to process these large datagrams can crash, and such datagrams can be indicative of a denial of service attempt.

=== IP fragment too many datagrams ===
The too many datagrams exploit is identified by an excessive number of incomplete fragmented datagrams detected on the network. This is usually either a denial of service attack or an attempt to bypass security measures. An example of "Too Many Datagrams", "Incomplete Datagram" and "Fragment Too Small" is the Rose Attack.<ref>[http://www.digital.net/~gandalf/Rose_Frag_Attack_Explained.htm Ken Hollis, "The Rose Attack Explained", Retrieved on 2013-11-25]</ref>

=== IP fragment incomplete datagram ===
This exploit occurs when a datagram cannot be fully reassembled due to missing data. This can indicate a denial of service attack or an attempt to defeat packet filter security policies.

=== IP fragment too small ===
If an IP fragment is too small, it indicates that the fragment was likely intentionally crafted. Any fragment other than the final fragment that is less than 400 bytes could be considered too small. Small fragments may be used in denial of service attacks or in an attempt to bypass security measures or detection.

== Fragmentation for evasion ==
Overlapping fragments may also be used in an attempt to bypass Intrusion Detection Systems. In this exploit, part of an attack is sent in fragments along with additional random data; later fragments may overwrite the random data with the remainder of the attack. If the completed datagram is not properly reassembled at the IDS, the attack will go undetected.

Network infrastructure equipment such as [[Router (computing)|routers]], [[Load balancing (computing)|load-balancers]], [[Firewall (computing)|firewalls]] and [[Intrusion prevention system|IPS]] have inconsistent visibility into fragmented packets. For example, a device may subject the initial fragment to rigorous inspection and auditing, but might allow all additional fragments to pass unchecked. Some attacks may use this fact to evade detection by placing incriminating payload data in later fragments. Devices operating in [[Proxy server|"full" proxy mode]] are generally not susceptible to this subterfuge, because they reassemble the datagram before inspecting it.
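The following is an added example, not code from the article or from any IDS product: a small IPv4 fragment inspector that tracks fragments per datagram (source, destination, protocol, identification) and applies the checks described in the exploits section above: overlapping fragments, fragment overrun past 65,535 bytes, non-final fragments smaller than the article's 400-byte rule of thumb, datagrams that never reassemble completely, and too many incomplete datagrams at once. Because it reassembles every fragment rather than inspecting only the first, it also illustrates the visibility that the evasion section says first-fragment-only devices lack. The fragments are constructed in memory with struct.pack and their checksums are left zero; the `max_incomplete` threshold, the class and function names and the addresses are assumptions.

```python
"""Inspect a stream of IPv4 fragments for the reassembly anomalies the article lists.

Added example; every packet below is constructed in memory, not captured traffic.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

IP_HEADER_LEN = 20
MAX_DATAGRAM = 65535
SMALL_FRAGMENT_BYTES = 400      # article's rule of thumb for non-final fragments
MF_FLAG = 0x2000                # "more fragments" bit in the flags/offset word
OFFSET_MASK = 0x1FFF            # 13-bit fragment offset, in 8-octet units
IPV4_FMT = "!BBHHHBBH4s4s"      # fixed 20-byte IPv4 header, no options

DatagramKey = Tuple[bytes, bytes, int, int]   # (src, dst, protocol, identification)


def make_fragment(ident: int, offset: int, payload: bytes, more: bool,
                  src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Build a constructed IPv4 fragment (UDP protocol number, checksum left zero)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_frag = (MF_FLAG if more else 0) | ((offset // 8) & OFFSET_MASK)
    header = struct.pack(IPV4_FMT, 0x45, 0, IP_HEADER_LEN + len(payload),
                         ident, flags_frag, 64, 17, 0, src, dst)
    return header + payload


def parse_fragment(pkt: bytes) -> Tuple[DatagramKey, int, int, bool]:
    """Return (datagram key, offset in bytes, payload length, MF flag)."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, pkt[:IP_HEADER_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & OFFSET_MASK) * 8
    return (src, dst, proto, ident), offset, total_len - ihl, bool(flags_frag & MF_FLAG)


class FragmentInspector:
    """Per-datagram fragment table with the article's anomaly checks."""

    def __init__(self, max_incomplete: int = 3):
        # Assumed threshold for the "too many datagrams" check; a real sensor would tune it.
        self.max_incomplete = max_incomplete
        self.table: Dict[DatagramKey, List[Tuple[int, int, bool]]] = defaultdict(list)

    def feed(self, pkt: bytes) -> List[str]:
        """Record one fragment and return the per-fragment alerts it triggers."""
        key, off, length, more = parse_fragment(pkt)
        alerts: List[str] = []
        if more and length < SMALL_FRAGMENT_BYTES:
            alerts.append("fragment too small")
        if IP_HEADER_LEN + off + length > MAX_DATAGRAM:
            alerts.append("fragment overrun")
        # Overlap: this fragment's byte range intersects one already seen.
        for prev_off, prev_len, _ in self.table[key]:
            if off < prev_off + prev_len and prev_off < off + length:
                alerts.append("overlapping fragment")
                break
        self.table[key].append((off, length, more))
        return alerts

    def is_complete(self, key: DatagramKey) -> bool:
        """True when a final fragment was seen and bytes 0..end are contiguously covered."""
        frags = sorted(self.table.get(key, []))
        ends = [off + ln for off, ln, more in frags if not more]
        if not ends:
            return False                  # no fragment with MF clear yet
        covered = 0
        for off, ln, _ in frags:
            if off > covered:
                return False              # hole before this fragment
            covered = max(covered, off + ln)
        return covered >= max(ends)

    def incomplete_datagrams(self) -> List[DatagramKey]:
        return [k for k in list(self.table) if not self.is_complete(k)]

    def summary(self) -> List[str]:
        """Table-wide alerts: each incomplete datagram, and too many of them at once."""
        incomplete = self.incomplete_datagrams()
        alerts = [f"incomplete datagram id={k[3]}" for k in incomplete]
        if len(incomplete) > self.max_incomplete:
            alerts.append("too many incomplete datagrams")
        return alerts


if __name__ == "__main__":
    insp = FragmentInspector()
    for pkt in (make_fragment(1, 0, b"A" * 1480, True),      # well-formed pair
                make_fragment(1, 1480, b"B" * 520, False),
                make_fragment(2, 0, b"A" * 1480, True),      # overlap at offset 800
                make_fragment(2, 800, b"B" * 1000, False),
                make_fragment(3, 0, b"x" * 64, True),        # tiny non-final fragment
                make_fragment(4, 65528, b"y" * 100, False)): # runs past 65,535 bytes
        print(parse_fragment(pkt)[0][3], insp.feed(pkt))
    print(insp.summary())
```

Running the block prints an empty alert list for the well-formed pair, then "overlapping fragment", "fragment too small" and "fragment overrun" for the three constructed anomalies; the summary lists ids 3 and 4 as incomplete because neither has contiguous coverage from offset 0 up to a final fragment.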
 
== References ==
{{reflist}}

== External links ==
* {{Waybackdate|site=http://www.kohala.com/start/|date=20020802080303|title=W. Richard Stevens' Home Page}}
* [http://www.ietf.org/rfc/rfc1858.txt RFC 1858]
* [http://www.ietf.org/rfc/rfc791.txt RFC 791]
 
[[Category:Internet security]]