IP fragmentation attack: Difference between revisions

Content deleted Content added
Hayazin (talk | contribs)
Process: Cleaned and tidied up the bit diagrams and
The terms packet and datagram are not interchangeable. Packet refers strictly to the data units in layer 3 (network) of the OSI model (implemented by IP), whereas datagram strictly refers to the data unit for layer 4 (transport) of the OSI model when an unreliable protocol (UDP) is used.
Line 4:
}}
 
'''IP fragmentation''' is the process of breaking up a single [[Internet Protocol]] (IP) [[datagramnetwork packet|packet]] into multiple packets of smaller size. Every network link has a characteristic size of [[Data frame|messages]] that may be transmitted, called the [[maximum transmission unit]] (MTU).
 
Part of the TCP/IP suite is the Internet Protocol (IP) which resides at the [[Internet Layer]] of this model. IP is responsible for the transmission of packets between network end points. IP includes some features which provide basic measures of fault-tolerance (time to live, checksum), traffic prioritization (type of service) and support for the fragmentation of larger packets into multiple smaller packets (ID field, fragment offset). The support for fragmentation of larger packets provides a protocol allowing routers to fragment a packet into smaller packets when the original packet is too large for the supporting datalink frames. IP fragmentation exploits (attacks) use the fragmentation protocol within IP as an attack vector.
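Review bot: the second paragraph of this hunk says IP "resides at the Internet Layer of this model" without naming a model; the sentence opens with "Part of the TCP/IP suite", so write "of the TCP/IP model" to give the antecedent. The same paragraph calls fragmentation support "a protocol allowing routers to fragment a packet" and closes with "use the fragmentation protocol within IP"; fragmentation is a mechanism of IP itself, not a separate protocol, so "mechanism" fits the terminology clean-up this edit is making. The link change on the first line ([[datagram|packet]] to [[network packet|packet]]) is consistent with the rest of the edit.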
Line 10:
== Process ==
 
IP datagramspackets are encapsulated in datalink frames, and, therefore, the link MTU affects larger IP [[datagramnetwork packet|packets]]s and forces them to be split into pieces equal to or smaller than the MTU size.
 
This can be accomplished by several approaches:
* To set the IP datagram[[network packet|packet]] size equal or smaller than the directly attached medium and delegate all further fragmentation of datagramspackets to routers, meaning that routers decide if the current datagrampacket should be re-fragmented or not. This offloads a lot of work on to routers, and can also result in packets being segmented by several IP routers one after another, resulting in very peculiar fragmentation.
* To preview all links between source and destination and select the smallest MTU in this route, assuming there is a unique route. This way we make sure that the fragmentation is done by the sender, using a packet-size smaller than the selected MTU, and there is no further fragmentation en route. This solution, called [[Path MTU Discovery]], allows a sender to fragment/segment a long [[Internet]] [[packet (information technology)|packet]], rather than relying on routers to perform IP-level fragmentation. This is more efficient and more scalable. It is therefore the recommended method in the current Internet. The problem with this approach is that each packet is routed independently; they may well typically follow the same route, but they may not, and so a probe packet to determine fragmentation may follow a path different from paths taken by later packets.
 
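Review bot: the replacement on the first line of this hunk leaves a stray "s" outside the link, so "[[network packet|packets]]s" will render as "packetss"; drop the trailing s. In the second bullet the link [[packet (information technology)|packet]] is left untouched while every other occurrence in this edit now points to [[network packet|packet]]; make the target consistent. In the first bullet "re-fragmented" describes a packet that may not have been fragmented yet; "fragmented further" matches what the sentence goes on to say about several routers fragmenting one after another.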
Line 106:
Flags:
 
: A 3 bit field which says if the datagrampacket is a part of a fragmented [[data frame]] or not.
 
: Bit 0: reserved, must be zero (unless datagrampacket is adhering to RFC 3514)
: Bit 1: (AF) 0 = May Fragment, 1 = Don't Fragment.
: Bit 2: (AF) 0 = Last Fragment, 1 = More Fragments.
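Review bot: the last two lines of this hunk both label their bit "(AF)", which matches neither name given on the same line; "Don't Fragment" is conventionally abbreviated DF and "More Fragments" MF, so the labels should read (DF) and (MF). The first line still says the packet is "part of a fragmented [[data frame]]", which contradicts the terminology change this edit makes (the unit being fragmented here is the IP packet, not a link-layer frame) and should link to [[network packet|packet]] instead.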
Line 121:
|}
 
Fragment Offset specifies the fragment's position within the original Datagrampacket, measured in 8-byte units.
 
Accordingly, every fragment except the last must contain a multiple of 8 bytes of data. It is obvious that Fragment Offset can hold 8192 (2^13) units but the [[datagramnetwork packet|packet]] can't have 8192 * 8 = 65536 bytes of data because "Total Length" field of [[internet protocol|IP]] header records the total size including the header and data. An IP header is at least 20 bytes long, so the maximum value for "Fragment Offset" is restricted to 8189, which leaves room for 3 bytes in the last fragment.
 
Because an IP internet can be connectionless, fragments from one datagram[[network packet|packet]] may be interleaved with those from another at the destination. The "Identification field" uniquely identifies the fragments of a particular [[datagramnetwork packet|packet]].
 
The source system sets "Identification" field in each datagram[[network packet|packet]] to a unique value for all datagrams[[network packet|packets]] which use the same source IP address, destination IP address, and "Protocol" values, for the lifetime of the datagram[[network packet|packet]] on the internet. This way the destination can distinguish which incoming fragments belong to a unique datagram[[network packet|packet]] and buffer all of them until the last fragment is received. The last fragment sets the "More Fragment" bit to 0 and this tells the receiving station to start reassembling the data if all fragments have been received.
 
The following is a real-life fragmentation example:
 
The following was obtained using the [[Wireshark|Ethereal]] protocol analyzer to capture [[Internet Control Message Protocol|ICMP]] [[Ping (networking utility)|echo request]] packets. To simulate this open up a terminal and type ping ip_dest -n 1 -l 65000.
<!-- The terminal command doesn't work for BASH on Darwin. -->
 
The results are as follows:
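Review bot: the capture instructions in this hunk give "ping ip_dest -n 1 -l 65000", which is Windows ping syntax (-n count, -l payload size), and the hidden comment on the next line already records that it does not work in a Darwin shell; state the platform in the visible text (for example "on Windows, type ...") rather than leaving the caveat in a comment readers never see. The Fragment Offset arithmetic checks out (65535 - 20 = 65515 bytes of data; 65515 / 8 = 8189 remainder 3), so the 8189 and 3-byte figures are fine, but "It is obvious that" should go, since the paragraph then has to spell the reasoning out. In the Identification paragraph the phrase "a unique value for all ... packets which use the same source IP address, destination IP address, and 'Protocol' values" would read better as "a value that is unique among all packets with the same ... for the packet's lifetime", which is what the following sentence relies on.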
Line 213 ⟶ 214:
 
Two important points here:
* In some datalink protocols such as Ethernet, only the first fragment contains the full upper layer header, meaning that other fragments look like beheaded datagrams[[network packet|packets]].
* Additional overhead imposed over network because all fragments contains their own IP header. Additional overhead = (number_of_fragments - 1) * (ip_header_len);
 
== Exploits ==
 
; IP fragment overlapped: The IP fragment overlapped [[exploit (computer security)|exploit]] occurs when two fragments contained within the same IP datagram[[network packet|packet]] have offsets that indicate that they overlap each other in positioning within the datagram[[network packet|packet]]. This could mean that either fragment A is being completely overwritten by fragment B, or that fragment A is partially being overwritten by fragment B. Some operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in other undesirable ways upon receipt of overlapping fragments. This is the basis for the [[teardrop attack]]. Overlapping fragments may also be used in an attempt to bypass Intrusion Detection Systems. In this exploit, part of an attack is sent in fragments along with additional random data; future fragments may overwrite the random data with the remainder of the attack. If the completed datagram[[network packet|packet]] is not properly reassembled at the IDS, the attack will go undetected.
; IP fragmentation buffer full: The IP fragmentation buffer full exploit occurs when there is an excessive amount of incomplete fragmented traffic detected on the protected network. This could be due to an excessive number of incomplete fragmented datagrams[[network packet|packets]], a large number of fragments for individual datagrams[[network packet|packets]] or a combination of quantity of incomplete datagrams[[network packet|packets]] and size/number of fragments in each datagram[[network packet|packet]]. This type of traffic is most likely an attempt to bypass security measures or [[Intrusion Detection Systems]] by intentional fragmentation of attack activity.
; IP fragment overrun: The IP Fragment Overrun exploit is when a reassembled fragmented datagram[[network packet|packet]] exceeds the declared IP data length or the maximum datagram[[network packet|packet]] length. By definition, no IP datagrampacket should be larger than 65,535 bytes. Systems that try to process these large datagrams[[network packet|packets]] can crash, and can be indicative of a denial of service attempt.
; IP fragment too many datagramspackets: The "Too Many DatagramsPackets" exploit is identified by an excessive number of incomplete fragmented datagrams[[network packet|packet]] detected on the network. This is usually either a denial of service attack or an attempt to bypass security measures. An example of "Too Many DatagramsPackets", "Incomplete DatagramPacket" and "Fragment Too Small" is the Rose Attack.<ref>[http://www.digital.net/~gandalf/Rose_Frag_Attack_Explained.htm Ken Hollis, "The Rose Attack Explained", Retrieved on 2013-11-25]</ref>
; IP fragment incomplete datagrampacket: This exploit occurs when a datagram[[network packet|packet]] can not be fully reassembled due to missing data. This can indicate a denial of service attack or an attempt to defeat packet filter security policies.
; IP Fragment Too Small: If an IP fragment is too small it indicates that the fragment is likely intentionally crafted. Any fragment other than the final fragment that is less than 400 bytes could be considered too small. Small fragments may be used in denial of service attacks or in an attempt to bypass security measures or detection.
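Review bot: on the "IP fragment too many" line the replacement turns the plural "datagrams" into the singular "[[network packet|packet]]", so the rendered text reads "an excessive number of incomplete fragmented packet detected"; it should be "packets". The overhead bullet has an agreement error ("all fragments contains") and its formula ends with a stray semicolon; "because every fragment carries its own IP header. Additional overhead = (number_of_fragments - 1) * ip_header_len" is cleaner. The "Too Small" entry states a 400-byte threshold with no source, while the "Too Many" entry does cite one; either cite where the 400-byte figure comes from or mark it as a typical detection tuning value.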