Content deleted Content added
rephrased the intro + added short description |
wording; sources; archived reference |
||
Line 9:
Part of the [[Internet protocol suite|TCP/IP suite]] is the Internet Protocol (IP) which resides at the [[Internet Layer]] of this model. IP is responsible for the transmission of packets between network end points. IP includes some features which provide basic measures of fault-tolerance (time to live, checksum), traffic prioritization (type of service) and support for the fragmentation of larger packets into multiple smaller packets (ID field, fragment offset). The support for fragmentation of larger packets provides a protocol allowing routers to fragment a packet into smaller packets when the original packet is too large for the supporting datalink frames. IP fragmentation exploits (attacks) use the fragmentation protocol within IP as an attack vector.
According to [Kurose 2013], in one type of IP fragmentation attack "the attacker sends a stream of small fragments to the target host, none of which has an offset of zero. The target can collapse as it attempts to rebuild datagrams out of the degenerate packets."<ref name=":0">{{Cite book|url=https://www.worldcat.org/oclc/769141382|title=Computer Networking: A Top-down Approach|last=Kurose|first=James F.|date=2013|publisher=Pearson|others=Ross, Keith W., 1956-|year=|isbn=9780132856201|edition=6th|___location=Boston|pages=338|oclc=769141382}}</ref> Another attack involves sending overlapping fragments with non-aligned offsets, which can render vulnerable operating systems not knowing what to do, causing some to crash.<ref name=":0" />
== Process ==
Line 224 ⟶ 226:
; IP fragmentation buffer full: The IP fragmentation buffer full exploit occurs when there is an excessive amount of incomplete fragmented traffic detected on the protected network. This could be due to an excessive number of incomplete fragmented [[network packet|packets]], a large number of fragments for individual [[network packet|packets]] or a combination of quantity of incomplete [[network packet|packets]] and size/number of fragments in each [[network packet|packet]]. This type of traffic is most likely an attempt to bypass security measures or [[Intrusion Detection Systems]] by intentional fragmentation of attack activity.
; IP fragment overrun: The IP Fragment Overrun exploit is when a reassembled fragmented [[network packet|packet]] exceeds the declared IP data length or the maximum [[network packet|packet]] length. By definition, no IP packet should be larger than 65,535 bytes. Systems that try to process these large [[network packet|packets]] can crash, and can be indicative of a denial of service attempt.
; IP fragment too many packets:
; IP fragment incomplete packet: This exploit occurs when a [[network packet|packet]] can not be fully reassembled due to missing data. This can indicate a denial of service attack or an attempt to defeat packet filter security policies.
; IP Fragment Too Small: If an IP fragment is too small it indicates that the fragment is likely intentionally crafted. Any fragment other than the final fragment that is less than 400 bytes could be considered too small. Small fragments may be used in denial of service attacks or in an attempt to bypass security measures or detection.
| |||