IP fragmentation attack: Difference between revisions

Older revision edit summary: Packet structure was copied out of IPv4, update links to point there, as the anchors don't exist on this page
Newer revision edit summary: (none; tagged Reverted)

{{short description|Cyberattack method based on Internet Protocol fragmentation}}
{{Use American English|date = April 2019}}
{{multiple issues|
{{technical|date=April 2014}}
{{refimprove|date=April 2014}}
}}

'''IP fragmentation attacks''' are a kind of [[cyberattack|computer security attack]] based on how the [[Internet Protocol]] (IP) requires data to be transmitted and processed. Specifically, they exploit [[IP fragmentation]], the process used to partition a message (the [[service data unit]] (SDU); typically a [[network packet|packet]]) from one layer of a network into multiple smaller [[payload (computing)|payload]]s that fit within the lower layer's [[protocol data unit]] (PDU). Every network link has a maximum size of [[data frame|message]] that it can carry, called the [[maximum transmission unit]] (MTU). If the SDU plus the metadata added at the link layer exceeds the MTU, the SDU must be fragmented. IP fragmentation attacks use this process as an [[attack vector]].

Part of the [[Internet protocol suite|TCP/IP suite]] is the Internet Protocol (IP), which resides at the [[Internet Layer]] of this model. IP is responsible for the transmission of packets between network end points. IP includes some features that provide basic fault tolerance (time to live, checksum), traffic prioritization (type of service) and support for the fragmentation of larger packets into multiple smaller packets (Identification field, fragment offset). The fragmentation support allows routers to split a packet into smaller packets when the original packet is too large for the underlying data-link frames. IP fragmentation attacks use this fragmentation mechanism as an attack vector.

According to [Kurose 2013], in one type of IP fragmentation attack "the attacker sends a stream of small fragments to the target host, none of which has an offset of zero. The target can collapse as it attempts to rebuild datagrams out of the degenerate packets."<ref name=":0">{{Cite book|title=Computer Networking: A Top-down Approach|last=Kurose|first=James F.|date=2013|publisher=Pearson|others=Ross, Keith W., 1956-|isbn=9780132856201|edition=6th|___location=Boston|pages=338|oclc=769141382}}</ref> Another attack involves sending overlapping fragments with non-aligned offsets, which leaves vulnerable operating systems unable to decide how to reassemble the datagram and causes some of them to crash.<ref name=":0" />

== Process ==
[[File:IPv4 Fragmentation Algorithm-en.png|thumb|300px|The fragmentation algorithm in IPv4.]]
IP packets are carried inside data-link frames, so the link MTU bounds the packet size: an IP packet larger than the MTU must be split into pieces no larger than the MTU.

This can be accomplished by several approaches:
* Set the IP [[network packet|packet]] size to fit the directly attached medium and delegate any further fragmentation to routers, which then decide hop by hop whether the packet must be fragmented again. This pushes work onto routers, and a packet can be fragmented by several routers in turn, producing fragments of very uneven sizes.
* Probe every link between source and destination and pick the smallest MTU on that route, assuming the route is stable. The sender then fragments (or, for TCP, segments) its [[Internet]] [[packet (information technology)|packets]] to a size below that MTU, so nothing has to be fragmented en route. This solution, called [[Path MTU Discovery]], is more efficient and scales better, and is therefore the recommended method on the current Internet. Its weakness is that each packet is routed independently: later packets usually follow the same path as the probe, but need not, and a path change can introduce a link with a smaller MTU.

Three fields in the [[IPv4#Header|IP header]] are used to implement fragmentation and reassembly: "Identification", "Flags" and "Fragment Offset".
{| class="wikitable" style="margin: 0 auto; text-align: center;"
|+ IPv4 Header Format
|-
! ''Offsets''
! [[Octet (computing)|Octet]]
! colspan="8" | 0
! colspan="8" | 1
! colspan="8" | 2
! colspan="8" | 3
|-
! | [[Octet (computing)|Octet]]
! [[Bit]]
! style="width:2.6%;"| 0
! style="width:2.6%;"| 1
! style="width:2.6%;"| 2
! style="width:2.6%;"| 3
! style="width:2.6%;"| 4
! style="width:2.6%;"| 5
! style="width:2.6%;"| 6
! style="width:2.6%;"| 7
! style="width:2.6%;"| 8
! style="width:2.6%;"| 9
! style="width:2.6%;"| 10
! style="width:2.6%;"| 11
! style="width:2.6%;"| 12
! style="width:2.6%;"| 13
! style="width:2.6%;"| 14
! style="width:2.6%;"| 15
! style="width:2.6%;"| 16
! style="width:2.6%;"| 17
! style="width:2.6%;"| 18
! style="width:2.6%;"| 19
! style="width:2.6%;"| 20
! style="width:2.6%;"| 21
! style="width:2.6%;"| 22
! style="width:2.6%;"| 23
! style="width:2.6%;"| 24
! style="width:2.6%;"| 25
! style="width:2.6%;"| 26
! style="width:2.6%;"| 27
! style="width:2.6%;"| 28
! style="width:2.6%;"| 29
! style="width:2.6%;"| 30
! style="width:2.6%;"| 31
|-
! 0
! 0
| colspan="4"|[[IPv4#Version|Version]]
| colspan="4"|[[IPv4#IHL|IHL]]
| colspan="6"|[[IPv4#DSCP|DSCP]]
| colspan="2"|[[IPv4#ECN|ECN]]
| colspan="16"|[[IPv4#Total Length|Total Length]]
|-
! 4
! 32
| colspan="16"|[[IPv4#Identification|Identification]]
| colspan="3"|[[IPv4#Flags|Flags]]
| colspan="13"|[[IPv4#Fragment Offset|Fragment Offset]]
|-
! 8
! 64
| colspan="8"|[[IPv4#TTL|Time To Live]]
| colspan="8"|[[IPv4#Protocol|Protocol]]
| colspan="16"|[[IPv4#Header Checksum|Header Checksum]]
|-
! 12
! 96
| colspan="32"|[[IPv4#Source address|Source IP Address]]
|-
! 16
! 128
| colspan="32"|[[IPv4#Destination address|Destination IP Address]]
|-
! 20
! 160
| colspan="32" rowspan="4" |[[IPv4#Options|Options]] (if IHL > 5)
|-
! 24
! 192
|-
! 28
! 224
|-
! 32
! 256
|}

Flags:
: A 3-bit field that says whether the packet is part of a fragmented [[data frame|datagram]], and whether it may be fragmented at all.

{| class="wikitable" style="text-align: center;"
|-
! Bit
! 0 !! 1 !! 2 !! 3 !! 4 !! 5 !! 6 !! 7 !! 8 !! 9 !! 10 !! 11 !! 12 !! 13 !! 14 !! 15
|-
! Field
| 0 || DF || MF || colspan="13" | Fragment Offset
|}

: Bit 0: reserved, must be zero (RFC 3514, an April Fools' Day RFC, jokingly assigns it as the "evil bit").
: Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment. A router that would have to fragment a packet with DF set drops it instead and returns an ICMP "fragmentation needed" message; Path MTU Discovery relies on this behavior.
: Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments.

Fragment Offset specifies the fragment's position within the original packet, measured in 8-byte units.

Accordingly, every fragment except the last must contain a multiple of 8 bytes of data. Fragment Offset can hold 8192 (2^13) units, but the [[network packet|packet]] can't carry 8192 * 8 = 65,536 bytes of data, because the "Total Length" field of the [[internet protocol|IP]] header records the total size including the header and data. An IP header is at least 20 bytes long, so the maximum value of "Fragment Offset" is restricted to 8189, which leaves room for 3 bytes in the last fragment.

Because an IP internet can be connectionless, fragments from one [[network packet|packet]] may be interleaved with those from another at the destination. The "Identification" field identifies the fragments of a particular [[network packet|packet]].

The source system sets the "Identification" field in each [[network packet|packet]] to a value that is unique among all [[network packet|packets]] with the same source IP address, destination IP address and "Protocol" value for the lifetime of the [[network packet|packet]] on the internet. This way the destination can tell which incoming fragments belong to which [[network packet|packet]] and buffer them until the last fragment arrives. The last fragment has the "More Fragments" bit set to 0, which tells the receiving station to reassemble the data once all fragments have been received.

The following is a real-life fragmentation example:

The following was obtained using the [[Wireshark|Ethereal]] protocol analyzer to capture [[Internet Control Message Protocol|ICMP]] [[Ping (networking utility)|echo request]] packets. To reproduce it, open a terminal and type <code>ping ip_dest -n 1 -l 65000</code> (this is the Windows ping syntax; on Linux or macOS the equivalent is <code>ping -c 1 -s 65000 ip_dest</code>).

The results are as follows:
<pre>
No. Time Source Destination Protocol Info
1 0.000000 87.247.163.96 66.94.234.13 ICMP Echo (ping) request
2 0.000000 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=1480)
3 0.002929 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=2960)
4 6.111328 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=4440)
5 6.123046 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=5920)
6 6.130859 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=7400)
7 6.170898 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=8880)
8 6.214843 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=10360)
9 6.239257 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=11840)
10 6.287109 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=13320)
11 6.302734 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=14800)
12 6.327148 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=16280)
13 6.371093 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=17760)
14 6.395507 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=19240)
15 6.434570 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=20720)
16 6.455078 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=22200)
17 6.531250 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=23680)
18 6.550781 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=25160)
19 6.575195 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=26640)
20 6.615234 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=28120)
21 6.634765 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=29600)
22 6.659179 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=31080)
23 6.682617 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=32560)
24 6.699218 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=34040)
25 6.743164 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=35520)
26 6.766601 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=37000)
27 6.783203 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=38480)
28 6.806640 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=39960)
29 6.831054 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=41440)
30 6.850586 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=42920)
31 6.899414 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=44400)
32 6.915039 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=45880)
33 6.939453 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=47360)
34 6.958984 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=48840)
35 6.983398 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=50320)
36 7.023437 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=51800)
37 7.046875 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=53280)
38 7.067382 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=54760)
39 7.090820 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=56240)
40 7.130859 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=57720)
41 7.151367 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=59200)
42 7.174804 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=60680)
43 7.199218 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=62160)
44 7.214843 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=63640)
45 7.258789 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=65120)
</pre>

Note that only the first fragment contains the ICMP header; all remaining fragments are generated without it. Note also that each fragment carries 1,480 bytes of data (1,500-byte Ethernet MTU minus the 20-byte IP header), so a 65,000-byte ping payload (65,008 bytes of ICMP) would fragment into 44 pieces; the 45 frames above, ending at offset 65,120, correspond to a slightly larger payload than the command line recorded.

The first packet details:
<pre>
No. Time Source Destination Protocol Info
1 0.000000 87.247.163.96 66.94.234.13 ICMP Echo (ping) request

Frame 1 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: OmronTat_00:00:00 (00:00:0a:00:00:00), Dst: 40:0f:20:00:0c:00 (40:0f:20:00:0c:00)
Internet Protocol, Src: 87.247.163.96 (87.247.163.96), Dst: 66.94.234.13 (66.94.234.13)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x6b7d
Identifier: 0x0600
Sequence number: 0x0200
Data (1472 bytes)
</pre>

The second packet details:
<pre>
No. Time Source Destination Protocol Info
2 0.000000 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=1480)

Frame 2 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: OmronTat_00:00:00 (00:00:0a:00:00:00), Dst: 40:0f:20:00:0c:00 (40:0f:20:00:0c:00)
Internet Protocol, Src: 87.247.163.96 (87.247.163.96), Dst: 66.94.234.13 (66.94.234.13)
Data (1480 bytes)
</pre>

Two important points here:
* Only the first fragment contains the upper-layer header (ICMP here; TCP or UDP in general), so the remaining fragments look like headless [[network packet|packets]]. A stateless filter that matches on port numbers or ICMP type therefore cannot classify anything but the first fragment.
* Fragmentation adds overhead, because every fragment carries its own IP header (and its own link-layer framing). Additional IP overhead = (number_of_fragments - 1) * (ip_header_len).
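The fragmentation rules above (8-byte offset units, the MF flag, the 16-bit Total Length limit, and what DF does to a packet that does not fit) as an added Python example; this is not code from the article or from any tool it mentions. It implements the RFC 791 sender-side algorithm for a header without options, using the source and destination addresses from the capture above; the zeroed ICMP payload, the ICMP checksum of zero and the Identification value 0x1234 are constructed for the demonstration. For an Ethernet MTU of 1,500 bytes it reproduces the capture's offsets (0, 1480, 2960, ..., 65120) for a 65,500-byte payload, the largest that Windows ping accepts, and 44 fragments for the 65,000 bytes on the command line.

```python
"""RFC 791 fragmentation as a sending host performs it.

Added example for this article; the payload, identification and ICMP checksum are constructed.
"""
import struct

IP_HEADER_LEN = 20          # IHL = 5, no options
MAX_DATAGRAM = 65535        # Total Length is a 16-bit field
FLAG_DF = 0b010             # Flags bit 1: Don't Fragment
FLAG_MF = 0b001             # Flags bit 2: More Fragments

SRC = bytes([87, 247, 163, 96])     # addresses taken from the capture on this page
DST = bytes([66, 94, 234, 13])


def checksum(data):
    """RFC 1071 one's-complement sum; yields 0 over a header whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src, dst, proto, ident, flags, offset_units, data_len, ttl=64):
    flags_off = (flags << 13) | offset_units             # 3 flag bits + 13-bit offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HEADER_LEN + data_len,
                      ident, flags_off, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def fragment(src, dst, proto, ident, payload, mtu, df=False):
    """Return the list of on-the-wire fragments (each <= mtu) for one datagram."""
    if IP_HEADER_LEN + len(payload) > MAX_DATAGRAM:
        raise ValueError("datagram exceeds 65,535 bytes")
    if IP_HEADER_LEN + len(payload) <= mtu:              # fits: no fragmentation
        return [build_header(src, dst, proto, ident, FLAG_DF if df else 0, 0, len(payload)) + payload]
    if df:   # a router in this position drops the packet and sends ICMP "fragmentation needed"
        raise ValueError("DF set and datagram larger than MTU")
    step = (mtu - IP_HEADER_LEN) // 8 * 8                # non-final fragments carry 8-byte multiples
    frags = []
    for pos in range(0, len(payload), step):
        chunk = payload[pos:pos + step]
        more = pos + len(chunk) < len(payload)
        frags.append(build_header(src, dst, proto, ident,
                                  FLAG_MF if more else 0, pos // 8, len(chunk)) + chunk)
    return frags


def parse_header(pkt):
    """Decode the fields a receiver needs for reassembly, and verify the header checksum."""
    _, _, total_len, ident, flags_off, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ident": ident, "proto": proto, "total_len": total_len,
            "df": bool(flags_off & 0x4000), "mf": bool(flags_off & 0x2000),
            "offset": (flags_off & 0x1FFF) * 8,          # stored in 8-byte units
            "checksum_ok": checksum(pkt[:20]) == 0}


def echo_request_fragments(data_len, mtu=1500, ident=0x1234):
    """Constructed ICMP echo request (8-byte header, zero data, zero checksum), fragmented for mtu."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0600, 0x0200) + bytes(data_len)
    return fragment(SRC, DST, 1, ident, icmp, mtu)


def offsets(frags):
    return [parse_header(f)["offset"] for f in frags]


def df_would_be_dropped(payload_len, mtu):
    """True when a DF-marked datagram of this size cannot cross a link with this MTU."""
    try:
        fragment(SRC, DST, 1, 1, bytes(payload_len), mtu, df=True)
        return False
    except ValueError:
        return True
```

Only the first fragment's data starts with the ICMP header, exactly as in the capture: everything a port- or type-based filter could match on lives in `frags[0]`, which is why the remaining 44 fragments show up in Ethereal as bare "Fragmented IP protocol".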
== Exploits ==
; IP fragment overlapped: The IP fragment overlapped [[exploit (computer security)|exploit]] occurs when two fragments of the same IP [[network packet|packet]] have offsets that make them overlap within the [[network packet|packet]]. Fragment A may be completely overwritten by fragment B, or only partially. Some operating systems do not handle such overlapping fragments properly and may throw exceptions or behave in other undesirable ways on receipt; this is the basis of the [[teardrop attack]]. Overlapping fragments may also be used to bypass intrusion detection systems: part of an attack is sent in fragments along with additional random data, and later fragments overwrite the random data with the remainder of the attack. Operating systems differ in which fragment wins an overlap, so an IDS that does not reassemble the same way as the target host sees a different payload than the host does, and the attack goes undetected.
; IP fragmentation buffer full: The IP fragmentation buffer full exploit occurs when an excessive amount of incomplete fragmented traffic is detected on the protected network. This can be an excessive number of incomplete fragmented [[network packet|packets]], a large number of fragments for individual [[network packet|packets]], or a combination of the number of incomplete [[network packet|packets]] and the size and number of fragments in each [[network packet|packet]]. Such traffic is most likely an attempt to bypass security measures or [[Intrusion Detection Systems]] by intentionally fragmenting the attack activity, or to exhaust the reassembly buffers of the target.
; IP fragment overrun: The IP fragment overrun exploit occurs when a reassembled fragmented [[network packet|packet]] exceeds the declared IP data length or the maximum [[network packet|packet]] length. By definition, no IP packet should be larger than 65,535 bytes, since "Total Length" is a 16-bit field; a final fragment whose offset plus data length passes that limit (the classic ''ping of death'') can overflow the reassembly buffer. Systems that try to process such [[network packet|packets]] can crash, and the traffic can indicate a denial-of-service attempt.
; IP fragment too many packets: The "Too Many Packets" exploit is identified by an excessive number of incomplete fragmented [[network packet|packets]] detected on the network. This is usually either a denial-of-service attack or an attempt to bypass security measures. An example combining "Too Many Packets", "Incomplete Packet" and "Fragment Too Small" is the Rose Attack.<ref>{{Cite web|url=http://www.digital.net/~gandalf/Rose_Frag_Attack_Explained.htm|title=The Rose Fragmentation Attack Explained|last=Hollis|first=Ken|archive-url=https://web.archive.org/web/20120224113108/http://www.digital.net/~gandalf/Rose_Frag_Attack_Explained.htm|archive-date=2012-02-24|url-status=|access-date=2013-11-25}}</ref>
; IP fragment incomplete packet: This exploit occurs when a [[network packet|packet]] cannot be fully reassembled because data is missing. Each such packet occupies reassembly state until it times out. This can indicate a denial-of-service attack or an attempt to defeat packet-filter security policies.
; IP fragment too small: A fragment that is too small indicates that it was probably crafted intentionally, since a host or router fragments to the largest size the MTU allows. Any fragment other than the final one that is smaller than 400 bytes could be considered too small. Small fragments may be used in denial-of-service attacks or in an attempt to bypass security measures or detection, for example by splitting a TCP header across fragments so that no single fragment shows the port numbers.

== Fragmentation for evasion ==

Network infrastructure equipment such as [[Router (computing)|routers]], [[Load balancing (computing)|load balancers]], [[Firewall (computing)|firewalls]] and [[Intrusion detection system|IDS]] have inconsistent visibility into fragmented packets. For example, a device may subject the initial fragment to rigorous inspection and auditing but let all additional fragments pass unchecked, since only the first fragment carries the transport header it matches on. Some attacks use this fact to evade detection by placing incriminating payload data in later fragments. Devices operating in [[Proxy server|"full" proxy mode]], which reassemble the datagram themselves before forwarding, are generally not susceptible to this subterfuge.
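The overlapped, overrun, too-small and incomplete cases from the Exploits list, together with the reassembly-policy evasion described in this section, as one added Python example; it is not code from the article and the fragment sets are constructed for the demonstration, not captured. The audit routine labels a datagram's fragment set with the names used on this page, and the reassembler rebuilds the payload under two overlap policies ("first data wins" versus "last data wins"), which is enough to show how an IDS and a target host can read different bytes from the same fragments. The Identification values, the 10.0.0.x addresses and the `/bin/sh` attack string are hypothetical.

```python
"""Fragment reassembly audit: the checks a host or IDS should make.

Added example for this article; fragments below are constructed, not captured.
"""
import struct

MAX_DATAGRAM = 65535        # Total Length is a 16-bit field
MIN_NONFINAL_DATA = 400     # the page's "too small" threshold for a non-final fragment


def make_fragment(ident, offset, data, more,
                  src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", proto=17):
    """Minimal IPv4 fragment (no options, checksum left zero). Test input only."""
    assert offset % 8 == 0, "Fragment Offset is counted in 8-byte units"
    flags_off = (0x2000 if more else 0) | (offset // 8)       # MF is bit 2 of Flags
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr + data


def parse_fragment(pkt):
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (src, dst, proto, ident),             # what groups fragments of one datagram
            "offset": (flags_off & 0x1FFF) * 8,
            "more": bool(flags_off & 0x2000),
            "data": pkt[ihl:total_len]}


def audit(fragments):
    """Name the anomalies (as this page names them) in one datagram's fragment set."""
    frags = sorted((parse_fragment(p) for p in fragments), key=lambda f: f["offset"])
    if len({f["key"] for f in frags}) > 1:
        raise ValueError("fragments belong to more than one datagram")
    findings = set()
    covered = 0                                  # bytes [0, covered) seen so far
    for f in frags:
        end = f["offset"] + len(f["data"])
        if f["more"] and len(f["data"]) % 8:
            findings.add("non-final fragment not a multiple of 8 bytes")
        if f["more"] and len(f["data"]) < MIN_NONFINAL_DATA:
            findings.add("fragment too small")
        if end > MAX_DATAGRAM:
            findings.add("fragment overrun")
        if f["offset"] < covered:
            findings.add("fragment overlapped")
        if f["offset"] > covered:
            findings.add("incomplete packet")    # a hole nothing fills
        covered = max(covered, end)
    if not frags or frags[-1]["more"]:
        findings.add("incomplete packet")        # no final (MF=0) fragment
    return findings


def reassemble(fragments, policy="first"):
    """Rebuild the payload. 'first' keeps the bytes that arrived first where fragments
    overlap; 'last' lets a later fragment overwrite them. Real stacks differ on this."""
    parsed = [parse_fragment(p) for p in fragments]     # arrival order matters here
    if not parsed or all(f["more"] for f in parsed):
        raise ValueError("incomplete packet: no final fragment")
    size = max(f["offset"] + len(f["data"]) for f in parsed)
    buf, have = bytearray(size), bytearray(size)
    for f in parsed:
        for i, byte in enumerate(f["data"]):
            pos = f["offset"] + i
            if policy == "last" or not have[pos]:
                buf[pos], have[pos] = byte, 1
    if not all(have):
        raise ValueError("incomplete packet: hole in data")
    return bytes(buf)


def reassembly_fails(fragments):
    try:
        reassemble(fragments)
        return False
    except ValueError:
        return True


# Constructed cases (hypothetical identification values and attack string).
EVASION = [                                              # filler first, overwritten later
    make_fragment(0xBEEF, 0, b"/bin/sh " + b"XXXXXXXX", more=True),
    make_fragment(0xBEEF, 8, b"-c id   ", more=True),    # lands on the filler
    make_fragment(0xBEEF, 16, b"\n", more=False),
]
TEARDROP = [                                             # second fragment ends inside the first
    make_fragment(0x0BAD, 0, bytes(24), more=True),
    make_fragment(0x0BAD, 8, bytes(4), more=False),
]
OVERRUN = [                                              # last fragment pushes past 65,535
    make_fragment(0x0DED, 0, bytes(400), more=True),
    make_fragment(0x0DED, 65528, bytes(16), more=False),
]
CLEAN = [
    make_fragment(0x0001, 0, bytes(400), more=True),
    make_fragment(0x0001, 400, b"tail", more=False),
]


def evasion_demo():
    """What an IDS keeping first data sees versus a host letting later data win."""
    return reassemble(EVASION, "first"), reassemble(EVASION, "last")
```

The practical lesson is in `audit(EVASION)`: the overlap and the sub-400-byte fragments are both visible before any reassembly, so a sensor that flags them does not need to guess the target's overlap policy. A sensor that instead silently reassembles with one fixed policy sees `/bin/sh XXXXXXXX` while a host with the other policy executes `/bin/sh -c id`.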
== References ==

{{reflist}}

== External links ==

* [http://kohala.com/start/ W. Richard Stevens' Home Page]
* RFC 1858, ''Security Considerations for IP Fragment Filtering''
* RFC 791, ''Internet Protocol''

[[Category:Internet security]]