IP fragmentation attacks
Encyclopedia
IP fragmentation is the process of breaking up a single Internet Protocol
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...

 (IP) datagram
Datagram
A datagram is a basic transfer unit associated with a packet-switched network in which the delivery, arrival time, and order are not guaranteed....

 into multiple packets of smaller size. Every network link has a characteristic size of messages
Data frame
In computer networking and telecommunication, a frame is a digital data transmission unit or data packet that includes frame synchronization, i.e. a sequence of bits or symbols making it possible for the receiver to detect the beginning and end of the packet in the stream of symbols or bits...

 that may be transmitted, called the maximum transmission unit
Maximum transmission unit
In computer networking, the maximum transmission unit of a communications protocol of a layer is the size of the largest protocol data unit that the layer can pass onwards. MTU parameters usually appear in association with a communications interface...

 (MTU).

Part of the TCP/IP suite is the Internet Protocol (IP) which resides at the Internet Layer
Internet layer
The internet layer or IP layer is a group of internetworking methods in the Internet protocol suite, commonly also called TCP/IP, which is the foundation of the Internet...

 of this model. IP is responsible for the transmission of packets between network end points. IP includes some features which provide basic measures of fault-tolerance (time to live, checksum), traffic prioritization (type of service) and support for the fragmentation of larger packets into multiple smaller packets (ID field, fragment offset). The support for fragmentation of larger packets provides a protocol allowing routers to fragment a packet into smaller packets when the original packet is too large for the supporting datalink frames. IP fragmentation exploits (attacks) use the fragmentation protocol within IP as an attack vector.

Fragmentation process

IP datagrams are encapsulated in datalink frames, and, therefore, the link MTU affects larger IP datagram
Datagram
A datagram is a basic transfer unit associated with a packet-switched network in which the delivery, arrival time, and order are not guaranteed....

s and forces them to be split into pieces equal to or smaller than the MTU size.

This can be accomplished by several approaches:
  • To set the IP datagram size equal or smaller than the directly attached medium (in our case 802.3) and delegate all further fragmentation of datagrams to routers, meaning that routers decide if the current datagram should be re-fragmented or not. This offloads a lot of work on to routers, and can also result in packets being segmented by several IP routers one after another, resulting in very peculiar fragmentation.
  • To preview all links between source and destination and select the smallest MTU in this route, assuming there is a unique route. This way we make sure that the fragmentation is done by the sender, using a packet-size smaller than the selected MTU, and there is no further fragmentation en-route. This solution, called Path MTU Discovery
    Path MTU discovery
    Path MTU Discovery is a standardized technique in computer networking for determining the maximum transmission unit size on the network path between two Internet Protocol hosts, usually with the goal of avoiding IP fragmentation...

    , allows a sender to fragment/segment a long Internet
    Internet
    The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...

     packet, rather than relying on routers to perform IP-level fragmentation. This is more efficient and more scalable. It is therefore the recommended method in the current Internet. The problem with this approach is that each packet is routed independently; they may well typically follow the same route, but they may not, and so a probe packet to determine fragmentation may follow a path different from paths taken by later packets.


Three fields in the IP header are used to implement fragmentation and reassembly. The "Identification", "Flags" and "Fragment Offset" fields.


+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL | Differentiative Services | Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification | Flags | Fragment Offset |<--
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live | Protocol | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


Flags:
A 3 bit field which says if the datagram is a part of a fragmented data frame
Data frame
In computer networking and telecommunication, a frame is a digital data transmission unit or data packet that includes frame synchronization, i.e. a sequence of bits or symbols making it possible for the receiver to detect the beginning and end of the packet in the stream of symbols or bits...

 or not.

Bit 0: reserved, must be zero (unless datagram is adhering to RFC 3514)
Bit 1: (AF) 0 = May Fragment, 1 = Don't Fragment.
Bit 2: (AF) 0 = Last Fragment, 1 = More Fragments.



0 1 2 13 bits
+---+---+---+ +-----------------------------+
| | D | M | | Fragment Offset |
| 0 | F | F | +-----------------------------+
+---+---+---+


Fragment Offset specifies the fragment's position within the original Datagram, measured in 8-byte units.

Accordingly, every fragment except the last must contain a multiple of 8 bytes of data. It is obvious that Fragment Offset can hold 8192 (2^13) units but the datagram
Datagram
A datagram is a basic transfer unit associated with a packet-switched network in which the delivery, arrival time, and order are not guaranteed....

 can't have 8192 * 8 = 65536 bytes of data because "Total Length" field of IP
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...

 header records the total size including the header and data. An IP header is at least 20 bytes long, so the maximum value for "Fragment Offset" is restricted to 8189, which leaves room for 3 bytes in the last fragment.

Because an IP internet can be connectionless, fragments from one datagram may be interleaved with those from another at the destination. The "Identification field" uniquely identifies the fragments of a particular datagram
Datagram
A datagram is a basic transfer unit associated with a packet-switched network in which the delivery, arrival time, and order are not guaranteed....

.

The source system sets "Identification" in each datagram to a unique value for all datagrams using the same source IP address, destination IP address, and "Protocol" values for the lifetime of the datagram on the internet. This way the destination can distinguish which incoming fragments belong to a unique datagram and buffer all of them until the last fragment received. The last fragment sets the "More Fragment" bit to 0 and this tells the receiving station to start reassembling the data if all fragments have been received.

The following is a real-life fragmentation example:

The following was obtained using the Ethereal
Wireshark
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education...

 protocol analyzer to capture ICMP
Internet Control Message Protocol
The Internet Control Message Protocol is one of the core protocols of the Internet Protocol Suite. It is chiefly used by the operating systems of networked computers to send error messages indicating, for example, that a requested service is not available or that a host or router could not be...

 echo request
Ping
Ping is a computer network administration utility used to test the reachability of a host on an Internet Protocol network and to measure the round-trip time for messages sent from the originating host to a destination computer...

 packets. To simulate this open up a terminal and type ping ip_dest -n 1 -l 65000.

The results are as follows:

No. Time Source Destination Protocol Info
1 0.000000 87.247.163.96 66.94.234.13 ICMP Echo (ping) request
2 0.000000 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=1480)
3 0.002929 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=2960)
4 6.111328 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=4440)
5 6.123046 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=5920)
6 6.130859 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=7400)
7 6.170898 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=8880)
8 6.214843 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=10360)
9 6.239257 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=11840)
10 6.287109 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=13320)
11 6.302734 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=14800)
12 6.327148 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=16280)
13 6.371093 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=17760)
14 6.395507 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=19240)
15 6.434570 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=20720)
16 6.455078 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=22200)
17 6.531250 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=23680)
18 6.550781 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=25160)
19 6.575195 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=26640)
20 6.615234 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=28120)
21 6.634765 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=29600)
22 6.659179 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=31080)
23 6.682617 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=32560)
24 6.699218 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=34040)
25 6.743164 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=35520)
26 6.766601 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=37000)
27 6.783203 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=38480)
28 6.806640 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=39960)
29 6.831054 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=41440)
30 6.850586 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=42920)
31 6.899414 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=44400)
32 6.915039 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=45880)
33 6.939453 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=47360)
34 6.958984 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=48840)
35 6.983398 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=50320)
36 7.023437 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=51800)
37 7.046875 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=53280)
38 7.067382 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=54760)
39 7.090820 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=56240)
40 7.130859 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=57720)
41 7.151367 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=59200)
42 7.174804 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=60680)
43 7.199218 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=62160)
44 7.214843 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=63640)
45 7.258789 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=65120)

The first packet details:
No.Time Source Destination Protocol Info
1 0.000000 87.247.163.96 66.94.234.13 ICMP Echo (ping) request

Frame 1 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: OmronTat_00:00:00 (00:00:0a:00:00:00), Dst: 40:0f:20:00:0c:00 (40:0f:20:00:0c:00)
Internet Protocol, Src: 87.247.163.96 (87.247.163.96), Dst: 66.94.234.13 (66.94.234.13)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x6b7d
Identifier: 0x0600
Sequence number: 0x0200
Data (1472 bytes)

The second packet details:
No. Time Source Destination Protocol Info
2 0.000000 87.247.163.96 66.94.234.13 IP Fragmented IP protocol (proto=ICMP 0x01, off=1480)

Frame 2 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: OmronTat_00:00:00 (00:00:0a:00:00:00), Dst: 40:0f:20:00:0c:00 (40:0f:20:00:0c:00)
Internet Protocol, Src: 87.247.163.96 (87.247.163.96), Dst: 66.94.234.13 (66.94.234.13)
Data (1480 bytes)



Note that only the first fragment contains the ICMP header and all remaining fragments are generated without the ICMP header.

Two important points here:
  • In some datalink protocols such as Ethernet, only the first fragment contains the full upper layer header, meaning that other fragments look like beheaded datagrams.
  • Additional overhead imposed over network because all fragments contains their own IP header. Additional overhead = (number_of_fragments - 1) * (ip_header_len);

IP fragment overlapped

The IP fragment overlapped exploit
Exploit
Exploit can mean:*Exploit *Exploit *Exploit *Exploit *Exploit, a 2009 Adobe Flash game by Gregory Weir*The Exploits River, the longest river on the island of Newfoundland-See also:...

 occurs when two fragments contained within the same IP datagram have offsets that indicate that they overlap each other in positioning within the datagram. This could mean that either fragment A is being completely overwritten by fragment B, or that fragment A is partially being overwritten by fragment B. Some operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in other undesirable ways upon receipt of overlapping fragments. This is the basis for the teardrop Denial of service attacks.

IP fragmentation buffer full

The IP fragmentation buffer full exploit occurs when there is an excessive amount of incomplete fragmented traffic detected on the protected network. This could be due to an excessive number of incomplete fragmented datagrams, a large number of fragments for individual datagrams or a combination of quantity of incomplete datagrams and size/number of fragments in each datagram. This type of traffic is most likely an attempt to bypass security measures or Intrusion Detection Systems by intentional fragmentation of attack activity.

IP fragment overrun

The IP Fragment Overrun exploit is when a reassembled fragmented datagram exceeds the declared IP data length or the maximum datagram length. By definition, no IP datagram should be larger than 65,535 bytes. Systems that try to process these large datagrams can crash, and can be indicative of a denial of service attempt.

IP fragment overwrite

Overlapping fragments may be used in an attempt to bypass Intrusion Detection Systems. In this exploit, part of an attack is sent in fragments along with additional random data; future fragments may overwrite the random data with the remainder of the attack. If the completed datagram is not properly reassembled at the IDS, the attack will go undetected.

IP fragment too many datagrams

The Too Many Datagrams exploit is identified by an excessive number of incomplete fragmented datagrams detected on the network. This is usually either a denial of service attack or an attempt to bypass security measures. An example of "Too Many Datagrams", "Incomplete Datagram" and "Fragment Too Small" is the Rose Attack.

IP fragment incomplete datagram

This exploit occurs when a datagram can not be fully reassembled due to missing data. This can indicate a denial of service attack or an attempt to defeat packet filter security policies.

IP fragment too small

An IP Fragment Too Small exploit is when any fragment other than the final fragment is less than 400 bytes, indicating that the fragment is likely intentionally crafted. Small fragments may be used in denial of service attacks or in an attempt to bypass security measures or detection.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK