Fragmentation
-------------
-------------
Why does fragmentation occur? Fragmentation happens when an IP datagram has
to travel through a network with a maximum transmission unit (MTU) that is
to travel through a network with a maximum transmission unit (MTU) that is
smaller than the size of the IP datagram. Thus, if I send an IP datagram
that is bigger than 1500 bytes to an Ethernet network, the datagram needs to be
fragmented. The packets are then assembled at the receiving host.
Fragmentation can either at the originating sending host or at an intemediate router.
that is bigger than 1500 bytes to an Ethernet network, the datagram needs to be
fragmented. The packets are then assembled at the receiving host.
Fragmentation can either at the originating sending host or at an intemediate router.
How are the packets reassembled? Note that with IP fragmentation, packets are not
reassembled until they reach the final destination. It is reassemled at the IP layer
at the receiving end. This is make fragmentation and reassembly transparent to the
protocol layer (TCP and UDP). If one of the packets is lost, the whole packets needs
to be transmitted again.
reassembled until they reach the final destination. It is reassemled at the IP layer
at the receiving end. This is make fragmentation and reassembly transparent to the
protocol layer (TCP and UDP). If one of the packets is lost, the whole packets needs
to be transmitted again.
Packets are reassembled at the receiving host
by associating each fragment with an identical fragment identification number,
or frag id for short. The frag ID is actually a copy of the ID field (IP
identification number) in the IP header. Besides that, each fragment must
carry its "position" or "offset" in the original unfragmented packet. Thus
the first fragment will have an offset of 0, since its seat is at the front
row and counting starts from 0. Each fragments must also tell the length of
data that it carries. This is like the compartments in a train. And finally,
each fragment must flag the MF (more fragments) bit if it is not the last
fragment.
by associating each fragment with an identical fragment identification number,
or frag id for short. The frag ID is actually a copy of the ID field (IP
identification number) in the IP header. Besides that, each fragment must
carry its "position" or "offset" in the original unfragmented packet. Thus
the first fragment will have an offset of 0, since its seat is at the front
row and counting starts from 0. Each fragments must also tell the length of
data that it carries. This is like the compartments in a train. And finally,
each fragment must flag the MF (more fragments) bit if it is not the last
fragment.
Fragmenting a Packet
--------------------
--------------------
Here is a hypothetical example. Suppose that we want to send a 110 bytes ICMP
packet on a network with MTU of 40 (well that's damn small, but this is for
illustration purposes). This is a diagram of the original packet:
packet on a network with MTU of 40 (well that's damn small, but this is for
illustration purposes). This is a diagram of the original packet:
+--------+--------+---------------------------------+
| IP | ICMP | Data |
| header | header | |
+--------+--------+---------------------------------+
20 8 82 (bytes)
| IP | ICMP | Data |
| header | header | |
+--------+--------+---------------------------------+
20 8 82 (bytes)
The packet will be fragmented as shown below.
+----------------+----------+-----------+
Packet 1 | IP header (20) | ICMP (8) | Data (12) | ID=88, Len=20, Off=0, MF=1
+----------------+----------+-----------+
Packet 2 | IP header (20) | Data (20) | ID=88, Len=20, Off=20, MF=1
+---------------------------------------+
Packet 3 | IP header (20) | Data (20) | ID=88, Len=20, Off=40, MF=1
+---------------------------------------+
Packet 4 | IP header (20) | Data (20) | ID=88, Len=20, Off=60, MF=1
+----------------------------+----------+
Packet 5 | IP header (20) | Data (10) | ID=88, Len=10, Off=80, MF=0
+----------------------------+
Packet 1 | IP header (20) | ICMP (8) | Data (12) | ID=88, Len=20, Off=0, MF=1
+----------------+----------+-----------+
Packet 2 | IP header (20) | Data (20) | ID=88, Len=20, Off=20, MF=1
+---------------------------------------+
Packet 3 | IP header (20) | Data (20) | ID=88, Len=20, Off=40, MF=1
+---------------------------------------+
Packet 4 | IP header (20) | Data (20) | ID=88, Len=20, Off=60, MF=1
+----------------------------+----------+
Packet 5 | IP header (20) | Data (10) | ID=88, Len=10, Off=80, MF=0
+----------------------------+
ID - IP identification number
Len - Data Length (data length does not include IP header)
Off - Offset
MF - More Fragment
Notice that the second packet and subsequent packets contains IP header that
is copied from the original packet. There are no ICMP headers, except in the
first packet. In a nutshell, the 110 ICMP packet is broken into 5 packet,
with total lengths of 40, 40, 40, 40 and 30 bytes each. The ICMP data is
broken into lengths of 12, 20, 20, 20, and 10 bytes each.
is copied from the original packet. There are no ICMP headers, except in the
first packet. In a nutshell, the 110 ICMP packet is broken into 5 packet,
with total lengths of 40, 40, 40, 40 and 30 bytes each. The ICMP data is
broken into lengths of 12, 20, 20, 20, and 10 bytes each.
Using tcpdump, the packet logs will look like this:
3l337.com > l4m3r.com: icmp: echo request (frag 88:20@0+)
3l337.com > l4m3r.com: (frag 88:20@20+)
3l337.com > l4m3r.com: (frag 88:20@40+)
3l337.com > l4m3r.com: (frag 88:20@60+)
3l337.com > l4m3r.com: (frag 88:20@80)
3l337.com > l4m3r.com: (frag 88:20@20+)
3l337.com > l4m3r.com: (frag 88:20@40+)
3l337.com > l4m3r.com: (frag 88:20@60+)
3l337.com > l4m3r.com: (frag 88:20@80)
Notice anything yet? Attackers, here is the catch. The second packet does not
contain what type of ICMP packet it is. Only the first packet contains the
ICMP code. For the subsequent packets, we can determine that it is an ICMP
packet because the IP header is there. This type of fragmented packet can
easily beat a stateless router, firewall or IDS. An example would be a
stateless packet filter that blocks inbound ICMP echo request. Upon seeing the
first packet, it will drop it, whereas the rest of the packets creep in
successfully.
contain what type of ICMP packet it is. Only the first packet contains the
ICMP code. For the subsequent packets, we can determine that it is an ICMP
packet because the IP header is there. This type of fragmented packet can
easily beat a stateless router, firewall or IDS. An example would be a
stateless packet filter that blocks inbound ICMP echo request. Upon seeing the
first packet, it will drop it, whereas the rest of the packets creep in
successfully.
How to Discover MTU?
--------------------
--------------------
It is very easy to detect the MTU of a particular network. Just send various
sizes of ICMP echo requests to the target network with the don't fragment (DF)
bit set. If the packet exceeds the MTU, the receiving end will return with
an ICMP error "fragmention needed but don't fragment bit set" message. Lower the size of
the packet, and keep sending until you don't get any ICMP error messages. Available tools
like traceroute and nemesis can be modified and used to discover MTUs.
sizes of ICMP echo requests to the target network with the don't fragment (DF)
bit set. If the packet exceeds the MTU, the receiving end will return with
an ICMP error "fragmention needed but don't fragment bit set" message. Lower the size of
the packet, and keep sending until you don't get any ICMP error messages. Available tools
like traceroute and nemesis can be modified and used to discover MTUs.
Funky Frags
--------------
--------------
So what sorts of things that we can do with fragmented packets? Well, denial
of service of course. One fine example is to send fragmented packets to a
packet filter that drops inbound ICMP echo request. The rest of the packets
will get in, and the upon receiving the packets without the initial fragment,
the receiving host will pening kepala doing reassembly.
of service of course. One fine example is to send fragmented packets to a
packet filter that drops inbound ICMP echo request. The rest of the packets
will get in, and the upon receiving the packets without the initial fragment,
the receiving host will pening kepala doing reassembly.
And how about sending fragmented packets will identical offsets? This will be
a basis for a denial of service as well.
a basis for a denial of service as well.
Another cool Denial of Service attack is Teardrop. Teardrop works
by sending packets with odd offset. For example, my first offset is 0, and data
length is 40. The next packet's data length is 10, and offset 20. This is a
headache to the host because in order to reassemble this packet, it has to
rewind back by 20. Old and unpatched operating system does not deal with
negative numbers well, and negatives numbers can translate to very large
positive numbers.
length is 40. The next packet's data length is 10, and offset 20. This is a
headache to the host because in order to reassemble this packet, it has to
rewind back by 20. Old and unpatched operating system does not deal with
negative numbers well, and negatives numbers can translate to very large
positive numbers.
Another attack that used fragmentation effectively is the Ping of Death. Ping
of Death works by sending a very large echo packet (65535 bytes) which is
fragmented and reassembled at the receiving end. The last packet however, is
crafted in such a way that the offset plus data length is greater than 65535.
This will cause a possible internal overflow of 16-bit internal variable on
the system, resulting in blue screen of death, reboot, etc.
of Death works by sending a very large echo packet (65535 bytes) which is
fragmented and reassembled at the receiving end. The last packet however, is
crafted in such a way that the offset plus data length is greater than 65535.
This will cause a possible internal overflow of 16-bit internal variable on
the system, resulting in blue screen of death, reboot, etc.
Last but not least, a denial of service on routers can be also be done by never
sending the last fragment - just keep on sending packets with the promise of
more fragments (MF bit set). The router, in the hope of receiving more packets
for reassembly, will not timeout. Sooner or later, it will become overloaded.
Of course, you can also try to send fragmented packets to the router without
the initial first fragment.
sending the last fragment - just keep on sending packets with the promise of
more fragments (MF bit set). The router, in the hope of receiving more packets
for reassembly, will not timeout. Sooner or later, it will become overloaded.
Of course, you can also try to send fragmented packets to the router without
the initial first fragment.
Another trick is to send fragmented TCP headers to the target source to avoid
detection. NMAP for example, can send fragmented SYN packet in multiple
fragments.
detection. NMAP for example, can send fragmented SYN packet in multiple
fragments.
Summary
Ref:https://news.hitb.org/content/understanding-ip-fragmentation
https://stackoverflow.com/questions/15999739/ip-fragmentation-and-reassembly
why udp not bothered about fragmentation:
UDP is a datagram protocol where each packet means a single entity, independent of the other packets (UDP does not detected duplication, reordering etc). TCP instead is a stream protocol, that is the whole transfer consists of a single unstructured octet stream similar to a large file. To make the transfer of this stream more efficient it makes sense to detect the MTU of the connection and try to send mostly packets which max out this MTU, thus reducing the overhead of the transfer. To further reduce the overhead TCP will merge multiple consecutive writes into as few packets (with max MTU) as possible.
Ref: https://stackoverflow.com/questions/28547248/why-udp-does-not-employ-the-path-mtu
https://notes.shichao.io/tcpv1/ch10/
No comments:
Post a Comment