2 security blockage questions

I want to ask about 2 things I saw in the security log:

a) Blocked IP because of a fragmented UDP packet that is not allowed.
What is a fragmented IP packet? A TCP packet split in 2, for example? And why is it allowed?

b) Fake or Malformed UDP Packet Blocked
UDP packet length and the size on the wire (1522 bytes) do NOT match.

Please explain as simply as you can about both security blocked issues, because I'm trying to understand what's happening.

Greetings,

a) IP fragmentation relies on the reconstruction of the TCP packet to determine if the packet arrived successfully (if you drop a fragmented IP packet, the TCP packet will not reconstruct and so a NAK will be sent for that TCP packet). The reason that the data MAY be split twice is simple. You have no way of knowing a priori what the restrictions are for the network layer beyond your LAN. Therefore, TCP will create packets that meet TCP packet limitations and IP packet limitations on your LAN.

If you pass through a network that has IP limitations that are more stringent than yours, the network equipment will split (fragment) your IP packet into two or more IP packets, each containing a portion of your TCP payload. If, on the other end of your connection, the TCP packet is not completely reconstructed (that is why it has both a length and a CRC) then the receiver will send a NAK (Not Acknowledged) packet back to your system which will reissue the same TCP packet, and follow the same process (probably). It is highly unusual to see a fragmented IP packet on a LAN, since there are not any transmission systems involved that would require differing MTU (Maximum Transmission Unit) sizes.

The three-way handshake of TCP is only to provide a “connection oriented” protocol, not for reliable (not secure) data transport. It is the sequence numbering and ACK/NAK protocol that provides reliable data transport.

Attackers create artificially fragmented packets in order to circumvent firewalls that do not perform packet reassembly. These only consider the properties of each individual fragment, and let the fragments through to final destination. One such attack involving fragments is known as the tiny fragment attack.

Two TCP fragments are created. The first fragment is so small that it does not even include the full TCP header, particularly the destination port number. The second fragment contains the remainder of the TCP header, including the port number. Another such type of malicious fragmentation involves fragments that have illegal fragment offsets.

Furthermore…

A fragment offset value gives the index position of this fragment’s data in a reassembled packet. The second fragment packet contains an offset value, which is less than the length of the data in the first packet. E.g…

If the first fragment was 24 bytes long, the second fragment may claim to have an offset of 20. Upon reassembly, the data in the second fragment overwrites the last four bytes of the data from the first fragment. If the unfragmented packet were TCP, then the first fragment would contain the TCP header overwriting the destination port number.

Thanks,
rki.

b) Some firewall configurations can be remotely changed through the Internet, when a malicious user could generate fake control packets to make the firewall perform in the wrong way or get knowledge of our firewall rules.
Today, to provide better security, two popular block cryptographic algorithms (3DES and AES) are implemented to decrypt control packets.

For protection from the UDP flood attack, the source IP address of all the UDP packets sent to the firewall's IP address will be changed. C.O.M.O.D.O Personal Firewall will detect when a UDP packet reaches the destination and cannot be delivered to any application by listening for ICMP port unreachable packets. Once detected, C.O.M.O.D.O Personal Firewall will be updated to block additional packets. Additional UDP packets going to the same destination/port pair will then be dropped.

There are several common attack methods known by the Internet community. They are divided into two main categories: flood attacks and malformed packet attacks.
But, since your question is regarding “malformed packet attacks”, I will skip the “flood attacks” part for now.

The malformed packet attack is another wide-spread type of DoS attack. The purpose of this attack is to send ill-formed packets to hosts and take advantage of the bad design of the code that processes the packets. Effects range from unacceptable degradation of performance to system crashes.

There’re several malformed packet attacks:
Ping of Death Attack consists of sending an ICMP echo packet that is much larger than the maximum IP packet size (64 Kbytes). At destination, some TCP/IP implementations fail to reconstruct the packet, crashing or rebooting the system.

Chargen Attack. This is a variant of the UDP Flood Attack and uses the port 19 (chargen) of an intermediary system used as an amplifier. The attacker sends a forged UDP packet on port 19 of the intermediary system which in turn replies with a string of characters back to the victim, on its echo service port. The victim then sends back an echo of the string and the loop created rapidly exhausts the bandwidth between the victim and the intermediary system.

Teardrop Attack. Due to poor implementation, some systems fail to correctly cope with packet fragments that have incorrect offsets, making proper reassembly impossible. Instead of gracefully discarding the packets, the implementations in question simply reboot or halt the system.

Land Attack. Astoundingly, some systems crash or reboot when they encounter a forged packet which contains the same address as both the origin and the destination.

Win Nuke Attack. This type of attack is specifically targeted against Windows machines, to which attackers send out-of-band data to a specific port, causing the system to crash or reboot.

Thanks,
rki.

Thanks rki, I didn’t know that.

I see. But why is UDP packet fragmentation not allowed, since fragmentation is something unavoidable as a packet travels through many transmission systems?

How do people generate false TCP packets? I mean, the OS has a standard, typical way of creating a packet.
How would one, for example, create a packet that lacks the destination port in the header?
How does the OS allow such a thing?

Greetings,

If a packet is larger than the TCP MSS (Maximum Segment Size) or MTU (Maximum Transmission Unit), the only way for the packet to reach its endpoint is to be fragmented. While there are legitimate reasons why a packet is fragmented, it can also be exploited.

Since only the first fragment of a fragmented packet contains a header, it is impossible for packet filters to examine additional packet fragments without doing fragment reassembly. Typical attacks involve overlapping the packet data, in which the packet header is normal until it is overwritten with a different destination IP (or port), thereby bypassing firewall rules.
Fragmented packets can also be used as part of “DoS attacks” to crash older IP stacks or to saturate the link/CPU load.

The connection tracking code in Netfilter/Iptables[Firewalls] automatically does fragment reassembly. It is however still vulnerable to link/CPU load saturation attacks.

In the IP layer implementations of nearly all OS [Operating System], there are bugs in the reassembly code. An attacker can create and send a pair of carefully crafted but malformed IP packets that in the process of reassembly cause a server to panic and crash. When the receiving host attempts to reassemble such a packet, it calculates a negative length for the second fragment. This value is passed to a function (such as memcpy()), which should do a copy from/to memory, and which takes the negative number to be an enormous unsigned (positive) number.

Another type of attack involves sending fragments that if reassembled will be an abnormally large packet, larger than the maximum permissible length for an IP packet. The attacker hopes that the receiving host will crash while attempting to reassemble the packet.
The Ping of Death used this attack. It creates an ICMP echo request packet, which is larger than the maximum packet size of 65,535 bytes.

Thanks,
rki

The reason for fragmenting packets is that if on its way one gets lost, then the sender will only have to resend this small lost packet instead of a bigger one? And if yes, what determines how small a packet can be, and why don't all network implementations support the same MTU?

As for your example, why, when a packet gets fragmented, does only the 1st fragment hold the TCP header while the 2nd holds the data portion?
I thought that even if a packet gets split, every part of it should contain the necessary header info like src IP, src port, dst IP, dst port.

Can you please explain and give a more detailed example? Thank you!

[quote="rki"]In the IP layer implementations of nearly all OS [Operating System], there are bugs in the reassembly code. An attacker can create and send a pair of carefully crafted but malformed IP packets that in the process of reassembly cause a server to panic and crash. When the receiving host attempts to reassemble such a packet, it calculates a negative length for the second fragment. This value is passed to a function (such as memcpy()), which should do a copy from/to memory, and which takes the negative number to be an enormous unsigned (positive) number.[/quote]
Neat trick! They hack their way in by taking advantage of the flaws in the security code!
It's like asking a user to type his name in a C++ app expecting to hold the value in an alpha string, and the user, instead of chars, sends a number, so the app doesn't know what to do with it and crashes.

Why do you say it calculates a negative length, since the 2nd fragment also has data in it?

Greetings,
It is not possible to select a particular IP datagram size to always avoid fragmentation, as the MTU for different transmission It is possible, though, for a given path to choose a size that will not lead to fragmentation. This is called Path MTU Discovery. The TCP transport protocol tries to avoid fragmentation using the Maximum Segment Size (MSS) option.

The minimum size of an IP fragment is the minimum size of an IP header plus eight data bytes. Most firewall-type devices will drop an initial IP fragment (offset 0) that does not contain enough data to hold the transport headers. In other words, an IP fragment normally needs 20 octets of data in addition to the IP header in order to get through a firewall if its offset is 0.

The size of an IP datagram fragment is limited by the amount of remaining data in the original IP datagram and the MTU of the network, and it must be a multiple of 8, except for the final fragment.

How an IP datagram is fragmented
Here's an example where an IP datagram is fragmented into two. This same algorithm can be used to fragment the datagram into ‘n’ fragments.

  • The IP layer creates two new IP datagrams, whose length satisfies the requirements of the network in which the original datagram is going to be sent.

  • The IP header from the original IP datagram is copied to the two new datagrams.

  • The data in the original IP datagram is divided into two on an 8 byte boundary. The number of 8 byte blocks in the first portion is called Number of Fragment Blocks (NFB).

  • The first portion of the data is placed in the first new IP datagram.

  • The length field in the first new IP datagram is set to the length of the first datagram.

  • The fragment offset field in the first IP datagram is set to the value of that field in the original datagram.

  • The “more fragments” field in the first IP datagram is set to one.

  • The second portion of the data is placed in the second new IP datagram.

  • The length field in the second new IP datagram is set to the length of the second datagram.

  • The “more fragments” field in the second IP datagram is set to the same value as the original IP datagram.

  • The fragment offset field in the second IP datagram is set to the value of that field in the original datagram plus NFB.

When an IP fragmentation occurs, the IP header fields[Total Length, Header Length, More Fragments Flag, Fragment Offset, Header Checksum, Options] are changed.

Thanks,
rki.
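The fragmentation steps above, together with the firewall checks mentioned earlier in this thread (dropping an offset-0 fragment too small to hold a transport header, and a second fragment whose offset points back inside the first), as an added Python example that is not part of any post in this thread. It assumes IPv4 headers without options, constructs its own sample datagram (10.0.0.1 to 10.0.0.2, UDP), and all function and constant names are my own.

```python
import struct

IHL = 20  # IPv4 header length in bytes; this example assumes no IP options

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum over a header (gives 0 for a header whose checksum is valid)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def rewrite_header(hdr: bytes, data_len: int, mf: int, offset: int) -> bytes:
    """Copy the header and change only Total Length, MF flag, Fragment Offset and the checksum."""
    h = bytearray(hdr)
    h[2:4] = struct.pack("!H", IHL + data_len)
    h[6:8] = struct.pack("!H", (mf << 13) | offset)  # DF bit assumed clear on a fragmentable datagram
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)

def parse(dgram: bytes):
    """Return (header, MF flag, fragment offset in 8-byte units, payload)."""
    ff = struct.unpack("!H", dgram[6:8])[0]
    return dgram[:IHL], (ff >> 13) & 1, ff & 0x1FFF, dgram[IHL:]

def fragment(dgram: bytes, mtu: int) -> list:
    """Split a datagram into fragments of at most mtu bytes following the steps above:
    data is cut on 8-byte boundaries (NFB blocks); the last fragment keeps the original MF value."""
    hdr, mf_orig, off_orig, data = parse(dgram)
    max_data = ((mtu - IHL) // 8) * 8
    if max_data <= 0:
        raise ValueError("MTU too small to carry any fragment data")
    frags = []
    for pos in range(0, len(data), max_data):
        chunk = data[pos:pos + max_data]
        mf = mf_orig if pos + len(chunk) == len(data) else 1
        frags.append(rewrite_header(hdr, len(chunk), mf, off_orig + pos // 8) + chunk)
    return frags

def filter_verdict(frags: list) -> str:
    """Firewall-style checks from the thread: an offset-0 fragment must carry at least 20 data
    bytes (room for a TCP header), and no fragment may overlap data already accepted."""
    seen = []  # byte ranges [start, end) accepted so far
    for f in frags:
        _, mf, off, data = parse(f)
        start, end = off * 8, off * 8 + len(data)
        if off == 0 and mf and len(data) < 20:
            return "drop: tiny first fragment"
        if any(start < e and s < end for s, e in seen):
            return "drop: overlapping fragment"
        seen.append((start, end))
    return "pass"

# Constructed sample: a 100-byte payload from 10.0.0.1 to 10.0.0.2 (UDP, proto 17) sent over a
# 64-byte MTU, plus two hand-made fragments where the second offset points back inside the first.
HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
ORIGINAL = rewrite_header(HEADER, 100, 0, 0) + bytes(range(100))
FRAGMENTS = fragment(ORIGINAL, 64)
OVERLAP = [rewrite_header(HEADER, 24, 1, 0) + bytes(24), rewrite_header(HEADER, 24, 0, 2) + bytes(24)]
```

With a 64-byte MTU the 100-byte payload becomes three fragments with offsets 0, 5 and 10 (in 8-byte units); the hand-made pair is rejected by the overlap check because the second fragment's offset (16 bytes) lies inside the 24 bytes already accepted from the first.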

Hey RKI,

Dude, we bow before thee!

Great post, very well written and VERY comprehensible.

Ewen :slight_smile:

Just wondering…

RKI, are these comments your own or are you quoting others? I’m not trying to insult you or start a flame war; it’s just that this information sounds very familiar. If you are quoting from other sources it is good practice to provide credit to those sources/authors…especially if those other sources are copyrighted material.

Hello krispy.
No, I'm not quoting sources, except myself (my articles)! Please allow me to go off-topic here (irrelevant).

Google ‘rki’
… Founder of rootcontest.org
… One of the Admins on hackthissite.org
… Has written & submitted over hundreds of articles online
knowplace.org webpronews.com smdc-network.org , etc.

You can also read my other “replies to posts on this forum”.

Thanks,
rki.

Since you are quoting your own articles, and unless you posted this information to the internet and in written articles under many different names, you may want to go after these people for plagiarism and copyright infringement:

In regards to your quotes about IP Fragmentation which begin with “IP fragmentation relies on the reconstruction of the TCP packet to determine if the packet arrived successfully”.

There is an identical quote by someone going by the name “pansophic” @ IP fragmentation vs. TCP segmentation - TCP/IP - Tek-Tips

In regards to your quote which begins with “A fragment offset value gives the index position of this fragment’s data in a reassembled packet. The second fragment packet contains an offset value, which is less than the length of the data in the first packet. E.g

There is an identical quote by Suhas A Desai @ LinuxSecurity.com - Contact Us

Your quote which begins with “Some firewalls configuration can be remotely changed through the Internet, when a Malicious user could generate fake control packets to make the firewall perform in the wrong way or get knowledge of our firewall rules

Is essentially word for word as one which appears to be attributed to Haoyu Song, Jing Lu & James Moscola under the heading Control Packet Security @ http://www.arl.wustl.edu/~lockwood/class/cs536/project/index.html

In regards to your quote which begins with “For protection from the UDP flood attack, the source IP address of all the UDP packets sent to firewall`s IP address will be changed

There is the same quote which appears to be attributed to Rade Todorovic & Manoj Singla, also @ http://www.arl.wustl.edu/~lockwood/class/cs536/project/index.html

In regards to your quote about “Malformed Packet Attacks”, all of that is also quoted and attributed to Valer Bocan @ http://www.dataman.ro/vbocan/download/conti2004-1.pdf

In regards to your quotes about Packet Fragmentation which begins with:“If a packet is larger than the TCP MSS (Maximum Segment Size) or MTU (Maximum Transmission Unit)

Identical quote by Shane Chen @ knowplace.org - This website is for sale! - knowplace Resources and Information.

In regards to your quotes about IP Fragmentation which begin with “It is not possible to select a particular IP datagram size to always avoid fragmentation

Identical quote by: Raghu Ni @ http://www.cossindia.org/forum/viewtopic.php?p=480&sid=a008fb50697b3f6219e39d26e48e8503

Also by: Yegappan Lakshmanan @ Yahoo | Mail, Weather, Search, Politics, News, Finance, Sports & Videos

Just thought you would want to know.

Another good KB entry. Thanks rki.

Greetings,

Hello krispy!

Why? There've never been and will not be any copyright laws on any of my articles. Anyone is allowed to use/edit any of my articles online. Knowledge is to be shared and not sold. The internet is a community where we've all learnt from.

And here's a post / email from the ONLY 2 who claim to be “authors”.
I await the other emails (that's if they do reply to me).

None of those links you've pasted claim to be the authors (they've all given references for where they got their article from). I could only find 2 articles amongst your links that did not give references or credits at all (which I've emailed and posted above).

[i]- krispy wrote: In regards to your quote about “Malformed Packet Attacks”, all of that is also quoted and attributed to Valer Bocan @ http://www.dataman.ro/vbocan/download/conti2004-1.pdf[/i]
Did you look down to the last page? (Those are references he quoted), and he's not claiming to be the author. He gave references, and amongst them are #5-#6 Digital Equipment Corporation, “Performance tuning tips for Digital Unix” (http://www.service.digital.com/manual/misc/perf-dec.html), where you can see me as the AUTHOR on the page.

The same reply goes for the other links that you've posted… They all gave their references/sources, and please try going through the reference notes/links next time.

And thank you krispy for those info!

Thanks
rki.

Come on guys. We are not publishing articles in an IEEE journal. If we had to paste references for all we write, no one would care to post anything useful here. Don't you think?

Egemen

Hello, rki!

Thank you for your patience with my questions, and thank you more for your brilliant answers!!
More things are clear to me now thanks to you!

Since you are founder @ rootcontest.org and hackthissite, I would very eagerly & kindly request you to check my network's security setup as thoroughly as you can!!

My router's WAN IP is nikos.no-ip.org (running server, all server apps)

I posted my website on USENET asking the same thing, but people didn't manage to break through.
Maybe you and other sophisticated members can!!

Please, I would love to see the results of your security scan against my PC.

Thank you, and I am waiting to hear from you! Please accept!

ps. I just signed up on hackthissite.org :slight_smile:

You’re welcome and I’m Glad we could help.

That's wrong! I'm the founder of several online sites including www.rootcontest.org but NOT hackthissite.org. I'm just an ‘admin’ there.

  • HTS (hackthissite.org) is an online security site (where we teach users about computer security).

  • RC (rootcontest.org) is also the same + a wargame site (where you submit your box for users to bridge into and report flaws).

  • If you need the security of your box to be checked, then RC would be the better place to submit your box. So, please do (if you haven't done that) and follow the articles I have on the RC forum on how to submit a box!

This is off topic, Nikos, and should be continued on the RC forum (if you have further questions), seeing as this is a COMODO Community!

I hope to hear from you soon!
and apologies to the mods for making this so off topic (:WIN)

Topic CLOSED

Thanks,
rki.