a) IP fragmentation relies on the reconstruction of the TCP packet to determine if the packet arrived successfully (if you drop a fragmented IP packet, the TCP packet will not reconstruct and so a NAK will be sent for that TCP packet). The reason that the data MAY be split twice is simple. You have no way of knowing a priori what the restrictions are for the network layer beyond your LAN. Therefore, TCP will create packets that meet TCP packet limitations and IP packet limitations on your LAN.
If you pass through a network that has IP limitations that are more stringent than yours, the network equipment will split (fragment) your IP packet into two or more IP packets, each containing a portion of your TCP payload. If, on the other end of your connection, the TCP packet is not completely reconstructed (that is why it has both a length and a CRC) then the receiver will send a NAK (Not Acknowledged) packet back to your system which will reissue the same TCP packet, and follow the same process (probably). It is highly unusual to see a fragmented IP packet on a LAN, since there are not any transmission systems involved that would require differing MTU (Maximum Transmission Unit) sizes.
The three-way handshake of TCP is only to provide a “connection oriented” protocol, not for reliable (not secure) data transport. It is the sequence numbering and ACK/NAK protocol that provides reliable data transport.
Attackers create artificially fragmented packets in order to circumvent firewalls that do not perform packet reassembly. These only consider the properties of each individual fragment, and let the fragments through to the final destination. One such attack involving fragments is known as the tiny fragment attack.
Two TCP fragments are created. The first fragment is so small that it does not even include the full TCP header, particularly the destination port number. The second fragment contains the remainder of the TCP header, including the port number. Another such type of malicious fragmentation involves fragments that have illegal fragment offsets.
A fragment offset value gives the index position of this fragment’s data in a reassembled packet. The second fragment packet contains an offset value, which is less than the length of the data in the first packet. E.g…
If the first fragment was 24 bytes long, the second fragment may claim to have an offset of 20. Upon reassembly, the data in the second fragment overwrites the last four bytes of the data from the first fragment. If the unfragmented packet were TCP, then the first fragment would contain the TCP header overwriting the destination port number.
b) Some firewalls' configuration can be changed remotely through the Internet, where a malicious user could generate fake control packets to make the firewall perform in the wrong way or gain knowledge of our firewall rules.
Today to provide better security, two popular block cryptographic algorithms (3DES and AES) are implemented to decrypt control packets.
For protection from the UDP flood attack, the source IP address of all the UDP packets sent to the firewall's IP address will be changed. C.O.M.O.D.O Personal Firewall will detect when a UDP packet reaches the destination and cannot be delivered to any application by listening for ICMP port unreachable packets. Once detected, C.O.M.O.D.O Personal Firewall will be updated to block additional packets. Additional UDP packets going to the same destination/port pair will then be dropped.
There are several common attack methods known by the Internet community. They are divided into two main categories: flood attacks and malformed packet attacks. But, since your question is regarding "malformed packet attacks", I will skip the "flood attacks" part for now.
The malformed packet attack is another wide-spread type of DoS attack. The purpose of this attack is to send ill-formed packets to hosts and take advantage of the bad design of the code that processes the packets. Effects range from unacceptable degradation of performance to system
There're several malformed packet attacks: Ping of Death Attack consists of sending an ICMP echo packet that is much larger than the maximum IP packet size (64 Kbytes). At destination, some TCP/IP implementations fail to reconstruct the packet, crashing or rebooting the system.
Chargen Attack. This is a variant of the UDP Flood Attack and uses the port 19 (chargen) of an intermediary system used as an amplifier. The attacker sends a forged UDP packet on port 19 of the intermediary system which in turn replies with a string of characters back to the victim, on its echo service port. The victim then sends back an echo of the string and the loop created rapidly exhausts the bandwidth between the victim and the intermediary system.
Teardrop Attack. Due to poor implementation, some systems fail to correctly cope with packet fragments that have incorrect offsets, making proper reassembly impossible. Instead of gracefully discarding the packets, the implementations in question simply reboot or halt the system.
Land Attack. Astoundingly, some systems crash or reboot when they encounter a forged packet which contains the same address as both the origin and the destination.
Win Nuke Attack. This type of attack is specifically targeted against Windows machines, to which attackers send out-of-band data to a specific port, causing the system to crash or reboot.
How do people generate false TCP packets? I mean the OS has a standard typical of creating a packet.
How would one, for example, create a packet that lacks the destination port in the header?
How does the OS allow such a thing?
If a packet is larger than the TCP MSS (Maximum Segment Size) or MTU (Maximum Transmission Unit), the only way for the packet to reach its endpoint is to be fragmented. While there are legitimate reasons why a packet is fragmented, it can also be exploited.
Since only the first fragment of a fragmented packet contains a header, it is impossible for packet filters to examine additional packet fragments without doing fragment reassembly. Typical attacks involve overlapping the packet data, in which the packet header is normal until it is overwritten with a different destination IP (or port), thereby bypassing firewall rules. Fragmented packets can also be used as part of "DOS attacks" to crash older IP stacks or to saturate the link/CPU load.
The connection tracking code in Netfilter/Iptables[Firewalls] automatically does fragment reassembly. It is however still vulnerable to link/CPU load saturation attacks.
In the IP layer implementations of nearly all OS [Operating Systems], there are bugs in the reassembly code. An attacker can create and send a pair of carefully crafted but malformed IP packets that in the process of reassembly cause a server to panic and crash. When the receiving host attempts to reassemble such a packet, it calculates a negative length for the second fragment. This value is passed to a function (such as memcpy()), which should do a copy from/to memory, and which takes the negative number to be an enormous unsigned (positive) number.
Another type of attack involves sending fragments that if reassembled will be an abnormally large packet, larger than the maximum permissible length for an IP packet. The attacker hopes that the receiving host will crash while attempting to reassemble the packet. The Ping of Death used this attack. It creates an ICMP echo request packet, which is larger than the maximum packet size of 65,535 bytes.
The reason for fragmenting packets is that if on its way one gets lost then the sender will only have to send this small lost packet instead of a bigger one? And if yes, what determines how small a packet can be, and why don't all network implementations support the same MTU?
As for your example why when a packet gets fragmented only the 1st fragment holds the TCP header while the 2nd the data portion?
I thought that even if a packet gets split, every part of it should contain the necessary header info like src ip, src port, dst ip, dst port.
Can you please explain and give a more detailed example? Thank you!
"In the IP layer implementations of nearly all OS [Operating Systems], there are bugs in the reassembly code. An attacker can create and send a pair of carefully crafted but malformed IP packets that in the process of reassembly cause a server to panic and crash. The receiving host attempts to reassemble such a packet, it calculates a negative length for the second fragment. This value is passed to a function (such as memcpy()), which should do a copy from/to memory, which takes the negative number to be an enormous unsigned (positive) number."
Neat trick! They hack their way in by taking advantage of the flaws in the security code!
It's like asking a user to type his name in a C++ app that expects to hold the value in an alpha string, and the user sends a number instead of chars, so the app doesn't know what to do with it and crashes.
Why do you say it calculates a negative length, since the 2nd fragment also has data in it?
It is not possible to select a particular IP datagram size to always avoid fragmentation, as the MTU for different transmission It is possible, though, for a given path to choose a size that will not lead to fragmentation. This is called Path MTU Discovery. The TCP transport protocol tries to avoid fragmentation using the Maximum Segment Size (MSS) option.
The minimum size of an IP fragment is the minimum size of an IP header plus eight data bytes. Most firewall-type devices will drop an initial IP fragment (offset 0) that does not contain enough data to hold the transport headers. In other words, the IP fragment normally needs 20 octets of data in addition to the IP header in order to get through a firewall if the offset is 0.
The size of an IP datagram fragment is limited by the amount of remaining data in the original IP datagram and the MTU of the network, and it must be a multiple of 8, except for the final fragment.
How an IP datagram is fragmented
Here's an example where an IP datagram is fragmented into two. This same algorithm can be used to fragment the datagram into 'n' fragments.
1. The IP layer creates two new IP datagrams, whose length satisfies the requirements of the network in which the original datagram is going to be sent.
2. The IP header from the original IP datagram is copied to the two new datagrams.
3. The data in the original IP datagram is divided into two on an 8 byte boundary. The number of 8 byte blocks in the first portion is called Number of Fragment Blocks (NFB).
4. The first portion of the data is placed in the first new IP datagram.
5. The length field in the first new IP datagram is set to the length of the first datagram.
6. The fragment offset field in the first IP datagram is set to the value of that field in the original datagram.
7. The "more fragments" field in the first IP datagram is set to one.
8. The second portion of the data is placed in the second new IP datagram.
9. The length field in the second new IP datagram is set to the length of the second datagram.
10. The "more fragments" field in the second IP datagram is set to the same value as the original IP datagram.
11. The fragment offset field in the second IP datagram is set to the value of that field in the original datagram plus NFB.
When IP fragmentation occurs, the IP header fields Total Length, Header Length, More Fragments Flag, Fragment Offset, Header Checksum and Options are changed.
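The following is an added example, not code from any poster in this thread. It carries the fragmentation steps above through in pure Python (header copied, data split on 8-byte boundaries, NFB-based offsets, "more fragments" flag, Total Length and Header Checksum recomputed), generalised to n fragments as the post says the same algorithm allows, and then applies the checks a reassembling filter would make against the tiny-fragment and overlapping-offset cases described earlier in the thread, including the "negative remaining length" a reassembler that simply trusts the offsets would compute. It assumes an option-less 20-byte IPv4 header and uses constructed sample traffic (a TCP segment to port 80, addresses 10.0.0.1/10.0.0.2); because fragment offsets are counted in 8-byte blocks, the overlap sample uses an offset of 16 bytes rather than the 20 in the earlier illustration.

```python
import struct

MF = 0x2000           # "more fragments" bit of the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte blocks
IPV4_HDR = "!BBHHHBBH4s4s"  # option-less 20-byte header (assumption of this example)


def checksum(data: bytes) -> int:
    """IPv4 header checksum: one's-complement sum of 16-bit words (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(payload, flags_off=0, ident=0x1234, proto=6,
               src=bytes([10, 0, 0, 1]), dst=bytes([10, 0, 0, 2])):
    """Wrap `payload` in a constructed IPv4 header (TTL 64, protocol 6 = TCP)."""
    hdr = bytearray(struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident,
                                flags_off, 64, proto, 0, src, dst))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + payload


def parse_ipv4(pkt):
    """Decode the fields a reassembler cares about; offset is returned in bytes."""
    ver_ihl, _, total, ident, flags_off, _, proto, _, _, _ = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "total": total, "ident": ident, "flags_off": flags_off,
            "mf": bool(flags_off & MF), "offset": (flags_off & OFFSET_MASK) * 8,
            "csum_ok": checksum(pkt[:ihl]) == 0, "payload": pkt[ihl:total]}


def fragment(pkt, mtu):
    """Split one datagram into fragments that fit `mtu`, following the numbered steps."""
    p = parse_ipv4(pkt)
    ihl, data = p["ihl"], p["payload"]
    orig_mf, orig_off = p["flags_off"] & MF, p["flags_off"] & OFFSET_MASK
    nfb = (mtu - ihl) // 8                      # Number of Fragment Blocks per fragment
    if nfb < 1:
        raise ValueError("MTU too small to carry any 8-byte block")
    frags, pos = [], 0
    while pos < len(data):
        chunk = data[pos:pos + nfb * 8]         # multiple of 8 except for the final piece
        final = pos + len(chunk) >= len(data)
        hdr = bytearray(pkt[:ihl])              # step 2: copy the original header
        hdr[2:4] = struct.pack("!H", ihl + len(chunk))                      # Total Length
        flags = orig_mf if final else MF        # steps 7/10: MF=1, last keeps original
        hdr[6:8] = struct.pack("!H", (orig_off + pos // 8) | flags)        # Fragment Offset
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))               # Header Checksum
        frags.append(bytes(hdr) + chunk)
        pos += len(chunk)
    return frags


def reassemble(frags):
    """Rebuild the transport payload from in-order, non-overlapping fragments."""
    data = bytearray()
    for f in sorted(frags, key=lambda f: parse_ipv4(f)["offset"]):
        p = parse_ipv4(f)
        data[p["offset"]:p["offset"] + len(p["payload"])] = p["payload"]
    return bytes(data)


def inspect_fragments(frags, min_transport=20):
    """Checks a reassembling filter applies before accepting a fragment train."""
    accepted = []                               # (start, end) byte ranges seen so far
    for f in frags:
        p = parse_ipv4(f)
        start, end = p["offset"], p["offset"] + len(p["payload"])
        if not p["csum_ok"]:
            return "drop", "bad header checksum"
        if p["mf"] and len(p["payload"]) % 8:
            return "drop", "non-final fragment is not a multiple of 8 bytes"
        if start == 0 and p["mf"] and len(p["payload"]) < min_transport:
            return "drop", "tiny first fragment (%d bytes): transport header incomplete" % len(p["payload"])
        for s, e in accepted:
            if start < e and end > s:
                naive_len = end - e             # what a trusting reassembler would copy: negative here
                return "drop", "fragment %d-%d overlaps %d-%d; naive remaining length %d" % (start, end, s, e, naive_len)
        accepted.append((start, end))
    return "accept", "fragments are consistent"


# Constructed sample: 20-byte TCP header (40000 -> 80, SYN) followed by 100 data bytes.
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + b"X" * 100
DATAGRAM = build_ipv4(TCP_SEGMENT)


def demo():
    legit = fragment(DATAGRAM, mtu=60)                                   # 3 fragments of 40 data bytes
    tiny = [build_ipv4(TCP_SEGMENT[:8], flags_off=MF),                   # first fragment: 8 bytes, no port
            build_ipv4(TCP_SEGMENT[8:], flags_off=1)]
    overlap = [build_ipv4(TCP_SEGMENT[:32], flags_off=MF),               # bytes 0-32
               build_ipv4(TCP_SEGMENT[16:24], flags_off=2)]              # claims offset 16, inside the first
    return {"fragments": len(legit), "legit": inspect_fragments(legit)[0],
            "tiny": inspect_fragments(tiny)[0], "overlap": inspect_fragments(overlap)[1]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With an MTU of 60 the 140-byte datagram becomes three fragments with offsets 0, 40 and 80 bytes (NFB = 5), only the last of which has MF cleared; the tiny-fragment and overlapping trains are both refused before any copy happens, and the overlap verdict reports a remaining length of -8, which is the quantity an unguarded reassembler would hand to a copy routine as a huge unsigned value.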
RKI, are these comments your own or are you quoting others? I’m not trying to insult you or start a flame war; it’s just that this information sounds very familiar. If you are quoting from other sources it is good practice to provide credit to those sources/authors…especially if those other sources are copyrighted material.
Since you are quoting your own articles, and unless you posted this information to the internet and in written articles under many different names, you may want to go after these people for plagiarism and copyright infringement:
In regards to your quotes about IP Fragmentation which begin with “IP fragmentation relies on the reconstruction of the TCP packet to determine if the packet arrived successfully”.
In regards to your quote which begins with “A fragment offset value gives the index position of this fragment’s data in a reassembled packet. The second fragment packet contains an offset value, which is less than the length of the data in the first packet. E.g”
Your quote which begins with “Some firewalls configuration can be remotely changed through the Internet, when a Malicious user could generate fake control packets to make the firewall perform in the wrong way or get knowledge of our firewall rules”
Why? There have never been and will not be any copyright laws on any of my articles. Anyone is allowed to use/edit any of my articles online. Knowledge is to be shared and not sold. The internet is a community where we've all learnt from.
And here's a post / email from the ONLY 2 who claim to be "authors".
I await the other emails (that's if they do reply to me).
None of those links you've pasted claim to be the authors (they've all given references for where they've gotten their article from). I could only find 2 articles amongst your links that did not give references or credits at all (which I've emailed and posted above).
HTS (hackthissite.org) is an online security site (where we teach users about computer security).
RC (rootcontest.org) is also the same, plus a wargame site (where you submit your box for users to bridge into and report flaws).
If you need the security of your box to be checked, then RC would be the better place to submit your box. So, please do (if you haven't done that) and follow the articles I have on the RC forum on how to submit a box!
This is off topic, Nikos, and should be continued on the RC forum (if you have further questions), seeing as this is a COMODO Community!
I hope to hear from you soon!
and apologies to the mods for making this so off topic (:WIN)