Fragmentation is a normal event in which packets are split into bite-sized pieces, either at the packets' origin or at the routers. The packets are later reassembled at their destination. Fragmentation allows packets to traverse networks whose maximum packet size (MTU) is smaller than the packet itself. For example, packets traveling over Ethernet cannot exceed 1,518 bytes. Thus, the IP layer payload must be less than or equal to 1,480 bytes:

    1480 byte transport payload + 20 byte IP header + 14 byte Ethernet layer header + 4 byte checksum = 1518 bytes

The IP layer is responsible for reassembling the fragmented packets at the destination. It then passes the payload up to the transport layer. The IP header stores valuable information that allows the packets to be reassembled in the correct order at their destination.

6.16.1 Fragmentation Variables

The fragmentation variables stored in the IP header include the following:

6.16.2 Exploiting Fragments

Fragmentation is a normal event. However, as with all technology, crackers can exploit fragmentation for their own purposes. By handcrafting fragmented packets, attackers attempt to avoid detection when performing reconnaissance and penetration. For example, clever fragmentation can often be used to avoid intrusion detection systems or IDSs (see Chapter 19).

Recall that all fragments of a packet must contain a copy of the parent packet's IP header. However, only the first fragment contains a protocol header such as TCP, ICMP, or UDP. Thus, less sophisticated IDSs that screen the protocol header cannot block later fragments of a malicious packet.

Another kind of attack uses fragmentation to perform a denial-of-service (DoS); it is the classic ping of death. This attack uses the system ping utility to create an IP packet that exceeds the maximum allowable size of 65,535 bytes for an IP datagram. The attack launches a swarm of small, fragmented ICMP packets. These fragments are later reassembled at the destination, at which point their massive size can crash the target.

Although the ping of death is an old attack, efforts to protect against it have led to even more problems. For example, in order to identify and audit such attacks, Check Point added a logging mechanism to Firewall-1 to record the fragment reassembly process. Unfortunately, as Lance Spitzner discovered, the auditing process itself can cause a denial-of-service condition on the firewall. It's possible for an attacker to send a number of incomplete fragments to the firewall that can never be reassembled. This causes the CPU utilization to rise toward 100%, thus freezing the firewall.

6.16.3 Fragmenting with Nmap

Nmap (Network Mapper) is a network reconnaissance tool discussed in Chapter 9. It was written by Fyodor of Insecure.org (Fyodor was also a technical reviewer for this book). One of its more obscure options is its ability to generate fragmented packets.
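
The defensive side of the two denial-of-service cases in 6.16.2, as an added example that is not from the book or from any vendor's code: a filter that rejects a fragment whose end would push the reassembled datagram past 65,535 bytes, and that caps and times out incomplete fragment sets so they cannot accumulate. The cap, the timeout, the function names, and the sample packets are assumptions made for the illustration.

```python
import struct

MAX_DATAGRAM = 65535  # largest legal IP datagram
MAX_PENDING = 2       # assumed cap on incomplete datagrams (tiny for the demo)
TIMEOUT = 30.0        # assumed reassembly timeout, seconds

def make_fragment(ident, offset, more, payload_len):
    """Build a constructed IPv4/ICMP fragment (documentation addresses, zero checksum)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                       64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + bytes(payload_len)

def parse_fragment(pkt):
    """Pull the fragmentation fields out of a raw IPv4 header."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto), "ihl": ihl,
            "more": bool(flags_off & 0x2000),      # MF (more fragments) flag
            "offset": (flags_off & 0x1FFF) * 8,    # field counts 8-byte units
            "length": total_len - ihl}             # payload bytes in this fragment

class FragmentTable:
    """Bounded reassembly bookkeeping; assumes no duplicate or overlapping fragments."""
    def __init__(self):
        self.pending = {}  # datagram key -> {"first", "got", "total"}

    def check(self, pkt, now):
        f = parse_fragment(pkt)
        # Forget datagrams that never completed, so partial sets cannot pile up.
        self.pending = {k: s for k, s in self.pending.items() if now - s["first"] < TIMEOUT}
        if f["ihl"] + f["offset"] + f["length"] > MAX_DATAGRAM:
            self.pending.pop(f["key"], None)
            return "drop: reassembled size exceeds 65,535"
        if f["offset"] == 0 and not f["more"]:
            return "pass: not fragmented"
        state = self.pending.get(f["key"])
        if state is None:
            if len(self.pending) >= MAX_PENDING:
                return "drop: too many incomplete datagrams"
            state = self.pending[f["key"]] = {"first": now, "got": 0, "total": None}
        state["got"] += f["length"]
        if not f["more"]:
            state["total"] = f["offset"] + f["length"]  # last fragment fixes the size
        if state["got"] == state["total"]:
            del self.pending[f["key"]]
            return "pass: datagram complete"
        return "hold: awaiting fragments"
```

The size check runs on each fragment as it arrives, so an oversized datagram is refused before any buffer for it is assembled.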

Nmap allows you to use raw IP packets to perform reconnaissance on the hosts available on a target network, the services (ports) open, the operating system (and version) running, the type of packet filters/firewalls in use, and dozens of other characteristics. Nmap is available on both Linux and Windows.

Nmap has the ability to craft fragmented packets and launch them at a host. Using the -f (fragment) option, you can perform a scan using fragmented IP packets. In fragment mode, Nmap splits the TCP header over several packets in order to make it more difficult for packet filters and IDSs to detect the scan. Although this method will not fool firewalls that maintain packet sequence state (discussed above), many networks cannot handle the performance overhead of tracking fragments, and thus do not maintain state.

6.16.4 hping

Salvatore Sanfilippo designed hping (http://www.hping.org) as a command-line TCP/IP packet assembler/analyzer based on the original Unix ping command. However, hping isn't just able to send ICMP echo requests. It also supports the TCP, UDP, ICMP, and RAW-IP protocols, and it includes a traceroute mode, the ability to send files over a covert channel, and many other features. Uses of hping include the following:

Supported platforms include Linux, FreeBSD, NetBSD, OpenBSD, and Solaris. It produces a standard TCP output format, as follows:

    len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms

This breaks down as follows:

If you run hping using the -V command-line switch, it will display additional information about the packet. For example:

    len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0

Here's how it breaks down:

6.16.5 Fragroute

One of the most useful tools for generating fragmented packets is Fragroute (http://www.monkey.org/~dugsong/fragroute/). According to its author Dug Song, Fragroute is a Unix-based tool that intercepts, modifies, and rewrites egress traffic destined for a specified host. It includes a rule-based language to "delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behavior."

The author claims to have written the tool for good, not evil, in order to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behavior. Examples of ways to use Fragroute for testing include the following:

For example, Fragroute can generate enough "noise" in the form of complex packet fragments that it will overwhelm or evade an IDS's ability to maintain state. The syntax for Fragroute is as follows:

    fragroute [-f file] host

The -f option allows you to read the ruleset from a specified file, instead of /usr/local/etc/fragroute.conf.

Fragroute is composed of several modules that enable various configuration directives. Each directive operates on a logical packet queue handed to it by the previous rule. Examples of its ruleset include the following:

For example, if you wanted to fragment all traffic to a Windows host into forward-overlapping eight-byte fragments (favoring older data), reordered randomly and printed to standard output, you would use the following:

    ip_frag 8 old order random print

Fragroute has been successfully used to confuse Snort and other IDSs by generating confusing packet fragments.
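
Why overlapping fragments confuse an IDS, as an added example that is not from the book or from Fragroute: the sketch reassembles constructed fragments once favoring older data and once favoring newer data, and flags any datagram whose payload depends on that choice, which is the condition a normalizer or IDS should alert on or drop. The function names, policy labels, and sample bytes are assumptions.

```python
def reassemble(fragments, favor="old"):
    """Reassemble (offset, data) pairs given in arrival order.

    Where fragments overlap, favor="old" keeps the bytes that arrived first
    and favor="new" lets later arrivals overwrite them.
    """
    buf = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in buf and favor == "old":
                continue              # earlier data wins
            buf[pos] = byte           # first write, or newer data wins
    if sorted(buf) != list(range(len(buf))):
        raise ValueError("incomplete datagram: hole in fragment coverage")
    return bytes(buf[i] for i in range(len(buf)))

def ambiguous(fragments):
    """True when the two overlap policies yield different payloads.

    An IDS that reassembles one way while the protected host reassembles the
    other way inspects bytes the host never sees, so such datagrams should be
    flagged rather than trusted.
    """
    return reassemble(fragments, "old") != reassemble(fragments, "new")

# Constructed sample data: the second fragment overlaps bytes 8-15 of the
# first with different content.
OVERLAPPING = [(0, b"AAAAAAAABBBBBBBB"), (8, b"CCCCCCCCDDDDDDDD")]

# Constructed sample data: eight-byte fragments delivered out of order with
# no overlap. Reordering alone does not make the result ambiguous.
REORDERED = [(16, b"DDDDDDDD"), (0, b"AAAAAAAA"), (8, b"BBBBBBBB")]

if __name__ == "__main__":
    for name, frags in (("overlapping", OVERLAPPING), ("reordered", REORDERED)):
        print(name, reassemble(frags, "old"), reassemble(frags, "new"),
              "ALERT" if ambiguous(frags) else "ok")
```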