6.16 Fragmentation

Fragmentation is a normal event in which packets are split into bite- sized pieces, either at the packets' origin or at the routers. The packets are later reassembled at their destination. Fragmentation allows packets to traverse networks whose maximum packet size (MTU) is smaller the packet itself. For example, packets traveling over Ethernet cannot exceed 1,518 bytes. Thus, the IP layer payload must be less than or equal to 1,480 bytes:

 1480 byte transport payload  + 20 byte IP header  + 14 byte Ethernet layer header  + 4 byte checksum = 1518 bytes 

The IP layer is responsible for reassembling the fragmented packets at the destination. It then passes the payload up to the transport layer. The IP header stores valuable information that allows the packets to be reassembled in the correct order at their destination.

6.16.1 Fragmentation Variables

The fragmentation variables stored in the IP header include the following:

Fragment ID

This is the same as the unique IP identification number of the parent packet. The fragment ID remains the same in all progeny of a packet, even if the fragments are themselves fragmented into smaller bits by networks with low MTUs.

Fragment offset

Each fragment marks its place in the packet's sequence of data with a fragment offset. At the destination, this number is used to reassemble the fragments in the correct order.

Fragment length

Each fragment contains a field describing its own total length.

More fragments flag

A fragment must tell whether there are any more fragments that follow in the fragmentation sequence. This flag can be equal to one (1), meaning that there are more fragments to follow, or to zero (0), meaning that it is the final fragment in the packet.

6.16.2 Exploiting Fragments

Fragmentation is a normal event. However, as with all technology, crackers can exploit fragmentation for their own purposes. By handcrafting fragmented packets, attackers attempt to avoid detection when performing reconnaissance and penetration.

For example, clever fragmentation can often be used to avoid intrusion detection systems or IDSs (see Chapter 19). Recall that all fragments of a packet must contain a copy of the parent packet's IP header. However, only the first fragment contains a protocol header such as TCP, ICMP, or UDP. Thus, less sophisticated IDSs that screen the protocol header cannot block later fragments of a malicious packet.

Another kind of attack uses fragmentation to perform a denial-of-service (DoS); it is the classic ping of death . This attack uses the system ping utility to create an IP packet that exceeds the maximum allowable size of 65,535 bytes for an IP datagram. The attack launches a swarm of small, fragmented ICMP packets. These fragments are later reassembled at the destination, at which point their massive size can crash the target.

Although the ping of death is an old attack, efforts to protect against it have led to even more problems. For example, in order to identify and audit such attacks, Checkpoint added a logging mechanism to Firewall-1 to record the fragment reassembly process. Unfortunately, as Lance Spitzner discovered , the auditing process itself can cause a denial-of-service condition on the firewall. It's possible for an attacker to send a number of incomplete fragments to the firewall that can never be reassembled. This causes the CPU utilization to rise toward 100%, thus freezing the firewall.

6.16.3 Fragmenting with Nmap

Nmap (Network Mapper) is a network reconnaissance tool discussed in Chapter 9. It was written by Fyodor of Insecure.org (Fyodor was also a technical reviewer for this book). One of its more obscure options is its ability to generate fragmented packets. Nmap allows you to use raw IP packets to perform reconnaissance on the hosts available on a target network, the services (ports) open , the operating system (and version) running, the type of packet filters/firewalls in use, and dozens of other characteristics. Nmap is available on both Linux and Windows.

Nmap has the ability to craft and fragmented packet launch them at a host. Using the -f (fragment) option, you can perform a scan using fragmented IP packets. In fragment mode, Nmap splits the TCP header over several packets in order to make it more difficult for packet filters and IDSs to detect the scan.

Although this method will not fool firewalls that maintain packet sequence state (discussed above), many networks cannot handle the performance overhead of tracking fragments, and thus do not maintain state.

6.16.4 hping

Salvatore Sanfilippo designed hping (http://www.hping.org) as a command-line TCP/IP packet assembler/analyzer based on the original Unix ping command. However, hping isn't just able to send ICMP echo requests . It also supports the TCP, UDP, ICMP, and RAW-IP protocols, and it includes a traceroute mode, the ability to send files between a covert channel, and many other features.

Uses of hping include the following:

• Firewall testing

• Advanced port scanning

• Network testing using different protocols, TOS, and fragmentation

• Manual PMTU discovery

• Advanced traceroute, under all the supported protocols

• Remote OS fingerprinting

• Remote uptime guessing

• TCP/IP stack auditing

Supported platforms include Linux, FreeBSD, NetBSD, OpenBSD, and Solaris. It produces a standard TCP output format, as follows :

 len=46 ip=192.168.1.1  flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms 

This breaks down as follows:

len

The size, in bytes, of the data captured from the data link layer, excluding the data link header size. This may not match the IP datagram size, due to low-level transport layer padding.

ip

The source IP address.

flags

The TCP flags: R for RESET, S for SYN, A for ACK, F for FIN, P for PUSH, U for URGENT, X for not standard 0x40, Y for not standard 0x80.

DF

If the reply contains DF, the IP header has the "don't fragment" bit set.

seq

The sequence number of the packet, obtained using the source port for TCP/UDP packets or the sequence field for ICMP packets.

id

The IP ID field.

win

The TCP window size.

rtt

The round-trip time in milliseconds .

If you run hping using the -V command-line switch, it will display additional information about the packet. For example:

 len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40  seq=0 ack=1223672061 sum=e61d urp=0 

Here's how it breaks down:

tos

The Type-of-Service field in the IP header

iplen

The IP total len field

seq and ack

The 32-bit numbers sequence and acknowledge in the TCP header

sum

The TCP header checksum value

urp

The TCP urgent pointer value

6.16.5 Fragroute

One of the most useful tools for generating fragmented packets is Fragroute (http://www.monkey.org/~dugsong/fragroute/). According to its its author Dug Song, Fragroute is a Unix-based tool that intercepts, modifies, and rewrites egress traffic destined for a specified host. It includes a rule-based language to "delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behavior." The author claims to have written the tool for good, not evil, in order to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behavior. Examples of ways to use Fragroute for testing include the following:

• Testing network IDS timeout and reassembly

• Testing stateful firewall inspection

• Simulating one-way latency, loss, reordering , and retransmissions

• Evading passive OS fingerprinting techniques

For example, Fragroute can generate enough "noise" in the form of complex packet fragments that it will overwhelm or evade an IDS's ability to maintain state.

The syntax for Fragroute is as follows:

 fragroute [-f file] host 

The -f option allows you to read the ruleset from a specified file, instead of /usr/local/etc/fragroute.conf .

Fragroute is composed of several modules that enable various configuration directives. Each directive operates on a logical packet queue handed to it by the previous rule. Examples of its ruleset include the following:

delay firstlastrandom ms

Delay the delivery of the first, last, or a randomly selected packet from the queue by ms milliseconds.

drop firstlastrandom prob-%

Drop the first, last, or a randomly selected packet from the queue with a probability of prob-% percent.

dup firstlastrandom prob-%

Duplicate the first, last, or a randomly selected packet from the queue with a probability of prob-% percent.

ip_chaff dupoptttl

Interleave IP packets in the queue with duplicate IP packets containing different payloads, either scheduled for later delivery, carrying invalid IP options, or bearing short time-to-live values.

ip_frag size [oldnew]

Fragment each packet in the queue into size -byte IP fragments, preserving the complete transport header in the first fragment. An optional fragment overlap may be specified as old or new, to favor newer or older data.

ip_opt lsrrssrr ptr ip-addr

Add IP options to every packet in order to enable loose or strict source routing. The route should be specified as a list of IP addresses and a bytewise pointer into them (e.g., the minimum ptr value is 4).

ip_ttl ttl

Set the IP time-to-live value of every packet to ttl .

ip_tos tos

Set the IP type-of-service bits for every packet to tos .

order randomreverse

Reorder the packets in the queue randomly, or in reverse.

tcp_chaff cksumnullpawsrexmitseqsynttl

Interleave TCP segments in the queue with duplicate TCP segments containing different payloads, either bearing invalid TCP checksums, null TCP control flags, older TCP timestamp options for PAWS elimination , faked retransmits scheduled for later delivery, out-of-window sequence numbers, requests to re-synchronize sequence numbers mid-stream, or short time-to-live values.

tcp_opt msswscale size

Add TCP options to every TCP packet in order to set the maximum segment size or window scaling factor.

tcp_seg size [oldnew]

Segment each TCP data segment in the queue into size -byte TCP segments. Optional segment overlap may be specified as old or new, to favor newer or older data.

For example, if you wanted to fragment all traffic to a Windows host into forward-overlapping eight-byte fragments (favoring older data), reordered randomly and printed to standard output, you would perform the following:

 ip_frag 8 old order random print 

Fragroute has been successfully used to confuse Snort and other IDSs by generating confusing packet fragments.