IPv4: Abusing Fragmentation Fields (cont.) · 2019-09-25 · IPv4: Abusing TTL Field (cont.)...


Page 1:

IPv4: Abusing Fragmentation Fields (cont.)

• Fragmentation Flags

• Maximum Transmission Unit (MTU) - the largest packet that the data-link layer of a given network can carry inside one frame; an IP datagram larger than the MTU of the outgoing link must be fragmented

→ How does the receiving machine know that these are fragments of a bigger (original) packet?? (every fragment carries the Identification field of the original datagram, together with the same source, destination and protocol)

→ How does the receiving machine determine the order in which fragments should be ‘put back’?? (the Fragment Offset field, see below)

Page 2:

[Figure: fragmenting one IP packet for a link with MTU = 660 bytes]

→ How many fragments should be made out of one single IP packet??

→ (MTU - 20) is the amount of data that can be placed in a fragment (20 = IPv4 header without options), and for every fragment but the last it must be divisible by 8

→ in this case, (660 - 20) = 640 is divisible by 8, so 640 bytes of data are placed in each fragment (only the last fragment carries whatever remains)

Page 3:

[Figure: the same MTU = 660 example, annotated with the Fragment Offset field of each fragment]

→ the data length of every fragment except the last must be divisible by 8!!!

→ the Fragment Offset, multiplied by 8, tells how many bytes of the parent packet have already been sent in previous fragments

Page 4:

IPv4: Abusing Fragmentation Fields (cont.)

Example: defragmentation works even if an IP packet is fragmented several times (a fragment can itself be fragmented again by a later router with a smaller MTU; the offsets stay relative to the original datagram, and only the very last piece carries MF = 0, so the receiver never needs to know how many times fragmentation happened)

Page 5:

IPv4: Abusing Fragmentation Fields (cont.)

• Fragmentation Flags: 2 (out of 3) bits are used to facilitate the fragmentation and reassembly function: DF (Don't Fragment) and MF (More Fragments); the first bit is reserved and must be zero

→ DF = 1 can be used by an attacker to conduct Path-MTU Discovery

Page 6:

IPv4: Abusing Fragmentation Fields (cont.)

Example: Path MTU Discovery using DF = 1

In some attacks that rely on packet fragmentation, the attacker needs to ensure that additional fragmentation will NOT be triggered by intermediate routers. (This would risk one of the fragments being dropped, or being split into pieces that no longer line up with the attacker's crafted offsets.)

To ensure that additional fragmentation does NOT occur, the attack packets must be smaller than any Maximum Transmission Unit (MTU) en route.

To discover the MTUs en route, the attacker conducts Path MTU Discovery: probes are sent with DF = 1, and a router whose next hop has a smaller MTU drops the probe and returns an ICMP Destination Unreachable / Fragmentation Needed message (type 3, code 4) that carries the next-hop MTU (RFC 1191). Where those ICMP messages are filtered, the attacker can still find the path MTU by varying the probe size and watching which sizes get a reply.

MTU Discovery is typically done before the actual attack!
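The search described above, as an added example written for this page (not code from the slides): a binary search over the probe size with DF set, which works even when the ICMP Fragmentation Needed replies are filtered. The `ping -M do` flags are those of Linux iputils; the simulated path used in the demo is a constructed stand-in for a real network.

```python
import subprocess

IP_HEADER = 20      # IPv4 header without options
ICMP_HEADER = 8     # echo request header


def discover_path_mtu(probe, lo: int, hi: int) -> int:
    """Binary search for the largest payload size a DF=1 probe gets through.

    probe(size) returns True when a DF=1 packet carrying `size` payload bytes
    was answered and False when it was not (dropped by a router whose next
    hop is smaller, or refused locally as too big). `lo` is a size known to
    succeed and `hi` a size known to fail; the search keeps that invariant.
    """
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def ping_probe(host: str, size: int, timeout_s: int = 1) -> bool:
    """One ICMP echo with DF set (Linux iputils: -M do); size = ICMP payload bytes.
    Exit status 0 means an echo reply came back, so the packet fit the path."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(size), host]
    done = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode == 0


def path_mtu(host: str) -> int:
    """Path MTU towards host in bytes: largest payload plus IP and ICMP headers.
    65508 bytes of payload can never fit (65535 byte datagram limit)."""
    largest = discover_path_mtu(lambda s: ping_probe(host, s), 0, 65508)
    return largest + IP_HEADER + ICMP_HEADER


def simulated_path(mtu: int):
    """Constructed stand-in for the network: a probe succeeds exactly when the
    whole packet (payload + headers) fits in the smallest link on the path.
    Replace with ping_probe to measure a real path."""
    return lambda size: size + IP_HEADER + ICMP_HEADER <= mtu


if __name__ == "__main__":
    largest = discover_path_mtu(simulated_path(1400), 0, 65508)
    print("largest DF=1 payload:", largest,
          "-> path MTU", largest + IP_HEADER + ICMP_HEADER)
```

About 16 probes suffice for the full 16-bit size range; the result is what the attacker then uses as the upper bound for every crafted fragment, so that no router on the path re-fragments them.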

Page 7:

IPv4: Abusing Fragmentation Fields (cont.)

• Fragmentation Offset indicates where in the original datagram the given fragment belongs – measured in units of 8 bytes! (the field is 13 bits wide, so offsets up to 8191 × 8 = 65528 bytes can be expressed)

→ all fragments with MF = 1 (all but the last one!) have to be aligned on an 8-byte boundary, i.e. the amount of data they carry must be a multiple of 8

→ if a packet with MF = 1 does not pass the following check, drop it: (Total Length - IHL × 4) mod 8 = 0
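A worked implementation of the fragmentation rules from this slide and the MTU = 660 example earlier: fragment size = (MTU - 20) rounded down to a multiple of 8, offsets encoded in 8-byte units in the 13-bit field, MF on every piece but the last, re-fragmentation of a fragment by a later router, the receiver-side alignment check, and reassembly from fragments arriving in any order. This is an added example written for this page, not code from the slides; it assumes a 20-byte header without options and models fragments as (byte offset, MF, data) rather than building complete packets.

```python
import random

IHL_BYTES = 20              # IPv4 header without options
FLAG_DF = 0x4000            # "Don't Fragment", bit 1 of the flags field
FLAG_MF = 0x2000            # "More Fragments", bit 2 of the flags field
OFFSET_MASK = 0x1FFF        # 13-bit fragment offset, in units of 8 bytes


def encode_flags_offset(df: bool, mf: bool, byte_offset: int) -> int:
    """Build the 16-bit flags/fragment-offset word of the IPv4 header."""
    if byte_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    units = byte_offset // 8
    if units > OFFSET_MASK:
        raise ValueError("offset does not fit in 13 bits")
    return (FLAG_DF if df else 0) | (FLAG_MF if mf else 0) | units


def decode_flags_offset(word: int) -> tuple[bool, bool, int]:
    """Inverse of encode_flags_offset: (DF, MF, offset in bytes)."""
    return bool(word & FLAG_DF), bool(word & FLAG_MF), (word & OFFSET_MASK) * 8


def refragment(frag: tuple[int, bool, bytes], mtu: int) -> list[tuple[int, bool, bytes]]:
    """Split one fragment (or a whole datagram: offset 0, MF = 0) for a link MTU.

    Every piece except the last carries (mtu - 20) rounded down to a multiple
    of 8 bytes; the last piece inherits the parent's MF flag, so after any
    number of re-fragmentations only the final piece of the original datagram
    has MF = 0 and all offsets stay relative to the original datagram.
    """
    offset, mf, data = frag
    chunk = (mtu - IHL_BYTES) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry 8 bytes of data")
    if len(data) <= mtu - IHL_BYTES:
        return [frag]                       # fits on the link, nothing to do
    pieces = []
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        last = i + chunk >= len(data)
        pieces.append((offset + i, mf or not last, piece))
    return pieces


def fragment(payload: bytes, mtu: int) -> list[tuple[int, bool, bytes]]:
    """Fragment a complete datagram payload for a link of the given MTU."""
    return refragment((0, False, payload), mtu)


def passes_alignment_check(mf: bool, data_len: int) -> bool:
    """The receiver-side check from the slide: a fragment with MF = 1 whose data
    length is not a multiple of 8 cannot be followed by a correctly aligned
    next fragment, so it is dropped."""
    return not mf or data_len % 8 == 0


def reassemble(frags: list[tuple[int, bool, bytes]]) -> bytes:
    """Reassemble fragments arriving in any order; fails on gaps or overlaps."""
    out = bytearray()
    expected = 0
    ordered = sorted(frags, key=lambda f: f[0])
    for offset, mf, data in ordered:
        if not passes_alignment_check(mf, len(data)):
            raise ValueError(f"misaligned fragment at byte {offset}")
        if offset != expected:
            raise ValueError(f"gap or overlap at byte {offset}")
        out += data
        expected = offset + len(data)
    if not ordered or ordered[-1][1]:
        raise ValueError("last fragment (MF = 0) missing")
    return bytes(out)


# Constructed sample payload of 1536 bytes (not a capture from the slides).
PAYLOAD = bytes(range(256)) * 6


def demo() -> bytes:
    first_hop = fragment(PAYLOAD, 660)          # 640, 640 and 256 bytes of data
    # a later router with MTU 300 re-fragments the middle fragment only
    on_the_wire = first_hop[:1] + refragment(first_hop[1], 300) + first_hop[2:]
    random.shuffle(on_the_wire)                 # fragments may arrive out of order
    return reassemble(on_the_wire)


if __name__ == "__main__":
    for off, mf, data in fragment(PAYLOAD, 660):
        print(f"offset={off:5d} ({off // 8:3d} units) MF={int(mf)} len={len(data)}")
    print("round trip ok:", demo() == PAYLOAD)
```

The middle fragment (offset 640, 640 bytes, MF = 1) re-fragmented at MTU 300 becomes three pieces at offsets 640, 920 and 1200, all with MF = 1; the receiver cannot tell that this happened, which is exactly why reassembly code has to cope with arbitrary fragment sizes and orders.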

Page 8:

IPv4: Abusing Fragmentation Fields (cont.)

Example: Fragmenting an IP packet that carries a TCP packet. Only the first fragment contains the TCP header (ports, flags, sequence number); every later fragment carries just an IP header and a slice of the data, so a packet filter that decides on port numbers sees them as portless fragments (RFC 1858 describes the tiny-fragment and overlapping-fragment filter-evasion attacks this enables).

Page 9:

IPv4: Abusing Fragmentation Fields (cont.)

Example: Teardrop Attack

A form of DoS attack targeting TCP/IP fragmentation reassembly code. Causes fragmented packets to overlap; the host attempts to reconstruct the original packet, but fails in the process …

Teardrop attacks are a result of an OS vulnerability common in older versions of Windows, including 3.1, 95 and NT. While patches were thought to have put a stop to these attacks, a vulnerability resurfaced in Windows 7 and Windows Vista, making Teardrop attacks once again a viable attack vector. The vulnerability was re-patched in the latest version of Windows, but operators should keep an eye out to ensure that it stays patched in all future versions.

Page 10:

IPv4: Abusing Fragmentation Fields (cont.)

Example: Teardrop Attack (cont.)

“If successful, a Teardrop attack will cause the operating system to crash or hang. In most cases, users will see the Blue Screen of Death, which indicates that the system is in panic mode. While this attack is not harmful to a target machine in and of itself, any unsaved data in applications open at the time of the attack will almost certainly be lost.”

http://download.saintcorporation.com/cgi-bin/doc.pl?document=vulnerability/newtear

Page 11:

IPv4: Abusing Fragmentation Fields (cont.)

Example: Teardrop Attack

• The IP payload in the first fragment is 36 bytes, the total length of the IP packet is 56 bytes, the protocol is UDP, and the UDP checksum is 0 (that is, unchecked). Note that 36 is not a multiple of 8, so a fragment with MF = 1 and this length already fails the alignment check from the previous slides.

• The IP payload in the second fragment is 4 bytes, the total length of the IP packet is 24 bytes, the protocol is UDP, and the offset is 24 = 3 × 8 (this is deliberately wrong: a non-overlapping second fragment would have to start at byte 36). The second fragment therefore ends at byte 28, inside the first one; a reassembly routine that trims the overlap by computing (end of fragment 2) - (end of fragment 1) as the length of the remaining data gets a negative number, which is the bug the original exploit triggered.

[Figure: Fragment 1 and Fragment 2 as sent; fragment 2 carries fragmentation offset = 3. Error?!?!]

Page 12:

IPv4: Abusing Fragmentation Fields (cont.)

Example: Rose AttackA form of DoS that involves sending the first and the last fragment ofa very large IP packet, but not the middle fragments. The fragmentbuffer in the IP stack is held open for a certain period of time …This causes the CPU to spike and legitimate fragmented packets to bedropped.

If Rose attacks use UDP:• The IP payload in the first fragment is 40 bytes (including the UDP header, with UDP checksum 0), and the IP header is 20 bytes.• The IP payload in the second fragment is 32 bytes, the offset is 65408, and the morefrag is 0 (last fragment).

Fragment 1

Fragment 2

Page 13:

IPv4: Abusing Fragmentation Fields (cont.)

Cyber Attacks are a Game of Cat and Mouse

Attack   | Problem                                                | Fix
---------|--------------------------------------------------------|----------------------------------------------------------------------------------
Teardrop | overlapped fragments arrive at the destination machine | keep track of fragments and drop the whole packet as soon as overlap is observed
Rose     | only 2 fragments arrive at the destination machine     | set a timer after the last fragment received; drop the whole packet if no new fragments in X seconds

Page 14:

IPv4: Abusing Fragmentation Fields (cont.)

Example: FragmentSmack (Fall 2018)

FragmentSmack (CVE-2018-5391) is a remote CPU-exhaustion DoS against the Linux kernel's IP fragment reassembly: the attacker sends a continuous stream of tiny (8-byte) fragments with random, non-overlapping offsets that never complete a datagram, so each new fragment is inserted into an ever-growing per-datagram list and the kernel burns CPU on the inserts. Nothing overlaps and the fragments keep arriving, so neither the overlap check nor the reassembly timer from the previous slide fires. Mitigations were to lower net.ipv4.ipfrag_high_thresh / ipfrag_low_thresh; the kernel fix moved the fragment queue to a red-black tree and started discarding datagrams with overlapping fragments.

https://searchsecurity.techtarget.com/answer/FragmentSmack-How-is-this-denial-of-service-exploited

Page 15:

IPv4: Abusing Fragmentation Fields (cont.)

[Figure: the Teardrop / Rose table from the previous slide, next to a fragmented IP packet as sent by FragmentSmack]

Do any of the previous fixes help here?? (No: the FragmentSmack fragments never overlap, and they keep arriving faster than the timer expires, so the remaining defences are a limit on reassembly memory / fragments per datagram and a data structure with cheap inserts.)
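The reassembly defences discussed for Teardrop, Rose and FragmentSmack on the last few slides, run against all three attack patterns. This is an added example written for this page, not code from the slides or from any kernel: the addresses, datagram IDs and the per-datagram fragment cap of 64 are constructed assumptions (the cap stands in for the kernel's memory thresholds), time is simulated with `tick()`, and the 8-byte alignment check from the earlier slides is deliberately left out so that the Teardrop fragments reach the overlap check.

```python
MAX_DATAGRAM = 65535


class ReassemblyQueue:
    """Per-destination IP reassembly with the three defences from the slides.

    - Teardrop fix: drop the whole datagram as soon as a fragment overlaps one
      already queued.
    - Rose fix: a timer restarted on every fragment; a datagram with no new
      fragment for `timeout` seconds is discarded and its buffer reclaimed.
    - FragmentSmack-style mitigation: cap the number of fragments queued per
      datagram (assumed value, standing in for the kernel's memory limits).
    """

    def __init__(self, timeout=30.0, max_frags=64):
        self.timeout = timeout          # Linux default net.ipv4.ipfrag_time is 30 s
        self.max_frags = max_frags
        self.now = 0.0                  # simulated clock, advanced with tick()
        self.queues = {}                # (src, dst, proto, id) -> partial datagram

    def tick(self, seconds):
        """Advance the clock and expire idle datagrams (Rose fix)."""
        self.now += seconds
        expired = [k for k, q in self.queues.items() if self.now - q["last"] > self.timeout]
        for k in expired:
            del self.queues[k]
        return expired

    def add(self, key, offset, mf, data):
        """Returns ('complete', bytes), ('pending', n_queued) or ('dropped', reason)."""
        start, end = offset, offset + len(data)
        if end > MAX_DATAGRAM:
            return ("dropped", "exceeds 65535 bytes")
        q = self.queues.setdefault(key, {"frags": [], "total": None, "last": self.now})
        for s, e, _ in q["frags"]:
            if start < e and s < end:              # any byte in common
                del self.queues[key]               # Teardrop fix: discard everything
                return ("dropped", "overlap")
        if len(q["frags"]) >= self.max_frags:
            del self.queues[key]                   # FragmentSmack mitigation
            return ("dropped", "too many fragments")
        q["frags"].append((start, end, data))
        q["last"] = self.now                       # restart the Rose timer
        if not mf:
            q["total"] = end                       # MF = 0 tells us the datagram length
        if q["total"] is not None and self._contiguous(q):
            del self.queues[key]
            return ("complete", b"".join(d for _, _, d in sorted(q["frags"])))
        return ("pending", len(q["frags"]))

    @staticmethod
    def _contiguous(q):
        expected = 0
        for s, e, _ in sorted(q["frags"]):
            if s != expected:
                return False
            expected = e
        return expected == q["total"]


def teardrop(q):
    """Slide 11: 36 bytes at offset 0, then 4 bytes at offset 24 (inside the first)."""
    key = ("10.0.0.1", "10.0.0.2", 17, 242)        # constructed addresses and ID
    q.add(key, 0, True, b"A" * 36)
    return q.add(key, 24, False, b"B" * 4)


def rose(q):
    """Slide 12: first and last fragment only; the timer has to reclaim the buffer."""
    key = ("10.0.0.1", "10.0.0.2", 17, 243)
    q.add(key, 0, True, b"A" * 40)
    state = q.add(key, 65408, False, b"B" * 32)
    return state, key in q.tick(31)                # 31 s of silence > 30 s timeout


def fragmentsmack(q):
    """Tiny non-overlapping fragments, never offset 0, never MF = 0, arriving
    every 0.1 s: neither the overlap check nor the timer ever fires."""
    key = ("10.0.0.1", "10.0.0.2", 17, 244)
    result, i = None, 0
    for i in range(1, 200):
        result = q.add(key, 8 * i, True, b"C" * 8)
        q.tick(0.1)
        if result[0] == "dropped":
            break
    return result, i


if __name__ == "__main__":
    print("teardrop:", teardrop(ReassemblyQueue()))
    print("rose:", rose(ReassemblyQueue()))
    print("fragmentsmack:", fragmentsmack(ReassemblyQueue()))
```

Only the per-datagram cap stops the third pattern; with the first two defences alone the queue would hold 199 fragments per datagram ID, and an attacker cycling through IDs fills the reassembly memory long before any timer expires.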

Page 16:

IPv4: Abusing Fragmentation Fields (cont.)

Page 17:

IPv4: Abusing TTL Field

• Time to Live (TTL) Field has two functions: 1) to bind the lifetime of the IP packet, 2) to prevent packets from looping indefinitely in the network

→ can be interpreted as a hop count (RFC 791 defined it in seconds, but every router decrements it by at least one, so in practice it counts hops)

→ max value: 255, recommended default value: 64

→ however, different OSs implement different initial TTL values, which can be exploited for purposes of OS fingerprinting …

Page 18:

IPv4: Abusing TTL Field (cont.)

Example: TTL values in different OSs (e.g. Linux, macOS and the BSDs start at 64, Windows at 128, Solaris and Cisco IOS at 255; an observed TTL of 117 in a received packet is therefore most likely a Windows host 11 hops away)

https://www.safaribooksonline.com/library/view/practical-network-scanning/9781788839235/

Page 19:

IPv4: Abusing TTL Field (cont.)

→ every router that forwards a packet must decrement the packet's TTL by one, which can be exploited to determine the network location (hop distance) of the sending device: initial TTL (guessed from the OS) minus observed TTL = number of hops

→ a router receiving an IP packet with TTL = 1 decrements it to 0, discards the packet and normally sends an ICMP Time Exceeded message (type 11, code 0) back to the sender – this is what traceroute relies on

Page 20:

IPv4: Abusing TTL Field (cont.)

Example: TTL Expiry CPU-DoS Attack on Routers

When a packet expires on a routing platform because its TTL reaches 0, it is required to send an ICMP TTL Exceeded message back to the sender (RFC 1716). On the other hand, routers do not need to respond to ping requests.

This functionality can, however, be misused. If an attacker sends a flood of packets with the TTL value set such that the packets expire on the switch, the switch is forced to generate a large amount of ICMP TTL Exceeded messages. This causes a high CPU load.

https://www.ccexpert.us/port-security/ttl-expiry-attack.html

Some routers do not respond to (e.g.) ICMP Ping packets, so pings cannot be used to perform a DoS on the router's CPU resources; expiring packets, however, are punted from the forwarding hardware to the CPU no matter what, which is why the usual defence is to rate-limit ICMP generation and police traffic destined for the control plane.

Page 21:

IPv4: Abusing TTL Field (cont.)

Example: TTL Manipulation Attack / Attack Masking

An attacker can launch an attack that includes bogus packets with smaller TTL values than the packets that make up the real attack. If your network-based sensor sees all of the packets but the target host only sees the actual attack packets, the attacker has managed to distort the information that the sensor uses, causing the sensor to potentially miss the attack (since the bogus packets distort the information being processed by the sensor).

https://www.ccexpert.us/ips/ttl-manipulation.html

Attack packets have a known ‘signature’ and the IDS sensors would easily detect them. To confuse the sensors, the attacker mixes the attack packets with bogus packets of shorter TTL. As such, the bogus packets will pass through the sensors but will be dropped (their TTL expires) before reaching the victim machine, so the sensor reassembles a different stream than the victim does. A sensor that knows how many hops remain to the protected hosts can defeat this by ignoring packets whose TTL can no longer reach them.

Page 22:

IPv4: Abusing TTL Field (cont.)

Example: Firewalking Attack

https://slideplayer.com/slide/10176917/

… an active network reconnaissance technique that attempts to determine which ports on a specific machine are blocked by the firewall. Requires knowledge of:
- IP address of the target device and IP address of the firewall;
- number of hops to the firewall (obtained with traceroute).

Send a packet with TTL = (hops to firewall + 1), destination IP = target device, destination port = P, so that the TTL drops to 0 at the first hop behind the firewall.

If no response – the firewall blocks this device/port; otherwise the next hop behind the firewall sends back an ICMP Time Exceeded message, and the attacker learns that the firewall lets port P through whether or not anything listens on it.

[Figure: packets sent to machine X port Y are not coming back. Is port Y on X down, or is the firewall blocking these packets?!]
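A simulation of the two TTL tricks on these last two slides (firewalking and TTL-based sensor evasion) together with the sensor-side fix. This is an added example written for this page, not code from the slides: the topologies, hop names, ports and the "first copy wins" stream-reassembly policy are constructed assumptions, and the model deliberately ignores that real stacks differ in which copy of an overlapping segment they keep (which is a second evasion technique in its own right).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Hop:
    name: str
    allowed_ports: Optional[frozenset] = None   # None: plain router; a set: firewall allow-list


class Path:
    """Routers between sender and target; the target host sits after the last one.
    Every router decrements the TTL and, if it reaches 0, discards the packet and
    answers ICMP Time Exceeded. A firewall hop silently drops filtered ports.
    The host itself accepts any packet that arrives with TTL >= 1."""

    def __init__(self, hops):
        self.hops = hops

    def send(self, ttl: int, dport: int):
        for hop in self.hops:
            if hop.allowed_ports is not None and dport not in hop.allowed_ports:
                return ("filtered", hop.name)          # no reply at all
            ttl -= 1
            if ttl == 0:
                return ("time-exceeded", hop.name)     # ICMP type 11, code 0
        return ("delivered", None)

    def on_link_after(self, ttl: int, hop_index: int) -> bool:
        """Would a packet sent with this TTL still exist on the link behind
        router number hop_index (1-based)? That is where a passive sensor taps."""
        return ttl > hop_index


def firewalk(path: Path, hops_to_firewall: int, ports):
    """Classify ports as let through (True) or blocked by the firewall, using
    TTL = hops + 1 so that the packet expires right behind the firewall."""
    ttl = hops_to_firewall + 1
    return {p: path.send(ttl, p)[0] == "time-exceeded" for p in ports}


def reconstruct(packets, keep):
    """Rebuild a byte stream from (seq, byte, ttl) packets the observer actually
    sees; on duplicate sequence numbers the first copy wins (assumed policy)."""
    buf = {}
    for seq, byte, ttl in packets:
        if keep(ttl) and seq not in buf:
            buf[seq] = byte
    return bytes(buf[s] for s in sorted(buf))


# Constructed topologies, not from the slides.
FW_PATH = Path([Hop("R1"), Hop("FW", frozenset({80, 443})), Hop("R3")])   # host behind R3
IDS_PATH = Path([Hop("R1"), Hop("R2"), Hop("R3"), Hop("R4")])              # sensor taps after R1


def ttl_evasion_views(sensor_tap=1, min_ttl=0):
    """Attack stream interleaved with low-TTL decoys at the same sequence numbers.
    Returns (what the sensor reconstructs, what the host reconstructs)."""
    decoy_ttl = sensor_tap + 2            # survives past the tap, dies before the host
    packets = []
    for seq, (real, fake) in enumerate(zip(b"ATTACK", b"BENIGN")):
        packets.append((seq, fake, decoy_ttl))   # decoy is sent first
        packets.append((seq, real, 64))
    # The sensor observes a TTL already decremented sensor_tap times; min_ttl is
    # the smallest observed TTL that can still reach the host (remaining routers + 1).
    sensor = reconstruct(packets, lambda ttl: IDS_PATH.on_link_after(ttl, sensor_tap)
                         and ttl - sensor_tap >= min_ttl)
    host = reconstruct(packets, lambda ttl: IDS_PATH.send(ttl, 80)[0] == "delivered")
    return sensor, host


if __name__ == "__main__":
    print("firewalk:", firewalk(FW_PATH, 2, [22, 80, 443]))
    print("naive sensor vs host:", ttl_evasion_views())
    remaining = len(IDS_PATH.hops) - 1            # routers between sensor and host
    print("sensor with min_ttl  :", ttl_evasion_views(min_ttl=remaining + 1))
```

With the firewall two hops away, TTL = 3 expires at R3 for ports 80 and 443 (the firewall forwarded them) and produces silence for port 22 (the firewall dropped it). In the evasion case the naive sensor reassembles the decoy text while the host receives the real stream; configuring the sensor with the minimum TTL needed to reach its hosts (4 here) makes both views agree again.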

Page 23:

Summary

• What have we learned?!

during the initial IP protocol design it was hard to foresee all possible side-effects of different ‘functionalities’

→ the packet/fragment ID was a good idea, but can be abused in traffic monitoring/analysis

→ fragmentation was also a good idea, but creates opportunities for a number of attacks during the reassembly process

→ options were nice, but created additional vulnerabilities

→ addresses were necessary, but can be spoofed and lead to many problems

→ the TTL field was also necessary, but can aid attackers in a number of attacks (DoS, attack obfuscation, network scanning, OS fingerprinting, …)

Page 24:

Summary (cont.)

• What have we learned?! solutions:

→ do NOT rely on IPv4 header fields for security / user authentication (source addresses, IDs and TTLs are all under the sender's control)

→ make sure your OS is protected against well-known IP-based attacks (LAND, Teardrop, Ping-of-Death, …)

→ perform egress and ingress filtering