IPv4: Abusing Fragmentation Fields (cont.) · 2019-09-25 · IPv4: Abusing TTL Field (cont.)...
IPv4: Abusing Fragmentation Fields (cont.)
• Fragmentation Flags
Maximum Transmission Unit (MTU) - maximum frame size that can be transported on the data-link layer of a given network
How does the receiving machine know that these are fragments of a bigger (original) packet??
How does the receiving machine determine the order in which fragments should be ‘put back’??
→ How many fragments should be made out of one single IP packet??
→ (MTU-20) – amount of data to be placed in a fragment, and must be divisible by 8
→ in this case (MTU = 660), (660-20) = 640 is divisible by 8, so 640 bytes of data is placed in each fragment
→ the Fragment Offset field, multiplied by 8, tells how many bytes of the parent packet have already been sent in previous fragments
[Figure: fragmentation of an IP packet over a link with MTU = 660]
Example: defragmentation - works even if an IP packet is fragmented several times
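The fragmentation arithmetic above, as an added example (not code from the slides): the largest payload that fits the MTU is rounded down to a multiple of 8, each fragment's offset field is the number of bytes already sent divided by 8, and only the last fragment carries MF=0. A 20-byte header (no IP options) is assumed.

```python
# Added example, not from the slides: IPv4 fragmentation arithmetic.
IP_HDR = 20  # assumption: 20-byte IPv4 header, i.e. no IP options


def data_per_fragment(mtu: int) -> int:
    """Largest payload per fragment that fits the MTU and is a multiple of 8."""
    return ((mtu - IP_HDR) // 8) * 8


def fragment(total_length: int, mtu: int):
    """Split an IP packet of `total_length` bytes (header included) for a link with `mtu`.

    Returns a list of (offset_field, more_fragments, fragment_total_length), where
    offset_field is the 13-bit Fragment Offset value: bytes already sent // 8.
    """
    payload = total_length - IP_HDR
    chunk = data_per_fragment(mtu)
    if chunk <= 0:
        raise ValueError("MTU too small to carry any data")
    frags = []
    sent = 0
    while sent < payload:
        size = min(chunk, payload - sent)          # last piece may be shorter
        last = sent + size >= payload
        frags.append((sent // 8, 0 if last else 1, IP_HDR + size))
        sent += size
    return frags


def fragment_count(total_length: int, mtu: int) -> int:
    """How many fragments one IP packet becomes on a link with this MTU."""
    return len(fragment(total_length, mtu))
```

With MTU = 660 a 1500-byte packet becomes three fragments of 640, 640 and 200 data bytes with offset fields 0, 80 and 160.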
IPv4: Abusing Fragmentation Fields (cont.)
• Fragmentation Flags: 2 (out of 3) bits used to facilitate the fragmentation and reassembly function
→ DF = 1 can be used by an attacker to conduct Path-MTU Discovery
IPv4: Abusing Fragmentation Fields (cont.)
Example: Path MTU Discovery using DF = 1
In some attacks that rely on packet fragmentation, the attacker needs to ensure that additional fragmentation will NOT be triggered by intermediate routers. (This would risk one of the fragments being dropped.)
To ensure that additional fragmentation does NOT occur, the attack packets must be smaller than any Maximum Transmission Unit (MTU) en route.
To discover MTUs en route, the attacker conducts Path MTU Discovery …
MTU Discovery is typically done before the actual attack!
IPv4: Abusing Fragmentation Fields (cont.)
• Fragmentation Offset: indicates where in the original datagram the given fragment belongs – measured in units of 8 bytes!
→ all fragments with MF=1 (all but the last one!) have to be aligned on an 8-byte boundary
→ if a packet with MF=1 does not pass the following check, drop it
IPv4: Abusing Fragmentation Fields (cont.)
Example: Fragmenting an IP packet that carries a TCP packet
IPv4: Abusing Fragmentation Fields (cont.)
Example: Teardrop Attack
A form of DoS attack targeting TCP/IP fragmentation reassembly code. Causes fragmented packets to overlap - the host attempts to reconstruct the original packet, but fails in the process …
Teardrop attacks are a result of an OS vulnerability common in older versions of Windows, including 3.1, 95 and NT. While patches were thought to have put a stop to these attacks, a vulnerability resurfaced in Windows 7 and Windows Vista, making Teardrop attacks once again a viable attack vector. The vulnerability was re-patched in the latest version of Windows, but operators should keep an eye out to ensure that it stays patched in all future versions.
“If successful, a Teardrop attack will cause the operating system to crash or hang.
In most cases, users will see the Blue Screen of Death, which indicates that the system is in panic mode.
While this attack is not harmful to a target machine in and of itself, any unsaved data in applications open at the time of the attack will almost certainly be lost.”
Example: Teardrop Attack
http://download.saintcorporation.com/cgi-bin/doc.pl?document=vulnerability/newtear
IPv4: Abusing Fragmentation Fields (cont.)
Example: Teardrop Attack
• The IP payload in the first fragment is 36 bytes, the total length of the IP packet is 56 bytes, the protocol is UDP, and the UDP checksum is 0 (that is, unchecked).
• The IP payload in the second fragment is 4 bytes, the total length of the IP packet is 24 bytes, the protocol is UDP, and the offset is 24 = 3 x 8 (this is incorrectly calculated and the correct offset should be 36).
[Figure: headers of Fragment 1 and Fragment 2, annotated “Fragmentation offset = 3. Error?!?!”]
IPv4: Abusing Fragmentation Fields (cont.)
Example: Rose Attack
A form of DoS that involves sending the first and the last fragment of a very large IP packet, but not the middle fragments. The fragment buffer in the IP stack is held open for a certain period of time … This causes the CPU to spike and legitimate fragmented packets to be dropped.
If Rose attacks use UDP:
• The IP payload in the first fragment is 40 bytes (including the UDP header, with UDP checksum 0), and the IP header is 20 bytes.
• The IP payload in the second fragment is 32 bytes, the offset is 65408, and the more-fragments flag (MF) is 0 (last fragment).
[Figure: headers of Fragment 1 and Fragment 2]
IPv4: Abusing Fragmentation Fields (cont.)
Cyber Attacks are a Game of Cat and Mouse

Attack   | Problem                                                | Fix
Teardrop | overlapped fragments arrive at the destination machine | keep track of fragments and drop the whole packet as soon as overlap is observed
Rose     | only 2 fragments arrive at the destination machine     | set a timer after the last fragment received; drop the whole packet if no new fragments in X seconds
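The three reassembly checks discussed above (the 8-byte alignment rule for MF=1 fragments, dropping the whole packet on overlap as the Teardrop fix, and the inactivity timer as the Rose fix), as an added example that is not code from the slides or from any real IP stack. The parent-packet key, the timestamps and the 65535-byte bound on the reassembled length are assumptions of this model.

```python
# Added example, not from the slides: a minimal fragment reassembly tracker.
class Reassembler:
    """Per-packet fragment tracker; key = (src, dst, proto, IP ID) of the parent packet."""

    def __init__(self, timeout_s=30.0):
        self.timeout_s = timeout_s
        self.buffers = {}  # key -> {"frags": [(start, end)], "last_seen": t, "total": int|None}

    def add(self, key, offset_field, mf, payload_len, now):
        """offset_field is the 13-bit Fragment Offset (units of 8 bytes), payload_len the
        bytes of data in this fragment, now a timestamp in seconds.
        Returns 'pending', 'complete' or 'drop:<reason>'."""
        # Check 1: a non-last fragment (MF=1) must carry a multiple of 8 bytes, otherwise
        # the next fragment's offset is not expressible; drop the whole packet.
        if mf == 1 and payload_len % 8 != 0:
            self.buffers.pop(key, None)
            return "drop:alignment"
        start, end = offset_field * 8, offset_field * 8 + payload_len
        if end > 65535:  # reassembled datagram would exceed the 16-bit Total Length
            self.buffers.pop(key, None)
            return "drop:too-long"
        buf = self.buffers.setdefault(key, {"frags": [], "last_seen": now, "total": None})
        # Check 2 (Teardrop fix): overlap with a fragment already held -> drop whole packet.
        if any(start < e and s < end for s, e in buf["frags"]):
            del self.buffers[key]
            return "drop:overlap"
        buf["frags"].append((start, end))
        buf["last_seen"] = now
        if mf == 0:
            buf["total"] = end  # the last fragment fixes the original datagram's data length
        if buf["total"] is not None and self._contiguous(buf):
            del self.buffers[key]
            return "complete"
        return "pending"

    @staticmethod
    def _contiguous(buf):
        """True when the held byte ranges cover [0, total) without holes."""
        covered = 0
        for s, e in sorted(buf["frags"]):
            if s != covered:
                return False
            covered = e
        return covered == buf["total"]

    def expire(self, now):
        """Check 3 (Rose fix): drop buffers with no new fragment for timeout_s seconds."""
        stale = [k for k, b in self.buffers.items() if now - b["last_seen"] > self.timeout_s]
        for k in stale:
            del self.buffers[k]
        return stale
```

Note that the Teardrop fragments as given on the slides (36 data bytes with MF=1) already fail the alignment check before any overlap is seen; a variant with an aligned first fragment is caught by the overlap check instead.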
IPv4: Abusing Fragmentation Fields (cont.)
Example: FragmentSmack (Fall 2018)
https://searchsecurity.techtarget.com/answer/FragmentSmack-How-is-this-denial-of-service-exploited
IPv4: Abusing Fragmentation Fields (cont.)
[Figure: a fragmented IP packet]
Can any of the previous fixes help here??
IPv4: Abusing Fragmentation Fields (cont.)
IPv4: Abusing TTL Field
• Time to Live (TTL) Field has two functions: 1) to bind the lifetime of the IP packet, 2) to prevent packets from looping indefinitely in the network
→ can be interpreted as a hop count
→ max value: 255, recommended value: 64
→ however, different OSs implement different initial TTL values, which can be exploited for purposes of OS fingerprinting …
IPv4: Abusing TTL Field (cont.)
Example: TTL values in different OSs
https://www.safaribooksonline.com/library/view/practical-network-scanning/9781788839235/
→ every IP module that processes a packet must decrement the packet’s TTL by one, which can be exploited to determine the physical/network location of the sending device
→ a router receiving an IP packet with TTL=1 will discard this packet and may send an ICMP unreachable back to the sender
IPv4: Abusing TTL Field (cont.)
Example: TTL Expiry CPU-DoS Attack on Routers
When a packet expires on a routing platform because its TTL reaches 0, it is required to send an ICMP TTL Exceeded message back to the sender (RFC 17162). On the other hand, routers do not need to respond to ping requests.
This functionality can, however, be misused. If an attacker sends a flood of packets with the TTL value set such that the packets expire on the switch, the switch is forced to generate a large amount of ICMP TTL Exceeded messages. This causes a high CPU load.
https://www.ccexpert.us/port-security/ttl-expiry-attack.html
Some routers do not respond to (e.g.) ICMP Ping packets, so Pings cannot be used to perform a DoS on the router’s CPU resources.
IPv4: Abusing TTL Field (cont.)
Example: TTL Manipulation Attack / Attack Masking
An attacker can launch an attack that includes bogus packets with smaller TTL values than the packets that make up the real attack.
If your network-based sensor sees all of the packets but the target host only sees the actual attack packets, the attacker has managed to distort the information that the sensor uses, causing the sensor to potentially miss the attack (since the bogus packets distort the information being processed by the sensor).
https://www.ccexpert.us/ips/ttl-manipulation.html
Attack packets have a known ‘signature’ and the IDS sensors would easily detect them.
To confuse the sensors, the attacker mixes the attack packets with bogus packets of shorter TTL. As such, the bogus packets will pass through the sensors but will be dropped before reaching the victim machine.
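The sensor-side countermeasure to the masking technique above, as an added example (not code from the slides or from any IDS product): a sensor that knows its hop distance to each protected host ignores packets whose TTL would expire before reaching that host, so reassembly at the sensor matches what the host actually sees. The hop distance, the signature string and the packet trace are constructed for this example.

```python
# Added example, not from the slides: TTL-aware pre-filter for a network-based sensor.
# Assumption: the sensor knows the number of routers between itself and each protected host.

def will_reach_host(ttl_at_sensor: int, hops_to_host: int) -> bool:
    """True if a packet with this TTL, as seen at the sensor, can still reach the host.
    Each router decrements TTL by one and a router receiving TTL=1 discards the packet,
    so the packet survives `hops_to_host` routers only if its TTL exceeds that count."""
    return ttl_at_sensor > hops_to_host


def reassemble(packets, hops_to_host=None) -> bytes:
    """Rebuild a byte stream from (seq, ttl, data) packets.
    The first copy seen for a sequence number wins (the policy the attacker exploits:
    a low-TTL bogus copy sent first shadows the real data at the sensor).
    If hops_to_host is given, packets that cannot reach the host are ignored."""
    seen = {}
    for seq, ttl, data in packets:
        if hops_to_host is not None and not will_reach_host(ttl, hops_to_host):
            continue  # the host will never see this packet, so neither should the detector
        seen.setdefault(seq, data)
    return b"".join(seen[s] for s in sorted(seen))


SIGNATURE = b"EXAMPLE-SIGNATURE"  # constructed stand-in for a real IDS signature


def matches(stream: bytes) -> bool:
    """Trivial signature match on the reassembled stream."""
    return SIGNATURE in stream


# Constructed trace: the sensor sits 3 routers away from the host. The bogus copy of
# segment 8 carries TTL=2, so it is dropped en route; the host sees only the real data.
TRACE = [(0, 64, b"EXAMPLE-"), (8, 2, b"NOISE-NOISE"), (8, 64, b"SIGNATURE")]
HOPS_TO_HOST = 3
```

Without the filter the sensor reassembles `EXAMPLE-NOISE-NOISE` and misses the signature; with it, both sensor and host see `EXAMPLE-SIGNATURE`.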
IPv4: Abusing TTL Field (cont.)
Example: Firewalking Attack
https://slideplayer.com/slide/10176917/
… an active network reconnaissance technique that attempts to determine which ports, on a specific machine, are blocked by the firewall. Requires knowledge of:
- IP address of the target device and IP address of the firewall;
- number of hops to the firewall.
Send a packet with TTL = (hops to firewall + 1) so at the destination TTL ↓ to 0, destination IP = target device, destination port = P.
If no response – the firewall blocks this device/port; otherwise the device itself sends back an ICMP time exceeded message.
[Figure: machine X] Packets sent to machine X port Y are not coming back. Is port Y on X down, or is the firewall blocking these packets?!
Summary
• What have we learned?!
during initial IP protocol design it was hard to foresee all possible side-effects of different ‘functionalities’
→ packet/fragment ID was a good idea, but can be abused in traffic monitoring/analysis
→ fragmentation was also a good idea, but creates opportunities for a number of attacks during the reassembly process
→ options were nice, but created additional vulnerabilities
→ addresses were necessary, but can be spoofed and lead to many problems
→ TTL field was also necessary, but can aid hackers in a number of attacks (DoS, attack obfuscation, network scanning, OS fingerprinting, …)
Summary (cont.)
• What have we learned?! Solutions:
→ do NOT rely on IPv4 for security / user authentication
→ make sure your OS is protected against well-known IP-based attacks (LAND, Teardrop, Ping-of-death, …)
→ perform egress and ingress filtering