ITIS 6167/8167: Network and Information Security


Page 1: ITIS 6167/8167: Network and Information Security

ITIS 6167/8167: Network and Information Security

Weichao Wang

Page 2

Contents

• IP fragmentation and attacks
  – IP protocol
  – IP fragmentation
  – Attacks
  – Mitigation mechanisms


Page 4

IP protocol and fragmentation

• The IP layer provides the fundamental service of the Internet: unreliable, connectionless, best-effort packet delivery
  – Unreliable: a packet may be lost, duplicated, delayed, or delivered out of order
  – Connectionless: every packet is handled independently
  – Best-effort: no quality guarantee

Page 5

• The IP protocol
  – Defines the format of the IP packet
  – Routing
  – Determines
    • packet processing procedures
    • error reporting and handling procedures
    • when packets can be discarded

Page 6

IP encapsulation

• In Ethernet, the frame type for IP is 0x0800

[Figure: an IP packet is the IP header followed by the IP data]

Page 7

IP format

Page 8

• Details of the IP packet
  – Vers: current version is 4
  – HLEN: header length in 32-bit words. Usually 5 (20 bytes); the maximum is 60 bytes (with IP options)
  – Type of service: usually all 0 (best effort); can be used for DiffServ and QoS
    • 3 bits of precedence, 4 bits of TOS, 1 bit unused
    • TOS bit 1 (minimize delay), 2 (maximize throughput), 3 (maximize reliability), 4 (minimize cost)
  – Total length: 16 bits, so a packet can be up to 64K bytes long

Page 9

• Identification, flags, and offset: used for fragmentation and reassembly (later)
• TTL (time to live): the number of routers (or seconds) a packet can live
  – Every router reduces this value by one. When it reaches 0, the packet is discarded
  – Can be used to prevent routing loops
  – TTL is what traceroute uses

Page 10

-bash-3.1$ ping -i 7 dell.com
PING dell.com (143.166.224.244) 56(84) bytes of data.
From kcm-edge-15.inet.qwest.net (65.120.164.89) icmp_seq=1 Time to live exceeded
From kcm-edge-15.inet.qwest.net (65.120.164.89) icmp_seq=2 Time to live exceeded

Page 11

• Type: the higher-level protocol the IP packet contains: ICMP (0x01), TCP (0x06), UDP (0x11)
• Header checksum:
  – Calculated only over the header
  – Re-computed at every hop (why?)
• Example: an ICMP packet between 128.10.2.3 and 128.10.2.8. Header length is 20 bytes.
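As an added example (not code from the lecture), the following Python builds the 20-byte header of the ICMP packet described above, computes the RFC 791 header checksum, and shows the per-hop step a router performs: decrement TTL, then recompute the checksum because it covers only the header and the header just changed. The TTL, identification and total length values are assumptions.

```python
import struct
from typing import Optional

def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, proto: int, total_len: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte header (HLEN = 5, TOS = 0, flags/offset = 0) with the checksum filled in."""
    def ip2bytes(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, ident, 0,
                      ttl, proto, 0, ip2bytes(src), ip2bytes(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def verify_checksum(header: bytes) -> bool:
    """A correct header sums to 0xFFFF, so checksumming it again yields 0."""
    return ip_checksum(header) == 0

def forward_hop(header: bytes) -> Optional[bytes]:
    """Router step from the slides: decrement TTL, drop at 0, otherwise recompute
    the checksum (it only covers the header, and the TTL byte just changed)."""
    ttl = header[8] - 1
    if ttl == 0:
        return None                         # router sends ICMP Time Exceeded to the source
    new = header[:8] + bytes([ttl]) + header[9:10] + b"\x00\x00" + header[12:]
    return new[:10] + struct.pack("!H", ip_checksum(new)) + new[12:]

if __name__ == "__main__":
    # Constructed sample: the slide's ICMP packet, 84 bytes total (20 header + 64 ICMP).
    h = build_ipv4_header("128.10.2.3", "128.10.2.8", proto=1, total_len=84)
    print(h.hex(), verify_checksum(h))
```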


Page 13

• IP header options
  – Record route option
    • Intermediate routers attach their IP address to the packet
  – Timestamp option
    • Intermediate routers attach a 32-bit timestamp
  – Source routing option
    • Strict source routing
    • Loose source routing: allows multiple hops between the listed routers


Page 15

• IP fragmentation
• Why do we need it?
  – MTU: maximum transmission unit
  – An IP packet can be as large as 65535 bytes
  – Different hardware has different MTUs: Ethernet 1500, FDDI 4470


Page 17

• IP fragmentation
  – Routers divide an IP datagram into several smaller fragments based on the MTU
  – Fragments use the same header format as the original datagram
  – Each fragment is routed independently

Page 18

• How to fragment
  – IDENT: a unique number identifying an IP datagram; fragments with the same identifier belong to the same IP datagram
  – Fragment offset:
    • Specifies where the data belongs in the original packet
    • A multiple of 8
    • Uses 13 bits (why do we only need 13 bits?)

Page 19

• FLAGs:
  – Bit 0: reserved
  – Bit 1: do not fragment (if this bit is set and the MTU is not large enough, an ICMP message is sent to report this)
  – Bit 2: more fragments: this bit is turned off in the last fragment (why we need this bit: so we can calculate the length of the original packet)


Page 21

• Example:
  – Original packet: header + 400 + 400 + 400
  – Header 1: FLAG = 001, OFFSET = 0
  – Header 2: FLAG = 001, OFFSET = 400/8 = 50
  – Header 3: FLAG = 000, OFFSET = 800/8 = 100

Page 22

• Fragment of a fragment
  – Need to pay special attention to the FLAG bits
• Reassembly
  – Reassembled before delivery to higher layers
  – Where to reassemble: router or destination, and why? (not only efficiency)
  – Use a timer to handle lost fragments and discard the whole packet
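The fragmentation arithmetic from the slides (offset in 8-byte units, the more-fragments flag, a shared IDENT) and a reassembler that refuses incomplete datagrams, as an added Python example that is not part of the lecture. It assumes a fixed 20-byte header with no options; the 1200-byte payload and MTU of 420 are constructed so that the split matches the slide's 400 + 400 + 400 example.

```python
from dataclasses import dataclass
from typing import List, Optional

HEADER_LEN = 20
MAX_DATAGRAM = 65535          # 16-bit total length field

@dataclass
class Fragment:
    ident: int
    more: bool                # MF flag (bit 2 in the slides' numbering)
    offset: int               # in 8-byte units, so 13 bits reach 8191 * 8 = 65528 bytes
    data: bytes

    @property
    def flags(self) -> str:
        """'reserved DF MF' written the way the slides do, e.g. '001'."""
        return "00" + ("1" if self.more else "0")

def fragment(payload: bytes, mtu: int, ident: int) -> List[Fragment]:
    """Split a datagram's payload so every fragment fits the link MTU.
    Every fragment except the last must carry a multiple of 8 data bytes."""
    if HEADER_LEN + len(payload) > MAX_DATAGRAM:
        raise ValueError("datagram exceeds 65535 bytes")
    chunk = (mtu - HEADER_LEN) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any data")
    frags = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        frags.append(Fragment(ident, start + chunk < len(payload), start // 8, piece))
    return frags

def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Return the payload, or None while a piece is missing or the last piece
    (MF off) has not arrived; a real stack keeps waiting until its timer expires."""
    frags = sorted(frags, key=lambda f: f.offset)
    expected, out = 0, bytearray()
    for f in frags:
        if f.offset * 8 != expected:      # gap (or overlap): cannot complete yet
            return None
        out += f.data
        expected += len(f.data)
    if not frags or frags[-1].more:       # final fragment still outstanding
        return None
    return bytes(out)

if __name__ == "__main__":
    sample = bytes(i % 251 for i in range(1200))   # constructed payload
    for f in fragment(sample, 420, 7):
        print(f.ident, f.flags, f.offset, len(f.data))
```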


Page 24

• Malicious activities on fragmentation
  – What if we never receive the last piece?
  – Overlapping fragments
  – The reassembled packet is larger than the allowed IP packet size (how can attackers do this?)

Page 25

• Attack 1: DoS attack
  – 1st fragment: offset = 0
  – 2nd fragment: offset = 64800
  – Result: the machine will now allocate 64K of memory, and usually hold it for 15 to 255 seconds
  – Who is vulnerable: Win2K, XP, most versions of UNIX

Page 26

• Attack 2: Teardrop
  – First fragment:
    • payload size N
    • more-fragments bit on
  – 2nd fragment:
    • more-fragments bit off
    • offset + payload < N
  – If the receiving host assumes that the packet can only grow longer and longer, this may crash the machine

Page 27

• Overlapping attacks against firewalls
  – Many firewalls inspect packets without reassembling them. If the TCP header is fragmented and the filter rule is based on TCP, the rule may fail
  – Firewalls examine the SYN bit
    • Tiny fragment attack: the firewall only checks the first fragment. The minimum fragment is 68 bytes (ICMP requirement), but with IP options the SYN bit may fall into the 2nd fragment.
    • Overlapping attack: packets are allowed to overlap during reassembly. The checked segment may look OK, but it will be overwritten by an overlapping fragment later.
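Defender-side checks that a firewall or reassembly buffer can run on each fragment header before accepting it, as an added Python example (not the lecture's code). It covers the cases the slides list: the datagram would exceed 65535 bytes, a fragment overlaps already-accepted data (which is how a Teardrop second fragment and a firewall-evading overlap both present themselves), a first TCP fragment too small to hold the full TCP header, and a partial datagram whose last piece never arrives. The timeout value, fragment sizes and identifiers are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_PAYLOAD = 65535 - 20      # 16-bit total length minus a 20-byte header
TCP, TCP_HEADER_MIN = 6, 20   # a first TCP fragment must carry the whole 20-byte TCP header
REASSEMBLY_TIMEOUT = 30.0     # seconds a partial datagram is held (slides: 15 to 255)

@dataclass
class Frag:
    ident: int
    proto: int
    offset: int               # in 8-byte units
    length: int               # data bytes in this fragment
    more: bool                # MF flag

@dataclass
class Pending:
    first_seen: float
    ranges: List[Tuple[int, int]] = field(default_factory=list)   # accepted (start, end)

class FragmentGuard:
    """Per-datagram checks; any failure drops the fragment and flushes its datagram."""
    def __init__(self) -> None:
        self.buffers: Dict[int, Pending] = {}

    def check(self, f: Frag, now: float) -> str:
        """Return 'accept' or the reason the fragment was dropped."""
        start, end = f.offset * 8, f.offset * 8 + f.length
        if end > MAX_PAYLOAD:
            return "oversize"                 # reassembled packet would exceed 65535 bytes
        if f.proto == TCP and f.offset == 0 and f.more and f.length < TCP_HEADER_MIN:
            return "tiny-first-fragment"      # SYN bit would be pushed into fragment 2
        if not f.more and f.offset == 0 and f.ident not in self.buffers:
            return "accept"                   # not fragmented at all
        p = self.buffers.setdefault(f.ident, Pending(now))
        if now - p.first_seen > REASSEMBLY_TIMEOUT:
            del self.buffers[f.ident]         # last piece never came: free the memory
            return "timeout"
        for s, e in p.ranges:
            if start < e and s < end:         # overlap, including Teardrop's shrinking end
                del self.buffers[f.ident]
                return "overlap"
        p.ranges.append((start, end))
        return "accept"
```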

Page 28

• IP spoofing
  – Spoofing
    • An attacker sends packets with another node's IP address
    • Replies are routed to the victim
  – Egress filtering
    • Drop packets that cannot have come from your network
  – Ingress filtering
    • Drop packets from invalid addresses

Page 29

• Router and host
  – A router usually connects to multiple networks
  – A host only connects to one
• Routing table
  – Used by routers to determine the next hop
  – When deciding which entry to use, the one with the longest match is usually chosen
• Next-hop routing
  – The destination IP address does not change; only the next hop's MAC address is used

Page 30

• Default route
  – Used when no other entry matches the routing request
• Routing procedure
  – Extract the destination IP D and compute the network prefix N
  – Is N the same network?
  – What is the routing entry with the longest match?
  – What is the default route?
  – Report an error
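The routing procedure above (same network, longest match, default route, error) together with the egress/ingress anti-spoofing filters from Page 28, as an added Python example that is not part of the lecture. The routing table, the locally owned address space and the interface names are constructed for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# A routing entry: (prefix, next hop or None when directly connected, outgoing interface).
Route = Tuple[ipaddress.IPv4Network, Optional[str], str]

# Constructed table for a router with two interfaces.
TABLE: List[Route] = [
    (ipaddress.ip_network("128.10.2.0/24"), None, "eth0"),           # directly connected
    (ipaddress.ip_network("128.10.0.0/16"), "128.10.2.254", "eth0"),
    (ipaddress.ip_network("10.0.0.0/8"), "192.0.2.1", "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "192.0.2.1", "eth1"),        # default route
]
LOCAL_NETS = [ipaddress.ip_network("128.10.0.0/16")]   # address space this site owns

def lookup(table: List[Route], dst: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Routing procedure from the slide. Returns (action, next_hop, interface), where
    action is 'direct' (D is on an attached network, so D's own MAC is used),
    'forward' (longest-match entry), 'default', or 'error' (nothing matched)."""
    d = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, nexthop, iface in table:
        # Masking D with this entry's prefix length is what "d in net" does;
        # keep the entry with the longest matching prefix.
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    if best is None:
        return ("error", None, None)          # no entry and no default: report to source
    net, nexthop, iface = best
    if net.prefixlen == 0:
        return ("default", nexthop, iface)
    if nexthop is None:
        return ("direct", dst, iface)         # same network: deliver to D directly
    return ("forward", nexthop, iface)        # destination IP unchanged, next hop's MAC used

def spoof_filter(direction: str, src: str) -> bool:
    """Anti-spoofing filters from the slides. Returns True when the packet is dropped:
    egress drops packets whose source is not ours; ingress (one common form) drops
    packets arriving from outside that claim one of our own addresses."""
    ours = any(ipaddress.ip_address(src) in n for n in LOCAL_NETS)
    return not ours if direction == "egress" else ours
```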

Page 31

• Handling incoming packets
  – Host: accept or discard, do not forward. Why?
  – Router:
    • Decrease the TTL, recompute the checksum
    • If TTL = 0, drop the packet and send an error message to the source