
IP fragmentation attack

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 2a00:23c6:1a2b:c901:5d48:bdb9:cb04:e5fc (talk) at 21:27, 19 October 2020. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.


IP fragment incomplete packet
This exploit occurs when a packet cannot be fully reassembled because data is missing. This can indicate a denial-of-service attack or an attempt to defeat packet filter security policies.


  • To set the IP packet size equal to or smaller than that of the directly attached medium and delegate all further fragmentation of packets to routers, meaning that routers decide whether the current packet should be re-fragmented or not. This offloads a lot of work onto routers, and can also result in packets being fragmented by several IP routers one after another, producing very peculiar fragmentation.
  • RFC 791


IP Fragment Too Small
If an IP fragment is too small it indicates that the fragment is likely intentionally crafted. Any fragment other than the final fragment that is less than 400 bytes could be considered too small. Small fragments may be used in denial of service attacks or in an attempt to bypass security measures or detection.



This can be accomplished by several approaches:



Flags: a 3-bit field that indicates whether or not the packet is part of a fragmented datagram.






  1. ^ Hollis, Ken. "The Rose Fragmentation Attack Explained". Archived from the original on 2012-02-24. Retrieved 2013-11-25.




Exploits



References

[Packet capture listing (columns No., Time, Source, Destination, Protocol, Info): the frames of one ICMP datagram sent from 87.247.163.96 to 66.94.234.13, each shown as "Fragmented IP protocol (proto=ICMP 0x01, off=N)" with the fragment offset growing from frame to frame.]


IP fragmentation buffer full
The IP fragmentation buffer full exploit occurs when there is an excessive amount of incomplete fragmented traffic detected on the protected network. This could be due to an excessive number of incomplete fragmented packets, a large number of fragments for individual packets or a combination of quantity of incomplete packets and size/number of fragments in each packet. This type of traffic is most likely an attempt to bypass security measures or Intrusion Detection Systems by intentional fragmentation of attack activity.





  • RFC 1858





Fragment Offset specifies the fragment's position within the original packet, measured in 8-byte units.




Two important points here:




According to [Kurose 2013], in one type of IP fragmentation attack "the attacker sends a stream of small fragments to the target host, none of which has an offset of zero. The target can collapse as it attempts to rebuild datagrams out of the degenerate packets."[1] Another attack sends overlapping fragments with non-aligned offsets, which vulnerable operating systems may not know how to handle, causing some of them to crash.[1]



Fragmentation for evasion






Flags:

Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment.
Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments.

[IPv4 header layout diagram; the fields recoverable from this revision are Version, DF, MF, Fragment Offset and Header Checksum.]

Network infrastructure equipment such as routers, load balancers, firewalls and IDS have inconsistent visibility into fragmented packets. For example, a device may subject the initial fragment to rigorous inspection and auditing but allow all additional fragments to pass unchecked. Some attacks use this fact to evade detection by placing incriminating payload data in later fragments. Devices operating in "full" proxy mode are generally not susceptible to this subterfuge.

The source system sets the "Identification" field in each packet to a value that is unique among all packets with the same source IP address, destination IP address and "Protocol" values, for the lifetime of the packet on the internet. This lets the destination distinguish which incoming fragments belong to which packet and buffer all of them until the last fragment is received. The last fragment has the "More Fragments" bit set to 0, which tells the receiving station to start reassembling the data once all fragments have been received.
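Defensive bookkeeping for the reassembly process just described, as an added example that is not code from the Wikipedia article: a small Python tracker keyed on the (source, destination, protocol, Identification) tuple that flags the conditions listed under Exploits (non-final fragments below the article's 400-byte limit, overlapping fragments, datagrams with no zero-offset fragment as in Kurose's attack, and a full reassembly buffer). The MAX_PENDING capacity and the fragment inputs are assumptions constructed for illustration.

```python
# Added example (not the Wikipedia article's code): an IPv4 fragment tracker keyed
# on (src, dst, protocol, identification) that reports the article's exploit conditions.
from dataclasses import dataclass, field

MIN_NONFINAL = 400   # article's limit: a non-final fragment below this is "too small"
MAX_PENDING = 64     # assumed reassembly-buffer capacity (datagrams in flight)
@dataclass
class Fragment:
    src: str; dst: str; proto: int; ident: int
    offset: int   # Fragment Offset field value, in 8-byte units
    more: bool    # MF (More Fragments) flag
    length: int   # payload bytes carried by this fragment
@dataclass
class Datagram:
    ranges: list = field(default_factory=list)  # (start, end) byte ranges seen so far
    total: int = -1                              # set once the MF=0 fragment arrives

class FragmentTracker:
    def __init__(self):
        self.pending = {}   # (src, dst, proto, ident) -> Datagram awaiting reassembly
    def add(self, f: Fragment) -> list:   # returns the alert names this fragment triggers
        alerts, key = [], (f.src, f.dst, f.proto, f.ident)
        if key not in self.pending and len(self.pending) >= MAX_PENDING:
            alerts.append("buffer full")   # a real stack would drop it; we keep tracking
        d = self.pending.setdefault(key, Datagram())
        start, end = f.offset * 8, f.offset * 8 + f.length
        if f.more and f.length < MIN_NONFINAL:
            alerts.append("fragment too small")
        if any(start < e and s < end for s, e in d.ranges):
            alerts.append("overlapping fragment")
        d.ranges.append((start, end))
        if not f.more:
            d.total = end   # last fragment: the datagram length is now known
        if d.total >= 0 and self._covers(d.ranges, d.total):
            del self.pending[key]   # fully reassembled; release the buffer slot
        return alerts

    @staticmethod
    def _covers(ranges, total) -> bool:
        pos = 0   # bytes contiguously covered starting from offset 0
        for s, e in sorted(ranges):
            if s > pos:
                return False   # gap: datagram still incomplete
            pos = max(pos, e)
        return pos >= total

    def incomplete(self) -> dict:   # pending datagrams; no offset-0 fragment = Kurose's attack
        return {k: "no first fragment" if all(s > 0 for s, _ in d.ranges) else "incomplete"
                for k, d in self.pending.items()}
```

Feed it fragments parsed from a capture in arrival order; a datagram that completes is dropped from `pending`, so whatever remains after a timeout is the incomplete or first-fragment-less traffic the article describes.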

  1. ^ a b Kurose, James F. (2013). Computer Networking: A Top-down Approach. Ross, Keith W., 1956- (6th ed.). Boston: Pearson. p. 338. ISBN 9780132856201. OCLC 769141382.