Common IP Fragment Attacks Explained
Author: zcatlinux [original]
Keywords: IP fragment attack

About this article: this article briefly introduces the principle of IP fragmentation, uses Snort capture results to analyze the mechanism and characteristics of common IP fragment attacks, and finally gives some suggestions for preventing IP fragment attacks. I hope it helps deepen the understanding of the IP protocol and of some DoS attack methods.

1. Why IP fragments exist
-=-=-=-=-=-=-=-=-=-=-=-=-=

The link layer has a maximum transmission unit (MTU) that limits the maximum length of a data frame; each network type has its own upper limit. Ethernet's MTU is 1500 bytes, and you can view this value with the netstat -i command. If the IP layer has a datagram to send and the length of the datagram exceeds the MTU, the IP layer fragments the datagram so that each fragment is less than or equal to the MTU.

Suppose we want to transmit a UDP datagram. The Ethernet MTU is 1500 bytes, an ordinary IP header is 20 bytes and the UDP header is 8 bytes, so the space left for the payload is 1500 - 20 - 8 = 1472 bytes. If the data portion is larger than 1472 bytes, fragmentation occurs.

The IP header contains the information needed for fragmentation and reassembly:

     -------------------------------------------------------
    |   Identification    | R | DF | MF | Fragment Offset |
     -------------------------------------------------------
    |<-------- 16 ------->|<---- 3 ---->|<----- 13 ------>|

Identification: a unique value that the sender assigns to each IP datagram; it is copied into every fragment when the datagram is fragmented.
R: reserved, unused.
DF: Don't Fragment. If this bit is 1, the IP layer will not fragment the datagram.
MF: More Fragments. Every fragment except the last one must have this bit set to 1.
Fragment Offset: the offset of this fragment from the start of the original datagram; the offset in bytes is this value multiplied by 8.
After the datagram is fragmented, the total length field of each fragment is changed to the length of that fragment. Each IP fragment is routed independently, and after the fragments arrive at the destination host the IP layer reassembles them. You can rest assured that the information in the header is sufficient to reassemble the fragments correctly.
You may well ask: since fragments can be reassembled, how does a so-called fragment attack work?

2. IP fragment attacks
-=-=-=-=-=-=-=-=-=-=-=-=-=

The IP header has a two-byte field for the total length of the IP datagram, so an IP datagram can be at most 0xffff = 65535 bytes. If someone deliberately sends IP fragments whose reassembled length exceeds 65535 bytes, some older system kernels have problems processing them, resulting in a crash or denial of service. In addition, if the offsets between fragments are carefully constructed, some systems cannot process them and crash. So the root of the vulnerability lies in the reassembly algorithm. Below we analyze several well-known fragment attack programs to learn how people use IP fragments to attack systems.

3. Ping o' Death
-=-=-=-=-=-=-=-=-=-=-=-=-=

Ping o' Death is a fragment attack that uses the ICMP protocol. The attacker sends an ICMP Echo Request datagram longer than 65535 bytes. When the target host reassembles it, the 65535-byte buffer allocated in advance overflows, and the system usually crashes or hangs. Doesn't ping send ICMP Echo Request packets? Let's try to attack with it! Never mind the IP and ICMP header lengths; the larger the data length the better, so let's use 65535 and send one packet:

    # ping -c 1 -s 65535 192.168.0.1
    Error: packet size 65535 is too large. Maximum is 65507

No luck; it seems the ping that comes with Linux does not let us do bad things. :( Here is how 65507 is calculated: 65535 - 20 - 8 = 65507. Ping under Win2K is even stricter: it only allows data of up to 65500 bytes. So you would have to find another program to send the packet, but newer versions of the operating systems have already fixed this defect, so just keep reading this article. By the way, remember when the "patriotic" hackers (the "Hongke", i.e. Honker Union) got netizens across the country to ping a US site, trying to ping the remote server to death? That was actually a ping flood attack.
A ping flood slows the target's responses and clogs the target network with a large number of Echo Request packets; its principle is not the same as that of Ping o' Death.

4. jolt2
-=-=-=-=-=-=-=-=-=-=-=-=-=

jolt2.c sends ICMP or UDP IP fragments in an endless loop, which locks up the target machine. I tested it against a Windows 2000 machine without any service pack: CPU utilization immediately rose to 100% and the mouse could no longer be moved. We use Snort to capture the packets sent with the ICMP and UDP protocols.
ICMP packet sent:

    01/07-15:33:26.97 192.168.0.9 -> 192.168.0.1
    ICMP TTL:255 TOS:0x0 ID:1109 IpLen:20 DgmLen:29
    Frag Offset: 0x1FFE   Frag Size: 0x9
    08 00 00 00 00 00 00 00 00                       .........

UDP packet sent:

    01/10-14:21:00.298282 192.168.0.9 -> 192.168.0.1
    UDP TTL:255 TOS:0x0 ID:1109 IpLen:20 DgmLen:29
    Frag Offset: 0x1FFE   Frag Size: 0x9
    04 D3 04 D2 00 09 00 00 61                       ........a

From the above results we can see:

* The fragment flag MF = 0, so this is the last fragment.
* The offset is 0x1ffe, so the reassembled length would be (0x1ffe * 8) + 29 = 65549 > 65535: an overflow.
* The IP ID of the packet is 1109, which can be used as a signature for IDS detection.
* ICMP packet: type 8, code 0, i.e. Echo Request; the checksum is 0x0000. The program does not compute the checksum, so strictly speaking this ICMP packet is invalid.
* UDP packet: the destination port is the one the user specifies on the command line; the source port is derived from the destination port and the constant 1235; the checksum is 0x0000 and, as with ICMP, is never computed, so the UDP packet is invalid too. The payload is just the single character 'a'.

jolt2.c was apparently meant to be able to spoof the source IP address, but the program never assigns the user-supplied address to src_addr; I do not know whether the author did this deliberately.

jolt2 is quite effective: by sending this specially offset fragment continuously it not only deadlocks unpatched Windows systems but also greatly increases network traffic. Some people use jolt2 to simulate network traffic when testing the detection efficiency of an IDS under high load, taking advantage of exactly this property.

5. Teardrop
-=-=-=-=-=-=-=-=-=-=-=-=-=

Teardrop is also fairly simple: by default it sends two UDP packets, which is enough to crash some Linux kernels. The Snort results are as follows:

    1: 01/08-11:42:21 192.168.0.9 -> 192.168.0.1
    UDP TTL:64 TOS:0x0 ID:242 IpLen:20 DgmLen:56 MF
    Frag Offset: 0x0   Frag Size: 0x24
    A0 A8 86 C7 00 24 00 00 00 00 00 00 00 00 00 00  .....$..........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00                                      ....

* MF = 1, offset = 0: the first fragment of the IP datagram.
* Structure diagram:

    |<-------- 20 ------->|<--- 8 ---->|<----------------- 28 ------------------>|
     -----------------------------------------------------------------------------
    |         IP          |    UDP     |                  Data                   |
     -----------------------------------------------------------------------------

    2: 01/08-11:42:21.98583 192.168.0.9 -> 192.168.0.1
    UDP TTL:64 TOS:0x0 ID:242 IpLen:20 DgmLen:24
    Frag Offset: 0x3   Frag Size: 0x4
    A0 A8 86 C7                                      ....

* MF = 0, offset = 0x3, i.e. an offset of 0x3 * 8 = 24 bytes: the last fragment.
* Structure diagram:

    |<-------- 20 ------->|<--4->|
     ----------------------------
    |         IP          | Data |
     ----------------------------

If you modify the source code, the offset of the second IP packet can also be 0x4, i.e. 0x4 * 8 = 32 bytes.

The following diagram shows how the receiver reassembles the fragments, for the two cases of a 24-byte and a 32-byte offset:

    |<-------- 20 ------->|<--- 8 ---->|<----------------- 28 ------------------>|
     -----------------------------------------------------------------------------
    |         IP          |    UDP     |                  Data                   |
     -----------------------------------------------------------------------------
                          |<-------------- 24 --------------->| Data |
                                                              |<--4->|
                          |<-------------------- 32 --------------------->| Data |
                                                                          |<--4->|

It can be seen that the offset of the second IP packet is smaller than the end offset of the first fragment, and the data of the second packet does not extend beyond the end of the first fragment: the two fragments overlap. Old Linux kernels (1.x - 2.0.x) have a problem when processing such overlapping fragments, and WinNT/95 also crash after receiving 10 to 50 teardrop fragments. You can read the source code of teardrop.c to learn how this kind of packet is constructed and sent.

6. How to prevent IP fragment attacks
-=-=-=-=-=-=-=-=-=-=-=-=-=

* Windows systems: install the latest service pack. Current Linux kernels are not affected.
* If possible, block fragmented packets at the network boundary, or use iptables to limit the number of fragments per second.
* If the firewall has a fragment reassembly function, make sure it does not suffer from the problem itself; otherwise a DoS against the firewall takes down the whole network.
* On Win2K, customize the IP security policy and enable "fragment check".
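As an added example (not code from the original article), the Python script below applies the two reassembly sanity checks that the jolt2 and teardrop analyses above imply to raw IPv4 fragment headers: it parses Identification, MF and Fragment Offset as described in section 1, flags a fragment whose offset * 8 plus datagram length would exceed 65535, and flags a fragment that overlaps data already accepted under the same IP ID. The packets are constructed from the field values in the Snort captures (ID 1109, offset 0x1ffe, DgmLen 29; ID 242, offsets 0 and 0x3), not the captures themselves; the helper names and the 192.168.0.9 / 192.168.0.1 addresses are assumptions reused from the article's test setup.

```python
import struct

SRC = bytes([192, 168, 0, 9])   # sender and target from the article's test network
DST = bytes([192, 168, 0, 1])

def ipv4_fragment(ident, mf, offset_units, proto, payload):
    """Build a minimal IPv4 fragment (20-byte header + payload) for testing.
    offset_units is the 13-bit Fragment Offset field, in units of 8 bytes;
    DF is left 0 and the header checksum is left 0 (it is not verified here)."""
    flags_frag = (mf << 13) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 255, proto, 0, SRC, DST)
    return hdr + payload

def parse_fragment(pkt):
    """Return (id, mf, offset_bytes, dgm_len, ihl) from a raw IPv4 packet."""
    ver_ihl, _, dgm_len, ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    mf = (flags_frag >> 13) & 1
    offset = (flags_frag & 0x1FFF) * 8        # field value times 8, as in section 1
    return ident, mf, offset, dgm_len, ihl

def check_fragments(pkts):
    """Flag fragments whose reassembly is unsafe. Returns [(ip_id, reason)]."""
    findings = []
    accepted = {}                  # ip_id -> [start, end) byte spans already accepted
    for pkt in pkts:
        ident, _mf, offset, dgm_len, ihl = parse_fragment(pkt)
        # jolt2 / Ping o' Death: offset*8 + datagram length must not exceed 65535
        if offset + dgm_len > 65535:
            findings.append((ident, "oversize"))
            continue
        start, end = offset, offset + (dgm_len - ihl)
        # teardrop: the fragment lands inside data an earlier fragment already covers
        if any(start < e and end > s for s, e in accepted.get(ident, [])):
            findings.append((ident, "overlap"))
            continue
        accepted.setdefault(ident, []).append((start, end))
    return findings

# Constructed from the field values in the Snort captures (not the captures themselves)
JOLT2 = [ipv4_fragment(1109, 0, 0x1FFE, 1, bytes(9))]
TEARDROP = [ipv4_fragment(242, 1, 0x0, 17, bytes(36)),
            ipv4_fragment(242, 0, 0x3, 17, bytes(4))]
# Constructed legitimate case: a 2000-byte UDP datagram split at a 1500-byte MTU
NORMAL = [ipv4_fragment(7, 1, 0, 17, bytes(1480)),
          ipv4_fragment(7, 0, 1480 // 8, 17, bytes(520))]

if __name__ == "__main__":
    for name, pkts in (("jolt2", JOLT2), ("teardrop", TEARDROP), ("normal", NORMAL)):
        print(name, check_fragments(pkts))   # oversize, overlap, and no finding
```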
7. More information
-=-=-=-=-=-=-=-=-=-=-=-=-=

[1] TCP/IP Illustrated, Volume 1: The Protocols
[2] Microsoft Security Bulletin MS00-029: http://www.microsoft.com/technet/security/bulletin/ms00-029.asp
[3] Bugtraq mailing list, "Analysis of jolt2.c (MS00-029)": http://www.securityfocus.com/archive/1/62011
[4] http://www.attrition.org/security/denial/w/teardrop.dos.html
[5] http://packetstormsecurity.org/0005-exploits/jolt2.c
[6] http://packetstormsecurity.org/exploit_code_archive/teardrop.c

Author's blog:
http://blog.9cbs.net/zcatlinux/