This article briefly introduces the principle of IP fragmentation and, with the help of Snort capture results, analyses the principles and characteristics of common IP fragment attacks.
Finally it gives some suggestions for blocking IP fragment attacks. I hope it helps deepen the reader's understanding of the IP protocol and of some DoS attack methods.
1. Why IP fragmentation?
- = - = - = - = - = - = - = - = - = - = - =
The link layer has a property called the Maximum Transmission Unit (MTU), which limits the maximum length of a data frame; each network type has its own upper limit.
Ethernet's MTU is 1500, and you can view this value with the netstat -i command. If the IP layer has a packet to send and the length of the packet exceeds the MTU, the IP layer splits the packet into several fragments so that the length of each fragment is less than or equal to the MTU.
Suppose you want to send a UDP packet. Ethernet's MTU is 1500 bytes, a normal IP header is 20 bytes and the UDP header is 8 bytes, so the payload part is left with
1500-20-8 = 1472 bytes. If the data part is larger than 1472 bytes, fragmentation occurs.
The IP header contains the information needed for fragmentation and reassembly:
 ------------------------------------------------------------
|      Identification       | R | DF | MF |  FRAGMENT OFFSET  |
 ------------------------------------------------------------
|<---------- 16 ---------->|<--- 3 --->|<------- 13 ------->|
Identification: an identification value set by the sender that is unique per IP datagram; it is copied into every fragment when the datagram is fragmented.
R: reserved, unused.
DF: Don't Fragment bit; if this bit is 1, the IP layer will not fragment the datagram.
MF: More Fragments bit; every fragment of a datagram except the last must have this bit set to 1.
FRAGMENT OFFSET: the offset of this fragment from the start of the original datagram; the offset in bytes is this value multiplied by 8.
Furthermore, after the datagram is fragmented, the Total Length field of each fragment is changed to the length of that fragment.
Each IP fragment is routed independently. After reaching the destination host, the fragments are reassembled at the IP layer; as long as the information in the fragment headers is correct, reassembly completes properly.
You may ask: since fragments can be reassembled, how does a so-called fragment attack come about?
2. IP fragment attack
- = - = - = - = - = - = - = - = - = - = - =
The IP header uses two bytes to represent the total length of the IP datagram, so the largest IP datagram can only be 0xffff, that is 65535 bytes. If someone deliberately sends IP fragments whose reassembled total length exceeds 65535, some older system kernels run into problems when processing them,
leading to a crash or denial of service. In addition, if the offsets between the fragments are carefully constructed, some systems cannot handle them and crash.
So the root cause of the vulnerability lies in the reassembly algorithm. Below we analyse some well-known fragment attack programs one by one to understand how people use IP fragments to attack a system.
3. Ping o' Death
- = - = - = - = - = - = - = - = - = - = - =
Ping o' Death is a fragmentation attack using the ICMP protocol. The attacker sends an Echo Request packet whose length exceeds 65535 bytes; when the target host reassembles it, the 65535-byte buffer that was allocated in advance overflows, and the system usually crashes or hangs.
Isn't ping exactly a tool that sends ICMP Echo Request packets? Let's try it!
Ignoring the lengths of the IP and ICMP headers, and being as generous as possible with the data length, send a packet with 65535 bytes of data:
# ping -c 1 -s 65535 192.168.0.1
Error: packet size 65535 is too large. Maximum is 65507
No luck: it seems the ping that comes with Linux does not let us do anything bad. :)
The 65507 is computed as 65535-20-8 = 65507. The ping under Win2K is even stricter: it only allows 65500 bytes of data.
So you would have to find another program to send the packets, but newer versions of the operating systems have already fixed this defect, so you might as well
carry on reading this article.
By the way, I remember that in 1999 the "patriotic hackers" (the "Honker" seniors) organised the nation's netizens to launch, at an agreed moment,
a ping attack against a US site, trying to "ping the remote server to death". That was actually a ping flood attack: a large number of Echo Requests
overwhelm the target's response capacity and block its network. Its principle is different from Ping o' Death, and the two should be
distinguished.
4. jolt2
- = - = - = - = - = - = - = - = - = - = - =
jolt2.c sends ICMP/UDP IP fragments continuously in an endless loop, which can deadlock Windows systems.
I tested a Windows 2000 without any service pack: CPU utilisation immediately rose to 100%, and the mouse could not be moved.
We use Snort to capture the packets sent with the ICMP and UDP protocols respectively.
ICMP packet sent:
01/07-15:33:26.974096 192.168.0.9 -> 192.168.0.1
ICMP TTL:255 TOS:0x0 ID:1109 IpLen:20 DgmLen:29
Frag Offset: 0x1FFE   Frag Size: 0x9
08 00 00 00 00 00 00  .........
UDP packet sent:
01/10-14:21:00.298282 192.168.0.9 -> 192.168.0.1
UDP TTL:255 TOS:0x0 ID:1109 IpLen:20 DgmLen:29
Frag Offset: 0x1FFE   Frag Size: 0x9
04 D3 04 D2 00 09 00 00 61  ........a
From the results we can see:
* The fragmentation flag MF = 0, indicating that this is the last fragment.
* The offset is 0x1ffe, so the reassembled length is (0x1ffe * 8) + 29 = 65549 > 65535: an overflow.
* The IP ID is 1109, which can be used as a signature for IDS detection.
* ICMP packet:
  The type is 8 and the code is 0, i.e. Echo Request;
  The checksum is 0x0000, because the program does not compute one, so strictly speaking this ICMP packet is invalid.
* UDP packet:
  The destination port is specified by the user on the command line;
  The source port is derived from the destination port (1235 in this capture);
  The checksum is 0x0000 and, as with ICMP, is not computed, so the UDP packet is invalid;
  The payload is the single character 'a'.
jolt2.c should be able to spoof the source IP address, but the source program never assigns the user-supplied IP address to src_addr;
I don't know whether the author did this deliberately.
jolt2 has a distinctive feature: it sends continuously and the offset is very large. Not only does it deadlock unpatched Windows
systems, it also greatly increases network traffic. People who use jolt2 to simulate network load when testing an IDS's
attack-detection efficiency under high traffic are relying on exactly this feature.
5. TEARDROP
- = - = - = - = - = - = - = - = - = - = - =
Teardrop is also quite simple: by default it sends two UDP packets, which can crash some Linux kernels. The Snort capture
results are as follows:
First packet:
01/08-11:42:21.985853 192.168.0.9 -> 192.168.0.1
UDP TTL:64 TOS:0x0 ID:242 IpLen:20 DgmLen:56 MF
Frag Offset: 0x0   Frag Size: 0x24
A0 A8 86 C7 00 24 00 00 00 00 00 00 00 00 00 00  ....$...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00                                      ....
* MF = 1, offset = 0: the first fragment of the datagram.
* Structure:
|<------- 20 ------->|<---8-->|<----------- 28 ----------->|
 ----------------------------------------------------------
|         IP         |  UDP   |            DATA            |
 ----------------------------------------------------------
Second packet:
01/08-11:42:21.985853 192.168.0.9 -> 192.168.0.1
UDP TTL:64 TOS:0x0 ID:242 IpLen:20 DgmLen:24
Frag Offset: 0x3   Frag Size: 0x4
A0 A8 86 C7  ....
* MF = 0, offset = 0x3, i.e. an offset of 0x3 * 8 = 24 bytes: the last fragment.
* Structure:
|<------- 20 ------->|<-4->|
 --------------------------
|         IP         |DATA |
 --------------------------
If the source code is modified, the offset of the second IP packet can also be 0x4, i.e. an offset of 0x4 * 8 = 32 bytes.
The following diagram shows the reassembly process at the receiving end for the two cases, an offset of 24 bytes and an offset of 32 bytes (the offset is measured from the start of the first fragment's payload):
|<------- 20 ------->|<---8-->|<----------- 28 ----------->|
 ----------------------------------------------------------
|         IP         |  UDP   |            DATA            |
 ----------------------------------------------------------
                     |
                     |<---------- 24 ---------->|DATA|
                     |                          |<4->|
                     |
                     |<------------- 32 ------------->|DATA|
                     |                                |<4->|
It can be seen that the offset of the second IP packet is less than the end position of the first fragment, and even counting the DATA of the second packet it does not
extend beyond the end of the first fragment: this is an overlap. Old Linux kernels (1.x - 2.0.x) have a problem handling this
kind of overlap, and WinNT/95 will also crash after receiving 10 to 50 Teardrop fragments. You can
read the source code of teardrop.c to learn how this packet is constructed and sent.
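The two defects described above (jolt2's oversized reassembled length and Teardrop's overlapping fragments) can both be checked with the same bookkeeping a reassembly routine or an IDS would do. The following is an added example, not code from the article or from either tool: it models fragments using the fields Snort printed (ID, Frag Offset, Frag Size, MF), feeds in the values from the captures above as constructed input, and also checks the RFC 791 rule that every non-final fragment must carry a multiple of 8 bytes. A 20-byte IP header without options is assumed.

```python
from dataclasses import dataclass

IP_HDR_LEN = 20      # assumed: header without options (IHL = 5)
MAX_IP_LEN = 65535   # limit of the 16-bit Total Length field


@dataclass(frozen=True)
class Fragment:
    ident: int    # IP Identification, shared by all fragments of one datagram
    offset: int   # Fragment Offset field, in 8-byte units
    size: int     # payload bytes carried by this fragment (Snort's "Frag Size")
    mf: bool      # More Fragments flag

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + self.size


def reassembled_length(frags):
    """Total length, header included, of the datagram reassembly would build."""
    return IP_HDR_LEN + max(f.end for f in frags)


def check_fragments(frags):
    """Return the anomalies found among one datagram's fragments."""
    if len({f.ident for f in frags}) != 1:
        raise ValueError("fragments do not share one Identification value")
    findings = []
    # jolt2: offset*8 + size pushes the datagram past the 16-bit length limit
    if reassembled_length(frags) > MAX_IP_LEN:
        findings.append("oversize")
    # RFC 791: every fragment except the last must carry a multiple of 8 bytes
    if any(f.mf and f.size % 8 != 0 for f in frags):
        findings.append("bad-length")
    # Teardrop: a fragment begins before the preceding one (by offset) has ended
    ordered = sorted(frags, key=lambda f: f.start)
    if any(b.start < a.end for a, b in zip(ordered, ordered[1:])):
        findings.append("overlap")
    return findings


# Constructed inputs, copied from the Snort records quoted in the article
JOLT2 = [Fragment(1109, 0x1FFE, 0x9, False)]
TEARDROP = [Fragment(242, 0x0, 0x24, True), Fragment(242, 0x3, 0x4, False)]
# Well-formed contrast case: a 2000-byte UDP datagram split for a 1500-byte MTU
NORMAL = [Fragment(7, 0, 1480, True), Fragment(7, 185, 528, False)]

if __name__ == "__main__":
    for name, frags in (("jolt2", JOLT2), ("teardrop", TEARDROP), ("normal", NORMAL)):
        print(name, reassembled_length(frags), check_fragments(frags))
```

The modified Teardrop variant with offset 0x4 is caught the same way, since 32 is still less than the first fragment's end at byte 36.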
6. How to prevent IP fragment attacks
- = - = - = - = - = - = - = - = - = - = - =
* Windows systems: apply the latest service pack; current Linux kernels are not affected.
* If possible, drop fragmented packets at the network boundary, or use iptables to limit the number of fragments per second.
* If the firewall has a fragment-reassembly function, make sure that it has no problem of its own, otherwise the whole network behind it can be hit by the DoS.
* On Win2K, customise the IP security policy and enable "fragment check".
7. More information
- = - = - = - = - = - = - = - = - = - = - =
[1] TCP/IP Illustrated, Volume 1: The Protocols
[2] Microsoft Security Bulletin MS00-029:
http://www.microsoft.com/technet/security/bulletin/ms00-029.asp
[3] Bugtraq Mailing List, "Analysis of jolt2.c (ms00-029)":
http://www.securityfocus.com/archive/1/62011
[4] http://www.attrition.org/security/denial/w/teardrop.dos.html
[5] http://packetStormsecurity.org/0005-exploits/jolt2.c
[6] http://packetStormsecurity.org/exploit_code_archive/teardrop.c