IP fragment attack

Source: original to this site. Category: CISCO.


Posted 2007-04-22 09:29

The so-called tiny fragment attack is a technique in which an attacker deliberately sends extremely small fragments in order to evade packet-filtering systems or intrusion detection systems. By manipulating fragmentation, the attacker can spread the TCP header (normally 20 bytes) across two fragments, so that the destination port number ends up in the second fragment.
Packet-filtering devices and intrusion detection systems decide whether to permit or deny traffic primarily by examining the destination port number. Because the malicious fragmentation places the destination port number in the second fragment, the packet filter inspects only the first fragment and, on that basis, decides whether the subsequent fragments are allowed through. Once these fragments are reassembled on the target host, they form the actual attack traffic. In this way some intrusion detection systems and security filtering systems can be circumvented.

Understanding IP fragmentation
When the IP protocol transmits a datagram, it may split it into several fragments, send them separately, and reassemble them at the destination system. This process is called fragmentation. IP fragmentation occurs when the IP datagram to be sent is larger than the maximum transmission unit (MTU). For example, in an Ethernet environment the largest IP datagram that can be transmitted (the MTU) is 1500 bytes; a datagram larger than 1500 bytes has to be fragmented before it is sent. Fragmentation is therefore a routine event on a network. However, deliberately crafted malicious fragments can become an attack technique that causes denial of service or bypasses routers, firewalls, and network intrusion detection systems (NIDS).
So that the fragments can be reassembled correctly after reaching the destination host, each fragment carries the following information:
* Fragments are reassembled according to their IP fragment identification number; fragments with the same identification number are reassembled into the same IP datagram. The identification number is 16 bits long and is called the "IP identification number" or "fragment ID".
* Each fragment carries a fragment offset that gives its position within the original, unfragmented datagram.
* Each fragment carries the length of its data; the 20-byte IP header is not counted in that length. For example, when a 1500-byte packet is transmitted, the actual data length is 1480 (1500 - 20) bytes.
* When further fragments follow a fragment, that fragment's MF (More Fragments) flag is set to 1.
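The following is an added example, not code from the original post or from the paper quoted below. It ties the two passages above together: it builds an IPv4/TCP datagram, fragments it the way a sender would, decodes from each fragment the four fields the list above names (identification number, offset, data length, MF flag), flags a first fragment too short to carry the whole TCP header (the condition the tiny fragment attack relies on, checked in the style of RFC 1858's direct method), and reassembles the pieces. The 20-byte minimum, the addresses 10.0.0.1 and 10.0.0.2, port 22, the identification values and the payload are all constructed for the demonstration; the English paper's list of reassembly rules further down restates the same four fields.

```python
"""Added example (not from the original post): fragment an IPv4/TCP datagram,
decode the reassembly fields of each fragment, flag a tiny first fragment, and
reassemble. Standard library only; every address and value here is constructed."""
from __future__ import annotations

import struct
from dataclasses import dataclass

IP_HDR_LEN = 20      # fixed IPv4 header with no options (assumed throughout)
TCP_HDR_LEN = 20     # fixed TCP header with no options
MF_FLAG = 0x2000     # "More Fragments" bit in the IPv4 flags/offset field
FRAG_UNIT = 8        # the fragment offset is counted in 8-byte units


@dataclass
class Fragment:
    ident: int        # 16-bit identification number ("fragment ID")
    mf: bool          # More Fragments flag
    offset: int       # byte offset of this fragment's data in the original payload
    proto: int        # IP protocol number (6 = TCP)
    data: bytes       # fragment data, IP header excluded


def parse_ipv4(pkt: bytes) -> Fragment:
    """Decode the fields a packet filter or reassembler needs from a raw IPv4 packet."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    return Fragment(ident=ident,
                    mf=bool(flags_off & MF_FLAG),
                    offset=(flags_off & 0x1FFF) * FRAG_UNIT,
                    proto=proto,
                    data=pkt[ihl:total_len])   # data length = total length - header length


def build_ipv4(payload: bytes, ident: int, offset: int, mf: bool, proto: int = 6) -> bytes:
    """Build an IPv4 packet (checksum left zero; enough for parsing, not for sending)."""
    assert offset % FRAG_UNIT == 0, "fragment offsets must be multiples of 8 bytes"
    flags_off = (MF_FLAG if mf else 0) | (offset // FRAG_UNIT)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload), ident,
                      flags_off, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def fragment(payload: bytes, ident: int, mtu: int) -> list[bytes]:
    """Split one IP payload into fragments that fit the given MTU, as a sender would."""
    chunk = (mtu - IP_HDR_LEN) // FRAG_UNIT * FRAG_UNIT   # largest 8-byte-aligned piece
    out = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        out.append(build_ipv4(piece, ident, off, mf=(off + len(piece)) < len(payload)))
    return out


def is_tiny_first_fragment(frag: Fragment, min_len: int = TCP_HDR_LEN) -> bool:
    """RFC 1858-style direct check: a fragmented TCP first fragment (offset 0) that
    carries fewer than min_len bytes leaves the transport header incomplete, so a
    filter cannot decide on it. The 20-byte default is our assumption, not the page's."""
    return frag.proto == 6 and frag.offset == 0 and frag.mf and len(frag.data) < min_len


def reassemble(frags: list[Fragment]) -> bytes | None:
    """Reassemble fragments that share one ID; None while a piece is missing or
    the pieces overlap (a reassembler should never hand over a guessed datagram)."""
    frags = sorted(frags, key=lambda f: f.offset)
    expected, buf = 0, bytearray()
    for f in frags:
        if f.offset != expected:
            return None
        buf += f.data
        expected += len(f.data)
    return bytes(buf) if frags and not frags[-1].mf else None


def demo() -> dict:
    """Constructed SYN to port 22 plus 100 bytes of data, fragmented two ways."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    payload = tcp + b"X" * 100
    normal = [parse_ipv4(p) for p in fragment(payload, ident=0x1234, mtu=96)]   # 72-byte pieces
    tiny = [parse_ipv4(p) for p in fragment(payload, ident=0x1235, mtu=28)]     # 8-byte pieces
    return {
        "normal_flagged": any(is_tiny_first_fragment(f) for f in normal),
        "tiny_flagged": is_tiny_first_fragment(tiny[0]),
        "normal_reassembled": reassemble(normal) == payload,
        "tiny_reassembled": reassemble(tiny) == payload,
        "missing_piece": reassemble(tiny[1:]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the demo makes is that both fragment sets reassemble to the identical datagram on the host, so only the first fragment's length distinguishes them in transit; a filter that wants to decide on the TCP header has to enforce a minimum length for offset-0 fragments rather than trust that the header arrives in one piece.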

————————————————————————————————————

An Analysis of Fragmentation Attacks
Jason Anderson
March 15, 2001

Introduction

Fragmentation is the term given to the process of breaking down an IP datagram into smaller packets to be transmitted over different types of network media and then reassembling them at the other end. This process is an integral part of the IP protocol and is covered in depth in RFC 791.

This paper will give a brief description of fragmentation, describe some common fragmentation attacks and look at some of the measures used to prevent them. It will also discuss some of the problems fragmentation attacks have on two widely used commercial firewall and IDS packages.

IP Fragmentation

So what is fragmentation and is it always bad?

Well, the answer to this question is a definite no. As discussed earlier, fragmentation is an integral part of the IP protocol, and without it the Internet could not operate as we know it today.

Fragmentation is necessary in order for traffic that is being sent across different types of network media to arrive successfully at its intended destination. The reason for this is that different types of network media and protocols have different rules about the maximum size allowed for a datagram on their network segment. This is known as the maximum transmission unit, or MTU.

So, in order to transmit a datagram across a network segment whose MTU is smaller than the packet to be transmitted, fragmentation is required.

In order for a fragmented packet to be successfully reassembled at the destination each fragment must obey the following rules:

  • Must share a common fragment identification number, also known as the fragment ID.
  • Each fragment must say what its place or offset is in the original unfragmented packet.
  • Each fragment must tell the length of the data carried in the fragment.
  • Finally, the fragment must indicate whether more fragments follow this one.

All of this information is contained in the IP header. The header is placed in an IP datagram, followed by the encapsulated fragment (TCP/IP for Firewalls and Intrusion Detection course notes, SANS Darling Harbour).

The following diagram shows the breakdown of an IP fragment, displaying the elements stated above.

Source: CCIE那点事, http://www.jdccie.com/ (original article: http://www.jdccie.com/?p=1722).