4-1 IP Behavior II – SANS GIAC LevelTwo - ©2000, 2001
Slide 4-1: IP Behavior II – Fragmentation

Hello, my name is Judy Novak. I work for Jacob and Sundstrom in the Computer Security and Incident Response Team at the Army Research Lab as a security analyst. Stephen Northcutt invited me to develop this talk because fragmentation is so important to understand if you are responsible for computer and network security. I’d like to take a moment to give credit and gratitude to my technical editor, Bill Ralph of the Naval Surface Warfare Center Shadow team.

Attackers use fragmentation to mask their probes and exploits. Some intrusion detection systems do not support packet reassembly and therefore do not detect activity where the signature is split over multiple datagrams. There are availability, or denial of service, attacks such as ssping that use highly fragmented traffic to exhaust system resources. Finally, some sophisticated persons of mal-intent use fragmentation to try to circumvent filtering routers. These are all reasons that you may want to learn about fragmentation, the topic of this webcast. By understanding how this facet of IP works, you will be equipped to detect and analyze fragmented traffic and discover whether it is normal fragmentation or fragmentation used for other purposes.

Slide 4-2: Objectives
• Discuss fragmentation concepts
• Examine “normal” fragmentation
• Examine “abnormal” fragmentation

We will look at fragmentation to see what is happening at the datagram level. We need to be aware of “normal” fragmentation before we can identify “abnormal”; we’ll examine both of these in today’s webcast.

Slide 4-3: Normal Fragmentation

Fragmentation can be a very normal and naturally occurring effect of traffic travelling among variously sized networks. We will consider the theory and composition of normal fragmentation first to acquaint you with how it should operate.
Slide 4-4: Fragmentation Theory
• Occurs when maximum transmission unit (MTU) smaller than datagram
• Reassembled by destination host
• Can be used to bypass routers or intrusion detection systems

The next slide is titled “Fragmentation theory”. Fragmentation occurs when an IP datagram travelling on a network has to traverse a network with a maximum transmission unit (MTU) that is smaller than the size of the datagram. For instance, for Ethernet, the maximum transmission unit, or maximum size for an IP datagram, is 1500 bytes. If a datagram needs to traverse an Ethernet network and is larger than 1500 bytes, it will have to be fragmented by the router that is directing it onto the Ethernet network. Fragmentation can also occur when a host needs to put a datagram on the network that exceeds the MTU; in some instances this will be fragmented. Fragments will continue on to their destination, where they will be reassembled by the destination host. It is even possible for fragments to become further fragmented if they cross a link with an MTU smaller than the fragment size. While fragmentation is a perfectly normal and naturally occurring event, it is possible to craft fragments for the purpose of avoiding detection by routers and intrusion detection systems that don’t deal well with fragmentation.

Slide 4-5: More Fragmentation Theory
• Reassembled by the receiving host
• All fragments:
  – Must share a common fragment identification number
  – Must tell what offset in original unfragmented datagram
  – Must tell length of data payload
  – Must tell whether another fragment follows this one
• Each fragment encapsulated in IP datagram

Continuing with concepts on slide “More fragmentation theory”, we examine what kind of information the fragments must carry for the destination host to reassemble them back to the original unfragmented state. This information is:
• A common fragment identification number.
This is cloned from a field in the IP header known as the IP identification number, also called the fragment ID.
• Each fragment must say what its place, or offset, is in the original unfragmented packet.
• Each fragment must tell the length of the data carried in the fragment.
• Finally, the fragment must tell whether more fragments follow this one.

This information will be contained in the IP header. The IP header will be placed in an IP datagram followed by an encapsulated fragment. All TCP/IP traffic must be wrapped within IP because IP is the protocol responsible for getting the packet delivered.

Slide 4-6: The Fragment ID
• Each fragment has identifying number - fragment ID
• Taken from IP identification field
• Value set by a host sending datagram
• Value usually increases by 1 for each new datagram sent
• tcpdump output of unfragmented datagram IP identification value:
  ping.com > 192.168.244.2: icmp: echo request (ttl 240, id 202)

Slide “The fragment ID” examines the origin of the field that identifies fragments. The IP identification value is a 16 bit field found in the IP header of all datagrams. This uniquely identifies each datagram sent by the host. Typically, this value is incremented by 1 for each datagram sent by that host. When the datagram becomes fragmented, all fragments created from this datagram will contain this same IP identification number, or fragment ID. The tcpdump output in this slide shows an IP identification number of 202 for a datagram that is not fragmented. If this datagram were to be fragmented on the way to its destination, all fragments created from it would share a fragment ID of 202. This tcpdump output was generated using the -vv option. This is a verbose option which says to list the time to live value and the IP identification value along with the normal output.
Slide 4-7: Ethernet Datagram Packaging
Ethernet (MTU = 1500): 20 byte IP header | 1480 bytes of embedded data

Turning to the slide “Ethernet datagram packaging”, we see that a datagram travelling on Ethernet has a maximum transmission unit of 1500 bytes. Each datagram must have an IP header, which is typically 20 bytes but can be more if IP options are included. If you recall, the IP header contains information such as the source and destination IP numbers. It is considered the “network” portion of the IP datagram since routers use the information found in the IP header to direct the datagram towards its destination. Encapsulated after the IP header is some kind of data. This data can be an IP protocol such as tcp, udp or ICMP. For instance, if this data were tcp, it would include a tcp header and tcp data.

Slide 4-8: Fragmentation using ICMP echo request
IP header (20) | ICMP header (8) | 4000 bytes of ICMP data = 4028 total bytes in IP datagram
Ethernet MTU = 1500: 1500 bytes | 1500 bytes | 1068 bytes (ICMP echo request)
Original 4028 byte datagram broken into 3 fragments of 1500 bytes or less

On slide “Fragmentation using an ICMP echo request”, we have a datagram of 4028 bytes. This is an ICMP echo request bound for an Ethernet network that has an MTU of 1500. So, the 4028 byte datagram will have to be divided into fragments of 1500 bytes or less. Each of these 1500 byte fragments will have a 20 byte IP header, so that leaves a maximum of 1480 bytes of data for each fragment. Let’s examine what each of the three individual fragments looks like. Normally, you shouldn’t encounter a 4,000+ byte echo request. And, if you do, examine it until you become cross-eyed because something isn’t kosher. The reason that this was used for the example and for instructive purposes is that in the Windows ping, there is a -l switch that allows you to say how big you want the echo request to be.
This allowed the generation and capture by tcpdump of the packets you see in the upcoming several slides, to validate that all the information delivered to you is correct.

Slide 4-9: The Breakdown
Pre-fragmented IP datagram: IP header (20) | ICMP header (8) | 4000 bytes of ICMP data = 4028 total bytes
Fragment 1: IP header (20) | ICMP header (8) | 1472 ICMP data = 1500
Fragment 2: IP header (20) | 1480 ICMP data = 1500
Fragment 3: IP header (20) | 1048 ICMP data = 1068
1472 + 1480 + 1048 = 4000 bytes of ICMP data

Looking at the slide “The Breakdown”, let’s see how each fragment is actually formed. Before the IP datagram is sent on the link that has an MTU of 1500 bytes, we see that it has a total of 4028 bytes. What we have seen is that this IP datagram will be divided into three separate fragments, each with a cloned IP header. The original header is paired with the first fragment, and two new headers of 20 bytes each have to be created for the second and third fragments. So, we really need a total of 4068 bytes to send all of this traffic. The first fragment gets the original IP header, along with the 8 bytes of the ICMP header, for a running total of 28 bytes. With a maximum datagram size of 1500 bytes, 1472 bytes remain for ICMP data. The second fragment gets a cloned IP header of 20 bytes, and has the remaining 1480 bytes for ICMP data. The final fragment again gets a 20 byte IP header and carries the final 1048 bytes of ICMP data. As a cross check, we see that we have 1500 + 1500 + 1068 bytes sent for a total of 4068 bytes.

Slide 4-10: The first fragment
IP header (20) | ICMP header (8) | ICMP echo request data (1472) = 1500 total bytes
Offset = 0, Length = 1480, More Fragments = 1

Looking at the slide “The first fragment” we turn our concentration to the initial fragment in the fragment train. The “original” IP header will be cloned so that the first and remaining fragments carry identical fragment identification numbers.
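To make the arithmetic on these slides concrete, here is an added example (not part of the SANS webcast material) that derives the fragment train for the slides' 4028-byte echo request crossing a 1500-byte Ethernet MTU; the function names are my own, and the rule that every fragment but the last carries a multiple of 8 bytes comes from the IP header storing offsets in 8-byte units.

```python
# Added example, not from the SANS slides: derive the fragment train for a
# datagram that exceeds a link MTU, using the slides' 4028-byte ICMP echo
# request (20-byte IP header + 8-byte ICMP header + 4000 bytes of data).
HEADER_LEN = 20  # IP header without options, as on the slides


def fragment(payload_len, mtu, header_len=HEADER_LEN):
    """Return (offset, length, more_fragments) for each fragment.

    payload_len is everything after the IP header (8 + 4000 = 4008 bytes for
    the slides' echo request). Every fragment but the last carries a multiple
    of 8 bytes because the IP header stores the offset in 8-byte units.
    """
    max_payload = (mtu - header_len) // 8 * 8   # 1480 for Ethernet
    if max_payload <= 0:
        raise ValueError("MTU too small to carry an IP header and data")
    if payload_len <= mtu - header_len:
        return [(0, payload_len, 0)]            # fits: no fragmentation
    frags, offset = [], 0
    while offset < payload_len:
        length = min(max_payload, payload_len - offset)
        more = 1 if offset + length < payload_len else 0
        frags.append((offset, length, more))
        offset += length
    return frags


def icmp_data_per_fragment(frags, icmp_header_len=8):
    """ICMP *data* bytes per fragment: only the offset-0 fragment carries the
    ICMP header, which is why the slide shows 1472 / 1480 / 1048."""
    return [length - icmp_header_len if offset == 0 else length
            for offset, length, _ in frags]


def wire_bytes(frags, header_len=HEADER_LEN):
    """Total bytes on the wire once every fragment has its own IP header."""
    return sum(header_len + length for _, length, _ in frags)


if __name__ == "__main__":
    train = fragment(8 + 4000, 1500)
    for offset, length, more in train:
        print(f"offset={offset:5d} (header field {offset // 8:3d}) "
              f"length={length:4d} MF={more}")
    print("ICMP data per fragment:", icmp_data_per_fragment(train))  # [1472, 1480, 1048]
    print("bytes on the wire:", wire_bytes(train))                   # 4068
```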
Remember, all fragments must be carried in an IP datagram. An IP datagram requires an IP header to direct it to its destination. The first fragment is the only one that will carry with it the ICMP message pseudo-header. As we see, the first fragment has a 0 offset, a length of 1480 bytes, 1472 bytes of data and 8 of ICMP header, and more fragments follow, so the more fragments flag is set.

[...]

Slide 4-12: Composition of the second fragment
Second fragment: IP header (20) | 1480 ICMP data bytes = 1500 total bytes in IP datagram
Protocol = ICMP, Fragment ID = 21223, More Fragments Flag = 1, Fragment Offset = 1480, Data Length = 1480

Continuing with fragmentation on slide “Composition of the second fragment”, ...

... datagrams to be smaller than the MTU of 308 so fragmentation doesn’t occur, or remove the DF flag so fragmentation can occur, and then resend the datagram.

Slide 4-19: Malicious Fragmentation

We now examine the topic of fragmentation used for purposes other than the intended ones.

Slide 4-20: Ping O’ Death fragmentation attack
• Uses fragmented ICMP packets for denial of service
...

... length
  – The more fragments flag
• DF flag can be used for MTU discovery to avoid fragmentation
• Fragmentation can be used for malicious purposes

As slide “Fragmentation review” discusses, we’ve seen where fragmentation is a normal occurrence for a datagram travelling from a larger to a smaller network. If a datagram requires fragmentation along the ...
... the first fragment

Slide 4-11: Composition of the first fragment
First fragment: IP header (20) | ICMP header (8) | 1472 ICMP data bytes = 1500 total bytes in IP datagram
Protocol = ICMP, Fragment ID = 21223, More Fragments Flag = 1, Fragment Offset = 0, Data Length = 1480
ICMP pseudo-header: Type = ICMP echo request

Slide “Composition of the first fragment” explains the configuration of the first fragment in the fragment ...

... d) The fragment ID

Slide 4-31: IP Behavior Quiz
7) The Ping O’ Death exploit uses fragmentation to attempt a denial of service by:
a) Sending fragments out of order
b) Sending fragments that when reassembled exceed the maximum IP datagram size
c) Sending fragments that exceed the MTU size
d) Sending very small fragments
...

... reassemble fragments
2) The first fragment in a normal fragment train will have the following:
a) The don’t fragment flag set and a zero offset
b) The more fragments flag set and a zero offset
c) The don’t fragment flag set and a non-zero offset
d) The more fragments flag set and a non-zero offset

Slide 4-29: IP Behavior ...

... avoid fragmentation

Slide 4-18: tcpdump output with DF flag set and fragmentation required
11:30:55.270000 router.ru > mail.mysite.com: icmp: host.ru unreachable - need to frag (mtu 308) (DF)
Diagram: mail.mysite.com sends traffic to host.ru with DF set; router.ru, MTU = 308: datagram too big, can’t fragment

On slide “tcpdump output with the DF flag set and fragmentation ...
... devices in a while.

Slide 4-13: The third fragment
IP header (20) | 1048 ICMP data = 1068 total bytes
Offset = 2960, Length = 1048, More Fragments = 0

Looking at the slide “The third fragment” we examine the final fragment in the fragment train. Again, an IP header will be cloned from the “original” header with an identical fragment identification number, ...

Slide: Ping O’ Death
Diagram: Hostile Host sends Frag 1, Frag 2, Frag 3 ... Frag x, total byte length of fragments > 65,535; Victim Host: reassembled length > 65,535 (limit 65535)

In the pictorial representation of “Ping O’ Death” slide, we see a hostile host crafting an oversized IP datagram from smaller fragments. When the victim host receives these fragments and attempts to reassemble ...

... attack used. While the teardrop attack used overlapping fragments, this appears to be exploiting some kind of vulnerability with a “gap” in fragments.

Slide 4-26: Unnamed Attack
evilfrag.com.139 > target.net.139: udp 10 (frag 242:18@0+)
evilfrag.com > target.net: (frag 242:116@48)
Diagram: Fragment 1: Byte 0 to Byte 17; Missing Data; Fragment 2: Byte 48 to Byte 163

As we study ...
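The tcpdump frag notation shown above (id:length@offset, with a trailing + when More Fragments is set) can be checked mechanically for the abnormal shapes this section describes. The following Python is an added example, not from the SANS material: the lines for ID 242 are the slide's, the lines for ID 999 are constructed, the 20-byte IP header is an assumption, and the checks flag a gap, an overlap, and a reassembled length over 65,535 bytes.

```python
# Added example, not from the SANS slides: parse tcpdump's "frag id:len@off+"
# notation and check each fragment train for the abnormal shapes the slides
# describe: a gap (the unnamed attack), overlap (teardrop), oversize (Ping O' Death).
import re
from collections import defaultdict

FRAG_RE = re.compile(r"frag (\d+):(\d+)@(\d+)(\+?)")
MAX_DATAGRAM = 65535   # largest total length the 16-bit IP length field allows
IP_HEADER_LEN = 20     # assumed, as on the slides (no IP options)


def parse_frags(lines):
    """Group (offset, length, more_fragments) tuples by fragment ID."""
    trains = defaultdict(list)
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            frag_id, length, offset, more = m.groups()
            trains[int(frag_id)].append((int(offset), int(length), more == "+"))
    return trains


def check_train(frags):
    """Return findings for one fragment train; an empty list means it looks normal."""
    findings = []
    expected = 0                      # next byte a normal train would supply
    for offset, length, _ in sorted(frags):
        if offset > expected:
            findings.append(f"gap: bytes {expected}-{offset - 1} missing")
        elif offset < expected:
            findings.append(f"overlap: fragment at {offset} rewrites bytes up to {expected - 1}")
        expected = max(expected, offset + length)
    if sorted(frags)[-1][2]:
        findings.append("last fragment still has More Fragments set")
    if expected + IP_HEADER_LEN > MAX_DATAGRAM:
        findings.append(f"reassembled length {expected + IP_HEADER_LEN} exceeds {MAX_DATAGRAM} (Ping O' Death)")
    return findings


# Constructed sample: the two lines from the "Unnamed Attack" slide plus a
# made-up oversized train (ID 999) of the Ping O' Death shape.
SAMPLE = [
    "evilfrag.com.139 > target.net.139: udp 10 (frag 242:18@0+)",
    "evilfrag.com > target.net: (frag 242:116@48)",
    "bad.host > victim.host: icmp: echo request (frag 999:1480@0+)",
    "bad.host > victim.host: (frag 999:1480@65120)",
]

if __name__ == "__main__":
    for frag_id, frags in parse_frags(SAMPLE).items():
        print(frag_id, check_train(frags) or ["normal"])
```

For ID 242 the checker reports the 30 missing bytes between the two fragments, which is exactly the “gap” the slide draws; for a normal train such as the three echo request fragments earlier in this section it reports nothing.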