ITIS 6167/8167: Network and Information Security

1
ITIS 6167/8167 Network and Information Security

• Weichao Wang

2
Contents

• IP fragmentation and attacks
• IP protocol
• IP fragmentation
• Attacks
• Mitigation mechanisms

3
(No Transcript)
4
IP protocol and fragmentation

• IP layer provides the fundamental service in
  Internet unreliable, connectionless, and
  best-effort based packet delivery
• Unreliable packet may lost, duplicated, delayed,
  out of order
• Connectionless every packet is handled
  independently
• Best-effort no quality guarantee

5

• IP protocol will
• Define the format of IP packet
• Routing
• Determine
• Packet processing procedures
• Error reporting and handling procedures
• When the packets can be discarded

6
IP encapsulation

• In ethernet, frame type for IP is 0x0800

IP header IP Data
7
IP format
8

• Details of IP packet
• Vers current version is 4
• HLEN header length in 32 bit word. Usually is 5
  (20 byte), max can be 60 bytes (IP options)
• Type of services usually all 0 (best effort),
  can be used for diffserv and QoS.
• 3 bit of precedence, 4 bit of TOS, 1 bit unused
• TOS bit 1 (min delay), 2 (max throughput), 3 (max
  reliability), 4 (min cost)
• Total length 16 bit can represent 64K byte long
  packet

9

• Identification, flags, and offset used for
  fragmentation and reassemble (later)
• TTL time to live number of routers or seconds a
  packet can live.
• Every router will reduce this value by one. When
  reach 0, the packet will be discarded.
• Can be used to prevent routing loop
• Use TTL to implement traceroute

10

• -bash-3.1 ping -i 7 dell.com
• PING dell.com (143.166.224.244) 56(84) bytes of
  data.
• From kcm-edge-15.inet.qwest.net (65.120.164.89)
  icmp_seq1 Time to live exceeded
• From kcm-edge-15.inet.qwest.net (65.120.164.89)
  icmp_seq2 Time to live exceeded

11

• Type the high level protocol the IP packet
  contains ICMP (0x01), TCP (0x06), UDP (0x11)
• Header checksum
• calculate only over header
• Re-compute at every hop (why)
• Example an ICMP packet b/w 128.10.2.3 and
  128.10.2.8. Header length is 20 bytes.

12
(No Transcript)
13

• IP header options
• Record route option
• Intermediate routers will attach their IP address
  to the packet
• Timestamp option
• Intermediate router attach 32 bit timestamp
• Source routing option
• Strict source routing
• Loose source routing allow multiple hops b/w
  routers

14
(No Transcript)
15

• IP fragmentation
• Why do we need it
• MTU maximum transmission unit
• An IP packet can be as large as 65535 byte
• Different hardware have different MTU ethernet
  1500, FDDI 4470

16
(No Transcript)
17

• IP fragmentation
• Routers divide an IP datagram into several
  smaller fragments based on MTU
• Fragments use the same header format as the
  original datagram
• Each fragment is routed independently

18

• How to fragment
• IDENT unique number to identify an IP datagram
  fragments with the same identifier belong to the
  same IP datagram
• Fragment offset
• Specify where the data belong in the original
  packet
• Multiple of 8
• Use 13 bits (why do we only need 13 bits)

19

• FLAGs
• Bit 0 reserved
• Bit 1 do not fragment (if this bit is set and
  the MTU is not large enough, we send out ICMP to
  report this)
• Bit 2 more fragment this bit is turned off in
  the last segment. (why we need this bit so we
  can calculate the length of the original packet)

20
(No Transcript)
21

• Example
• Original packet header 400 400 400
• Header 1 FLAG 001, OFFSET 0
• Header 2 FLAG 001, OFFSET 400/850
• Header 3 FLAG 000, OFFSET 800/8100

22

• Fragment of fragment
• Need to pay special attention of the FLAG bits
• Reassemble
• Reassembled before delivered to higher layers
• Where to reassemble router or destination, why??
  (not only efficiency)
• Use a timer to handle lost fragment and discard
  the whole packet

23
(No Transcript)
24

• Malicious activities on fragmentation
• What if we never receive the last piece
• Overlapping fragment
• The reassembled packet is larger than the allowed
  IP packet size (how can attackers do this)

25

• Attack 1 DoS attack
• 1st fragment offset 0
• 2nd fragment offset 64800
• Result now the machine will allocate 64K memory,
  and usually will hold it for 15 to 255 seconds.
• Who are vulnerable Win2K, XP, most versions of
  UNIX

26

• Attack 2 TearDrop
• Fist packet
• payload size N,
• More fragment bit on
• 2nd fragment
• More fragment bit off
• Offset payload lt N
• If the user assume that the packet should become
  longer and longer, may cause machine crash

27

• Overlapping attacks against Firewall
• Many firewalls inspect packet without reassemble.
  If the TCP header is fragmented and the filter
  rule is based on TCP, it may fail
• Firewall examine the SYN bit
• Tiny fragment attack Firewall only check the
  first fragment. The minimum fragment is 68 bytes
  (ICMP requirement), but the SYN bit maybe fall
  into the 2nd fragment with IP option.
• Overlapping attack allow packet overlapping
  during reassemble. Then the checked segment may
  looks ok. But will be overlapped later.

28

• IP spoofing
• Spoofing
• An attacker sends packet with another nodes IP
  address
• Replies will be routed to the victim
• Egress filtering
• Remove packets that cannot come from your network
• Ingress filtering
• Remove packet from invalid address

29

• Router and Host
• Router usually connects to multiple networks
• Host only connect to one
• Routing table
• Used by routers to determine next hop
• When determining which entry to use, usually use
  the one with the longest match
• Next hop routing
• Destination IP address will not change, only the
  next hops MAC address is used

30

• Default route
• When no other entry matches the routing request
• Routing procedure
• Extract destination IP D and compute the network
  prefix N
• Is N the same network
• What is the routing entry with the longest match
• What is the default route
• Report error

31

• Handling income packets
• Host accept or discard, Do not forward. Why?
• Router
• Decrease TTL, recompute the checksum
• If TTL 0 drop the packet and send an error
  message to source