ITIS 6167/8167: Network and Information Security Weichao Wang
Contents • IP fragmentation and attacks • IP protocol • IP fragmentation • Attacks • Mitigation mechanisms
IP protocol and fragmentation • The IP layer provides the fundamental service of the Internet: unreliable, connectionless, best-effort packet delivery • Unreliable: packets may be lost, duplicated, delayed, or delivered out of order • Connectionless: every packet is handled independently • Best-effort: no quality guarantee
The IP protocol • Defines the format of the IP packet • Defines routing • Determines • Packet processing procedures • Error reporting and handling procedures • When packets can be discarded
IP encapsulation • In Ethernet, the frame type for IP is 0x0800 • [Figure: Ethernet frame payload = IP header followed by IP data]
Details of the IP packet • Vers: current version is 4 • HLEN: header length in 32-bit words. Usually 5 (20 bytes); max is 60 bytes (with IP options) • Type of service: usually all 0 (best effort); can be used for diffserv and QoS • 3 bits of precedence, 4 bits of TOS, 1 bit unused • TOS bit 1 (min delay), 2 (max throughput), 3 (max reliability), 4 (min cost) • Total length: 16 bits, so a packet can be up to 64K bytes long
Identification, flags, and offset: used for fragmentation and reassembly (later) • TTL: time to live: the number of routers or seconds a packet can live • Every router reduces this value by one; when it reaches 0, the packet is discarded • Can be used to prevent routing loops • TTL is what traceroute uses
-bash-3.1$ ping -i 7 dell.com
PING dell.com (143.166.224.244) 56(84) bytes of data.
From kcm-edge-15.inet.qwest.net (65.120.164.89) icmp_seq=1 Time to live exceeded
From kcm-edge-15.inet.qwest.net (65.120.164.89) icmp_seq=2 Time to live exceeded
Type (the protocol field): the higher-level protocol the IP packet carries: ICMP (0x01), TCP (0x06), UDP (0x11) • Header checksum: • Calculated only over the header • Re-computed at every hop (why?) • Example: an ICMP packet between 128.10.2.3 and 128.10.2.8. Header length is 20 bytes.
IP header options • Record route option • Intermediate routers attach their IP address to the packet • Timestamp option • Intermediate routers attach a 32-bit timestamp • Source routing option • Strict source routing • Loose source routing: allows multiple hops between the listed routers
IP fragmentation • Why do we need it? • MTU: maximum transmission unit • An IP packet can be as large as 65535 bytes • Different hardware has a different MTU: Ethernet 1500, FDDI 4470
IP fragmentation • Routers divide an IP datagram into several smaller fragments based on the MTU • Fragments use the same header format as the original datagram • Each fragment is routed independently
How to fragment • IDENT: unique number identifying an IP datagram; fragments with the same identifier belong to the same IP datagram • Fragment offset: • Specifies where the data belongs in the original packet • Multiple of 8 • Uses 13 bits (why do we only need 13 bits?)
FLAGs: • Bit 0: reserved • Bit 1: do not fragment (if this bit is set and the MTU is not large enough, we send an ICMP message to report it) • Bit 2: more fragments: this bit is turned off in the last fragment (why we need this bit: so we can calculate the length of the original packet)
Example: • Original packet: header + 400 + 400 + 400 • Header 1: FLAG = 001, OFFSET = 0 • Header 2: FLAG = 001, OFFSET = 400/8 = 50 • Header 3: FLAG = 000, OFFSET = 800/8 = 100
Fragment of a fragment • Need to pay special attention to the FLAG bits • Reassembly • Reassembled before delivery to higher layers • Where to reassemble: router or destination, why?? (not only efficiency) • Use a timer to handle lost fragments and discard the whole packet
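A worked version of the 400 + 400 + 400 example and of the fragment-of-a-fragment case above, as added code that is not part of the lecture. It assumes a 20-byte header without options; the MTU values and the IDENT value are constructed.

```python
# Added example (not from the lecture): split a datagram payload into fragments and
# emit the IDENT / FLAGS / OFFSET values each fragment header carries. FLAGS is written
# as in the slides, "reserved, DF, MF", e.g. "001" = more fragments follow.
IP_HEADER_LEN = 20  # assumes a header without options

def fragment(payload_len, mtu, ident=0x1234):
    """Return one dict per fragment for payload_len bytes of data sent over a link with this MTU."""
    max_data = (mtu - IP_HEADER_LEN) // 8 * 8  # non-final fragments must carry a multiple of 8 bytes
    if max_data <= 0:
        raise ValueError("MTU too small to carry any data")
    frags, pos = [], 0
    while pos < payload_len:
        size = min(max_data, payload_len - pos)
        last = pos + size >= payload_len
        frags.append({
            "ident": ident,                      # identical for every fragment of this datagram
            "flags": "000" if last else "001",   # MF cleared only on the last fragment
            "offset": pos // 8,                  # 13-bit field in 8-byte units (8191 * 8 covers 65535)
            "length": size,
        })
        pos += size
    return frags

def refragment(frag, mtu):
    """Fragment of a fragment: split an existing fragment again for a smaller MTU.
    Offsets stay relative to the original datagram and the LAST piece inherits the
    original MF bit, so only the true final fragment ever has MF cleared."""
    pieces = fragment(frag["length"], mtu, frag["ident"])
    for p in pieces:
        p["offset"] += frag["offset"]
    pieces[-1]["flags"] = frag["flags"]
    return pieces

def describe(frags):
    """Compact (flags, offset, length) view for printing or comparison."""
    return [(f["flags"], f["offset"], f["length"]) for f in frags]

if __name__ == "__main__":
    # The slide's example: 1200 bytes of data over a link whose MTU leaves room for 400 data bytes
    for f in describe(fragment(1200, mtu=420)):
        print(f)   # ('001', 0, 400), ('001', 50, 400), ('000', 100, 400)
    # Re-fragmenting the middle piece keeps MF set on its last part; the final piece keeps MF clear
    print(describe(refragment(fragment(1200, mtu=420)[1], mtu=228)))
```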
Malicious activities on fragmentation • What if we never receive the last piece? • Overlapping fragments • The reassembled packet is larger than the allowed IP packet size (how can attackers do this?)
Attack 1: DoS attack • 1st fragment: offset = 0 • 2nd fragment: offset = 64800 • Result: the machine will now allocate 64K of memory, and usually hold it for 15 to 255 seconds • Who is vulnerable: Win2K, XP, most versions of UNIX
Attack 2: TearDrop • First fragment: • payload size N • More fragments bit on • 2nd fragment: • More fragments bit off • Offset + payload < N • If the implementation assumes the packet should only get longer and longer, this may crash the machine
Overlapping attacks against firewalls • Many firewalls inspect packets without reassembling them. If the TCP header is fragmented and the filter rule is based on TCP, the filter may fail • The firewall examines the SYN bit • Tiny fragment attack: the firewall only checks the first fragment. The minimum fragment is 68 bytes (ICMP requirement), but with IP options the SYN bit may fall into the 2nd fragment • Overlapping attack: the receiver allows fragments to overlap during reassembly, so the fragment the firewall checked may look OK but is overwritten by a later fragment
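The receiver-side checks implied by the reassembly, DoS, TearDrop and firewall slides above, as added code that is not part of the lecture: the discard timer, rejecting fragments that would push the reassembled datagram past 65535 bytes, rejecting overlaps, and the tiny-fragment rule for TCP (the offset-8 rule is the one recommended in RFC 1858). Fragment values, the 30-second timeout and the dict layout are constructed assumptions.

```python
import time

MAX_DATAGRAM = 65535       # limit of the 16-bit total length field
IP_HEADER_LEN = 20
TCP_HEADER_LEN = 20        # minimum TCP header; the flags byte (SYN) is byte 13
REASSEMBLY_TIMEOUT = 30.0  # assumed: seconds to wait for missing pieces before discarding everything

def check_fragment(frag, accepted, proto="tcp"):
    """Return None if frag may enter the buffer, else a reason to drop it.
    frag / accepted entries: dict(offset=<13-bit field>, length=<payload bytes>, mf=<bool>)."""
    start, end = frag["offset"] * 8, frag["offset"] * 8 + frag["length"]
    if IP_HEADER_LEN + end > MAX_DATAGRAM:
        return "reassembled datagram would exceed 65535 bytes"
    if proto == "tcp" and frag["offset"] == 0 and frag["length"] < TCP_HEADER_LEN:
        return "tiny first fragment: TCP header (and SYN bit) pushed into the next fragment"
    if proto == "tcp" and frag["offset"] == 1:
        return "offset-8 fragment could overwrite the TCP flags after reassembly (RFC 1858)"
    for r in accepted:
        r_start, r_end = r["offset"] * 8, r["offset"] * 8 + r["length"]
        if start < r_end and r_start < end:
            return "overlaps a fragment already received (TearDrop / overlap-evasion pattern)"
    return None

class ReassemblyBuffer:
    """Per (src, dst, ident) buffer with the discard timer described in the slides."""
    def __init__(self, proto="tcp", now=None):
        self.proto, self.frags = proto, []
        self.deadline = (time.time() if now is None else now) + REASSEMBLY_TIMEOUT

    def add(self, frag, now=None):
        now = time.time() if now is None else now
        if now > self.deadline:          # last piece never came: give up and free the buffer
            self.frags = []
            return "timer expired: whole datagram discarded"
        reason = check_fragment(frag, self.frags, self.proto)
        if reason is None:
            self.frags.append(frag)
        return reason

    def complete(self):
        """True once fragments cover the datagram contiguously and the last one has MF clear."""
        pos, last_seen = 0, False
        for f in sorted(self.frags, key=lambda f: f["offset"]):
            if f["offset"] * 8 != pos:
                return False
            pos += f["length"]
            last_seen = not f["mf"]
        return bool(self.frags) and last_seen
```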
IP spoofing • Spoofing • An attacker sends packets with another node's IP address • Replies are routed to the victim • Egress filtering • Drop packets that cannot legitimately originate from your network • Ingress filtering • Drop packets from invalid addresses
Router and host • A router usually connects to multiple networks • A host connects to only one • Routing table • Used by routers to determine the next hop • When determining which entry to use, usually the one with the longest match is chosen • Next-hop routing • The destination IP address does not change; only the next hop's MAC address is used
Default route • Used when no other entry matches the routing request • Routing procedure • Extract destination IP D and compute the network prefix N • Is N the same network? • Which routing entry has the longest match? • Is there a default route? • Otherwise report an error
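The routing procedure above carried out in code, as an added example that is not part of the lecture: longest-prefix match, falling back to the default route, and an error when nothing matches. The routing table and all addresses are constructed; "direct" marks a directly connected network.

```python
# Added example (not from the lecture): longest-prefix match with a default route,
# following the slide's procedure, over a constructed routing table.
from ipaddress import ip_address, ip_network

ROUTES = [  # (network, prefix length, next hop) - constructed for a router on 128.10.2.0/24
    ("128.10.2.0", 24, "direct"),
    ("128.10.0.0", 16, "128.10.2.1"),
    ("10.0.0.0", 8, "10.1.1.1"),
    ("10.1.0.0", 16, "10.1.0.254"),   # more specific than 10/8 and must win the longest match
    ("0.0.0.0", 0, "192.0.2.1"),      # default route: matches everything with prefix length 0
]

def route(dest, routes=ROUTES):
    """Return (action, next_hop): ("direct", dest) when N is the router's own network,
    ("forward", hop) for the longest matching entry or the default route, and
    ("error", None) when no entry, not even a default, matches."""
    d = ip_address(dest)
    best = None
    for net, plen, hop in routes:
        if d in ip_network(f"{net}/{plen}") and (best is None or plen > best[0]):
            best = (plen, hop)      # keep the entry with the longest matching prefix
    if best is None:
        return ("error", None)
    if best[1] == "direct":
        return ("direct", dest)     # deliver on the local link using the host's MAC address
    return ("forward", best[1])     # destination IP unchanged; only the next hop's MAC is used

if __name__ == "__main__":
    for dest in ("128.10.2.8", "128.10.5.1", "10.1.2.3", "10.2.0.1", "203.0.113.9"):
        print(dest, route(dest))
```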
Handling incoming packets • Host: accept or discard; do not forward. Why? • Router: • Decrease TTL, recompute the checksum • If TTL = 0, drop the packet and send an error message to the source
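The header-checksum example from the packet-details slide (an ICMP packet between 128.10.2.3 and 128.10.2.8 with a 20-byte header) and the router's per-hop step on this slide, worked through as added code that is not part of the lecture. The total length of 84, the identification value and the DF flag are constructed.

```python
# Added example (not from the lecture): build the slide's example header, compute its
# checksum, then apply the router step (TTL - 1, recompute) and see why the checksum
# must be recomputed at every hop.
import struct

def ip_checksum(header: bytes) -> int:
    """One's complement of the one's-complement sum of the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src, dst, proto=1, ttl=64, total_len=84, ident=0x1234):
    """20-byte IPv4 header (version 4, HLEN 5, TOS 0, DF set) with the checksum filled in."""
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000,
                      ttl, proto, 0, to_bytes(src), to_bytes(dst))   # checksum field is 0 while summing
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def verify(header: bytes) -> bool:
    """Summing a header that already carries a correct checksum yields 0."""
    return ip_checksum(header) == 0

def forward(header: bytes):
    """Router step from the slide: decrement TTL and recompute the checksum. None means
    drop (a TTL that hits 0 also triggers the ICMP time-exceeded error seen in the ping output)."""
    if not verify(header):
        return None                             # corrupted header: discard
    ttl = header[8] - 1
    if ttl <= 0:
        return None
    hdr = header[:8] + bytes([ttl]) + header[9:10] + b"\x00\x00" + header[12:]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

if __name__ == "__main__":
    h = build_header("128.10.2.3", "128.10.2.8")
    print("checksum 0x%04x valid=%s" % (int.from_bytes(h[10:12], "big"), verify(h)))
    h2 = forward(h)
    print("after one hop: TTL=%d checksum 0x%04x" % (h2[8], int.from_bytes(h2[10:12], "big")))
```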