1 / 31

ITIS 6167/8167: Network and Information Security

This document delves into the intricacies of the Internet Protocol (IP), focusing on IP fragmentation and associated security threats. It describes how IP, which is connectionless and best-effort oriented, handles packet delivery, including fragmentation based on Maximum Transmission Unit (MTU) size. The document details the structure of IP packets, the role of the Time To Live (TTL) field, and potential attack vectors such as DoS and TearDrop attacks. Furthermore, it emphasizes the importance of implementing effective mitigation mechanisms to protect against malicious activities targeting IP fragmentation.

ophrah
Télécharger la présentation

ITIS 6167/8167: Network and Information Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ITIS 6167/8167: Network and Information Security Weichao Wang

  2. Contents • IP fragmentation and attacks • IP protocol • IP fragmentation • Attacks • Mitigation mechanisms

  3. IP protocol and fragmentation • IP layer provides the fundamental service in Internet: unreliable, connectionless, and best-effort based packet delivery • Unreliable: packet may lost, duplicated, delayed, out of order • Connectionless: every packet is handled independently • Best-effort: no quality guarantee

  4. IP protocol will • Define the format of IP packet • Routing • Determine • Packet processing procedures • Error reporting and handling procedures • When the packets can be discarded

  5. IP encapsulation • In ethernet, frame type for IP is 0x0800 IP header IP Data

  6. IP format

  7. Details of IP packet • Vers: current version is 4 • HLEN: header length in 32 bit word. Usually is 5 (20 byte), max can be 60 bytes (IP options) • Type of services: usually all 0 (best effort), can be used for diffserv and QoS. • 3 bit of precedence, 4 bit of TOS, 1 bit unused • TOS bit 1 (min delay), 2 (max throughput), 3 (max reliability), 4 (min cost) • Total length: 16 bit can represent 64K byte long packet

  8. Identification, flags, and offset: used for fragmentation and reassemble (later) • TTL: time to live: number of routers or seconds a packet can live. • Every router will reduce this value by one. When reach 0, the packet will be discarded. • Can be used to prevent routing loop • Use TTL to implement traceroute

  9. -bash-3.1$ ping -i 7 dell.com PING dell.com (143.166.224.244) 56(84) bytes of data. From kcm-edge-15.inet.qwest.net (65.120.164.89) icmp_seq=1 Time to live exceeded From kcm-edge-15.inet.qwest.net (65.120.164.89) icmp_seq=2 Time to live exceeded

  10. Type: the high level protocol the IP packet contains: ICMP (0x01), TCP (0x06), UDP (0x11) • Header checksum: • calculate only over header • Re-compute at every hop (why) • Example: an ICMP packet b/w 128.10.2.3 and 128.10.2.8. Header length is 20 bytes.

  11. IP header options • Record route option • Intermediate routers will attach their IP address to the packet • Timestamp option • Intermediate router attach 32 bit timestamp • Source routing option • Strict source routing • Loose source routing: allow multiple hops b/w routers

  12. IP fragmentation • Why do we need it • MTU: maximum transmission unit • An IP packet can be as large as 65535 byte • Different hardware have different MTU: ethernet 1500, FDDI 4470

  13. IP fragmentation • Routers divide an IP datagram into several smaller fragments based on MTU • Fragments use the same header format as the original datagram • Each fragment is routed independently

  14. How to fragment • IDENT: unique number to identify an IP datagram; fragments with the same identifier belong to the same IP datagram • Fragment offset: • Specify where the data belong in the original packet • Multiple of 8 • Use 13 bits (why do we only need 13 bits)

  15. FLAGs: • Bit 0: reserved • Bit 1: do not fragment (if this bit is set and the MTU is not large enough, we send out ICMP to report this) • Bit 2: more fragment: this bit is turned off in the last segment. (why we need this bit: so we can calculate the length of the original packet)

  16. Example: • Original packet: header + 400 + 400 + 400 • Header 1: FLAG = 001, OFFSET =0 • Header 2: FLAG = 001, OFFSET =400/8=50 • Header 3: FLAG = 000, OFFSET= 800/8=100

  17. Fragment of fragment • Need to pay special attention of the FLAG bits • Reassemble • Reassembled before delivered to higher layers • Where to reassemble: router or destination, why?? (not only efficiency) • Use a timer to handle lost fragment and discard the whole packet

  18. Malicious activities on fragmentation • What if we never receive the last piece • Overlapping fragment • The reassembled packet is larger than the allowed IP packet size (how can attackers do this)

  19. Attack 1: DoS attack • 1st fragment: offset =0; • 2nd fragment: offset = 64800; • Result: now the machine will allocate 64K memory, and usually will hold it for 15 to 255 seconds. • Who are vulnerable: Win2K, XP, most versions of UNIX

  20. Attack 2: TearDrop • Fist packet: • payload size N, • More fragment bit on • 2nd fragment: • More fragment bit off • Offset + payload < N • If the user assume that the packet should become longer and longer, may cause machine crash

  21. Overlapping attacks against Firewall • Many firewalls inspect packet without reassemble. If the TCP header is fragmented and the filter rule is based on TCP, it may fail • Firewall examine the SYN bit • Tiny fragment attack: Firewall only check the first fragment. The minimum fragment is 68 bytes (ICMP requirement), but the SYN bit maybe fall into the 2nd fragment with IP option. • Overlapping attack: allow packet overlapping during reassemble. Then the checked segment may looks ok. But will be overlapped later.

  22. IP spoofing • Spoofing • An attacker sends packet with another node’s IP address • Replies will be routed to the victim • Egress filtering • Remove packets that cannot come from your network • Ingress filtering • Remove packet from invalid address

  23. Router and Host • Router usually connects to multiple networks • Host only connect to one • Routing table • Used by routers to determine next hop • When determining which entry to use, usually use the one with the longest match • Next hop routing • Destination IP address will not change, only the next hop’s MAC address is used

  24. Default route • When no other entry matches the routing request • Routing procedure • Extract destination IP D and compute the network prefix N • Is N the same network • What is the routing entry with the longest match • What is the default route • Report error

  25. Handling income packets • Host: accept or discard, Do not forward. Why? • Router: • Decrease TTL, recompute the checksum • If TTL = 0; drop the packet and send an error message to source

More Related