ITIS 6167/8167: Network and Information Security Weichao Wang

Contents IP fragmentation and attacks IP protocol IP fragmentation Mitigation mechanisms

IP protocol and fragmentation IP layer provides the fundamental service in Internet: unreliable, connectionless, and best-effort based packet delivery Unreliable: packet may lost, duplicated, delayed, out of order Connectionless: every packet is handled independently Best-effort: no quality guarantee

IP protocol will Define the format of IP packet Routing Determine Packet processing procedures Error reporting and handling procedures When the packets can be discarded

IP encapsulation In ethernet, frame type for IP is 0x0800 IP header IP Data

IP format

Details of IP packet Vers: current version is 4 HLEN: header length in 32 bit word. Usually is 5 (20 byte), max can be 60 bytes (IP options) Type of services: usually all 0 (best effort), can be used for diffserv and QoS. 3 bit of precedence, 4 bit of TOS, 1 bit unused TOS bit 1 (min delay), 2 (max throughput), 3 (max reliability), 4 (min cost) Total length: 16 bit can represent 64K byte long packet

TTL: time to live: number of routers or seconds a packet can live. Identification, flags, and offset: used for fragmentation and reassemble (later) TTL: time to live: number of routers or seconds a packet can live. Every router will reduce this value by one. When reach 0, the packet will be discarded. Can be used to prevent routing loop Use TTL to implement traceroute

-bash-3.1$ ping -i 7 dell.com PING dell.com (143.166.224.244) 56(84) bytes of data. From kcm-edge-15.inet.qwest.net (65.120.164.89) icmp_seq=1 Time to live exceeded From kcm-edge-15.inet.qwest.net (65.120.164.89) icmp_seq=2 Time to live exceeded

Type: the high level protocol the IP packet contains: ICMP (0x01), TCP (0x06), UDP (0x11) Header checksum: calculate only over header Re-compute at every hop (why) Example: an ICMP packet b/w 128.10.2.3 and 128.10.2.8. Header length is 20 bytes.

IP header options Record route option Timestamp option Intermediate routers will attach their IP address to the packet Timestamp option Intermediate router attach 32 bit timestamp Source routing option Strict source routing Loose source routing: allow multiple hops b/w routers

IP fragmentation Why do we need it MTU: maximum transmission unit An IP packet can be as large as 65535 byte Different hardware have different MTU: ethernet 1500, FDDI 4470

IP fragmentation Routers divide an IP datagram into several smaller fragments based on MTU Fragments use the same header format as the original datagram Each fragment is routed independently

How to fragment IDENT: unique number to identify an IP datagram; fragments with the same identifier belong to the same IP datagram Fragment offset: Specify where the data belong in the original packet Multiple of 8 Use 13 bits (why do we only need 13 bits)

FLAGs: Bit 0: reserved Bit 1: do not fragment (if this bit is set and the MTU is not large enough, we send out ICMP to report this) Bit 2: more fragment: this bit is turned off in the last segment. (why we need this bit: so we can calculate the length of the original packet)

Example: Original packet: header + 400 + 400 + 400 Header 1: FLAG = 001, OFFSET =0 Header 2: FLAG = 001, OFFSET =400/8=50 Header 3: FLAG = 000, OFFSET= 800/8=100

Fragment of fragment Reassemble Need to pay special attention of the FLAG bits Reassemble Reassembled before delivered to higher layers Where to reassemble: router or destination, why?? (not only efficiency) Use a timer to handle lost fragment and discard the whole packet

Malicious activities on fragmentation What if we never receive the last piece Overlapping fragment The reassembled packet is larger than the allowed IP packet size (how can attackers do this)

Attack 1: DoS attack 1st fragment: offset =0; 2nd fragment: offset = 64800; Result: now the machine will allocate 64K memory, and usually will hold it for 15 to 255 seconds. Who are vulnerable: Win2K, XP, most versions of UNIX

Attack 2: TearDrop Fist packet: 2nd fragment: payload size N, More fragment bit on 2nd fragment: More fragment bit off Offset + payload < N If the user assume that the packet should become longer and longer, may cause machine crash

Overlapping attacks against Firewall Many firewalls inspect packet without reassemble. If the TCP header is fragmented and the filter rule is based on TCP, it may fail Firewall examine the SYN bit Tiny fragment attack: Firewall only check the first fragment. The minimum fragment is 68 bytes (ICMP requirement), but the SYN bit maybe fall into the 2nd fragment with IP option. Overlapping attack: allow packet overlapping during reassemble. Then the checked segment may looks ok. But will be overlapped later.

IP spoofing Spoofing Egress filtering Ingress filtering An attacker sends packet with another node’s IP address Replies will be routed to the victim Egress filtering Remove packets that cannot come from your network Ingress filtering Remove packet from invalid address

Router and Host Routing table Next hop routing Router usually connects to multiple networks Host only connect to one Routing table Used by routers to determine next hop When determining which entry to use, usually use the one with the longest match Next hop routing Destination IP address will not change, only the next hop’s MAC address is used

Default route Routing procedure When no other entry matches the routing request Routing procedure Extract destination IP D and compute the network prefix N Is N the same network What is the routing entry with the longest match What is the default route Report error

Handling income packets Host: accept or discard, Do not forward. Why? Router: Decrease TTL, recompute the checksum If TTL = 0; drop the packet and send an error message to source