ITIS 6167/8167: Network and Information Security


1 ITIS 6167/8167: Network and Information Security
Weichao Wang

2 Contents
IP fragmentation and attacks
IP protocol
IP fragmentation
Mitigation mechanisms


4 IP protocol and fragmentation
The IP layer provides the fundamental service of the Internet: unreliable, connectionless, best-effort packet delivery.
Unreliable: a packet may be lost, duplicated, delayed, or delivered out of order
Connectionless: every packet is handled independently of every other
Best-effort: no quality guarantee

5 The IP protocol defines
The format of the IP packet
Routing: how the next hop for a packet is determined
Packet processing procedures
Error reporting and handling procedures
When a packet may be discarded

6 IP encapsulation
An IP packet is carried as the payload of a link-layer frame. In Ethernet, the frame type (EtherType) for IP is 0x0800.
Frame payload: IP header | IP data

7 IP format

8 Details of the IP packet
Vers: current version is 4
HLEN: header length in 32-bit words. Usually 5 (20 bytes); the maximum is 15 (60 bytes, when IP options are present)
Type of service: usually all 0 (best effort); can be used for DiffServ and QoS. 3 bits of precedence, 4 bits of TOS, 1 bit unused. TOS bits: 1 (minimize delay), 2 (maximize throughput), 3 (maximize reliability), 4 (minimize cost)
Total length: 16 bits, so a packet (header plus data) can be at most 65,535 bytes (64K)

9 Identification, flags, offset, and TTL
Identification, flags, and offset: used for fragmentation and reassembly (later)
TTL: time to live: the number of routers (or seconds) a packet may live. Every router decrements the value by one; when it reaches 0 the packet is discarded and an ICMP Time Exceeded message is sent back to the source. This prevents a packet from circulating forever in a routing loop.
traceroute is built on TTL: it sends probes with TTL 1, 2, 3, ... and records which router returns each Time Exceeded message.

10 Example output (the addresses did not survive the transcript):
-bash-3.1$ ping -i 7 dell.com
PING dell.com ( ) 56(84) bytes of data.
From kcm-edge-15.inet.qwest.net ( ) icmp_seq=1 Time to live exceeded
From kcm-edge-15.inet.qwest.net ( ) icmp_seq=2 Time to live exceeded
The Time to live exceeded replies come from the router at which the probe's TTL reached 0, not from dell.com.

11 Protocol (type): the higher-level protocol carried in the IP packet: ICMP (0x01), TCP (0x06), UDP (0x11)
Header checksum: computed over the header only (the transport layer protects its own data). It must be recomputed at every hop. Why? Because every router changes the header when it decrements the TTL (and when it updates options such as record route), so the checksum the sender computed is no longer valid.
Example: an ICMP packet b/w and ; the header length is 20 bytes.
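The header fields of slides 8 to 11 and the per-hop TTL/checksum processing, as an added worked example (this is not code from the lecture). It builds a 20-byte header for a constructed ICMP packet, parses it back, verifies the RFC 1071 checksum, and performs one router hop: verify, decrement TTL, drop at 0, otherwise recompute the checksum. Addresses and the 8-byte ICMP payload are made up for the example.

```python
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # the 20-byte fixed header, network byte order


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of the
    16-bit words. Run over a header whose checksum field is zero it yields the
    value to store; run over a header that already carries a correct checksum
    it yields 0, which is how a router verifies the header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1234,
                      df=False, mf=False, frag_off=0) -> bytes:
    """20-byte header without options; flags/offset laid out as on slides 18-19."""
    ver_ihl = (4 << 4) | 5                   # version 4, HLEN = 5 words
    flags_off = (int(df) << 14) | (int(mf) << 13) | (frag_off & 0x1FFF)
    hdr = struct.pack(IPV4_FMT, ver_ihl, 0, 20 + payload_len, ident, flags_off,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header; checksum_ok covers the whole header incl. options."""
    (ver_ihl, tos, total_len, ident, flags_off, ttl, proto, csum,
     src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    hlen = (ver_ihl & 0xF) * 4
    return {
        "version": ver_ihl >> 4,
        "hlen": hlen,
        "tos": tos,
        "total_len": total_len,
        "ident": ident,
        "df": bool(flags_off & 0x4000),
        "mf": bool(flags_off & 0x2000),
        "frag_off": flags_off & 0x1FFF,      # in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ipv4_checksum(pkt[:hlen]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def router_hop(pkt: bytes):
    """One hop of router processing: verify the checksum, decrement TTL, drop at
    0 (a real router would send ICMP Time Exceeded to the source), otherwise
    rewrite the checksum over the modified header. Returns (packet, reason)."""
    hlen = (pkt[0] & 0xF) * 4
    if ipv4_checksum(pkt[:hlen]) != 0:
        return None, "bad header checksum"
    if pkt[8] <= 1:
        return None, "TTL exceeded"
    hdr = bytearray(pkt[:hlen])
    hdr[8] -= 1                              # TTL
    hdr[10:12] = b"\x00\x00"                 # zero the field before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[hlen:], "forwarded"


if __name__ == "__main__":
    # Constructed sample: ICMP echo request (type 8) with an all-zero 8-byte body.
    pkt = build_ipv4_header("10.0.0.1", "10.0.0.2", 1, 8, ttl=2) + b"\x08\x00" + bytes(6)
    print(parse_ipv4_header(pkt))
    hop1, why = router_hop(pkt)
    print(why, parse_ipv4_header(hop1)["ttl"], parse_ipv4_header(hop1)["checksum_ok"])
    print(router_hop(hop1))                  # second hop: TTL would reach 0
```

Flipping any header byte (for instance the first byte of the source address) makes `checksum_ok` false and `router_hop` refuses the packet, which is the check every hop performs before touching the TTL.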


13 IP header options
Record route option: each intermediate router appends its IP address to the packet
Timestamp option: each intermediate router appends a 32-bit timestamp
Source routing option: the sender lists the routers the packet must pass through
Strict source routing: the packet must go directly from each listed router to the next
Loose source routing: other hops are allowed between the listed routers
Because source routing lets the sender choose the path, and so steer replies along a path it controls, most routers and hosts drop source-routed packets today.


15 IP fragmentation: why do we need it?
MTU: maximum transmission unit, the largest frame payload a link can carry
An IP packet can be as large as 64K bytes (16-bit total length), but different hardware has different MTUs: Ethernet 1500, FDDI 4470. A packet larger than the MTU of the next link cannot be sent as one frame.


17 IP fragmentation
A router divides an IP datagram into several smaller fragments so that each fits the MTU of the outgoing link
Fragments use the same header format as the original datagram (each carries a full IP header)
Each fragment is routed independently, and may take a different path

18 How to fragment
IDENT: a number identifying the original IP datagram; fragments with the same identifier (and source, destination, protocol) belong to the same datagram
Fragment offset: specifies where the fragment's data belongs in the original packet, counted in multiples of 8 bytes
Only 13 bits are needed. Why? 2^13 offsets × 8 bytes = 65,536 bytes, which covers every position in a datagram whose 16-bit total length is at most 65,535.

19 FLAGS
Bit 0: reserved
Bit 1: do not fragment (DF). If this bit is set and the next link's MTU is too small, the router drops the packet and sends an ICMP error (fragmentation needed) back to the source.
Bit 2: more fragments (MF). Turned off only in the last fragment. Why do we need this bit? The receiver needs to know which fragment is the last one; from that fragment's offset and length it computes the length of the original packet and knows when reassembly is complete.


21 Example: original packet = header + 400 + 400 + 400 bytes of data
Header 1: FLAGS = 001 (MF set), OFFSET = 0
Header 2: FLAGS = 001 (MF set), OFFSET = 400/8 = 50
Header 3: FLAGS = 000 (MF clear), OFFSET = 800/8 = 100

22 Fragment of a fragment; reassembly
A fragment can itself be fragmented by a later router with a smaller MTU. Pay special attention to the FLAG bits: only the piece that carries the tail of the original last fragment keeps MF = 0; every other piece gets MF = 1, and all offsets stay relative to the original datagram.
Reassembly: done before the data is delivered to higher layers
Where to reassemble, at a router or at the destination, and why? (not only efficiency) Only the destination is guaranteed to see all the fragments: each fragment is routed independently, so an intermediate router may see only some of them.
Use a timer to handle lost fragments: when it expires, discard the whole packet and free the buffer


24 Malicious activities on fragmentation
What if we never receive the last piece? The receiver holds the buffer and state until its timer expires.
Overlapping fragments
The reassembled packet is larger than the allowed IP packet size. How can attackers do this? The offset field alone allows positions up to 8191 × 8 = 65,528 bytes, so an offset plus a fragment length can add up to more than 65,535.

25 Attack 1: DoS attack
1st fragment: offset = 0
2nd fragment: offset = 64800 (near the top of the 64K datagram), with no last fragment
Result: the machine allocates a 64K reassembly buffer for a datagram that will never complete, and usually holds it for 15 to 255 seconds until the timer expires. Many such datagrams exhaust the reassembly memory.
Who is vulnerable: Win2K, XP, most versions of UNIX

26 Attack 2: Teardrop
First fragment: payload size N, more-fragments bit on
2nd fragment: more-fragments bit off, with offset + payload < N, so the second fragment ends inside the first one
If the reassembly code assumes that each new fragment extends the packet (the packet only grows), the overlap produces a negative length, which may crash the machine

27 Overlapping attacks against firewalls
Many firewalls inspect packets without reassembling them. If the TCP header is split across fragments and the filter rule depends on TCP fields, the rule may fail. Example: the firewall examines the SYN bit.
Tiny fragment attack: the firewall only checks the first fragment. RFC 791 requires every host and router to handle a 68-byte datagram (up to 60 bytes of header plus a minimum 8-byte fragment), so a first fragment with IP options can legally carry only 8 bytes of TCP header (ports and sequence number). The flags, including SYN, fall into the 2nd fragment, which the firewall does not check.
Overlapping attack: the receiver allows fragments to overlap during reassembly. The fragment the firewall checks looks fine, but a later fragment overlaps it and rewrites the fields that were inspected.
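A model of fragmentation and reassembly covering slides 17 to 27, as an added example (this is not the lecture's code). `fragment` does the router's split from slide 21, `reassemble` does the destination's job and rejects the crafted sets from slides 24 to 26 (oversized datagram, overlap/teardrop, a last fragment that is not last), and `tcp_fragment_passes_firewall` applies the two stateless rules RFC 1858 suggests for the tiny-fragment and overlap attacks of slide 27. Only the fields the slides discuss (identification, MF, offset, data) are modelled; the 16-byte first-fragment minimum is this example's rounding of the TCP flags position (byte 13) up to an 8-byte boundary.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535     # 16-bit total length (slide 8)
HEADER_LEN = 20          # IP header without options


class FragmentAttack(ValueError):
    """A fragment set that no router would produce; only an attacker would."""


@dataclass
class Fragment:
    ident: int       # identification: same value for every piece of one datagram
    mf: bool         # more-fragments flag: off only in the last piece
    offset: int      # 13-bit fragment offset, in 8-byte units
    data: bytes

    @property
    def start(self) -> int:          # first byte position in the original datagram
        return self.offset * 8

    @property
    def end(self) -> int:            # one past the last byte position
        return self.start + len(self.data)


def fragment(ident: int, payload: bytes, mtu: int) -> list:
    """Router-side split: every piece fits in mtu, and every piece but the last
    carries a multiple of 8 bytes so the next offset fits the 13-bit field."""
    chunk = ((mtu - HEADER_LEN) // 8) * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any data")
    if not payload:
        return [Fragment(ident, False, 0, b"")]
    pieces = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        last = start + chunk >= len(payload)
        pieces.append(Fragment(ident, not last, start // 8, data))
    return pieces


def reassemble(frags: list):
    """Destination-side reassembly with the checks a hardened stack applies.
    Returns the payload; None while pieces are still missing (a real stack keeps
    a timer and discards everything when it fires); raises FragmentAttack for
    crafted sets. Nothing is allocated until the last piece fixes the size, so
    a lone fragment at offset 64800 (slide 25) does not reserve 64K here."""
    if len({f.ident for f in frags}) != 1:
        raise ValueError("fragments from different datagrams")
    frags = sorted(frags, key=lambda f: f.offset)
    total = None
    for f in frags:
        if HEADER_LEN + f.end > MAX_DATAGRAM:
            raise FragmentAttack("reassembled datagram would exceed 65535 bytes")
        if not f.mf:
            if total is not None:
                raise FragmentAttack("two fragments claim to be the last")
            total = f.end
    if total is None:
        return None                          # last piece never arrived
    buf = bytearray(total)
    filled = 0                               # bytes contiguously covered from offset 0
    for f in frags:
        if f.start < filled:
            raise FragmentAttack("overlapping fragment (teardrop / firewall evasion)")
        if f.start > filled:
            return None                      # hole: still waiting
        if f.end > total:
            raise FragmentAttack("non-last fragment extends past the last one")
        buf[f.start:f.end] = f.data
        filled = f.end
    return bytes(buf)


def is_attack(frags: list) -> bool:
    """True when reassemble() classifies the set as crafted."""
    try:
        reassemble(frags)
    except FragmentAttack:
        return True
    return False


def tcp_fragment_passes_firewall(f: Fragment, min_first: int = 16) -> bool:
    """RFC 1858 style rules for a filter that sees each TCP fragment alone.
    Rule 1: a first fragment must hold the TCP header at least through the flags
    byte, so an 8-byte first fragment that pushes SYN into piece two is dropped.
    Rule 2: no fragment may start at offset 1 (byte 8), the only position from
    which a later piece could overwrite bytes 8-15 of a rule-1-compliant first
    fragment; with both rules, overlaps cannot rewrite the inspected flags."""
    if f.offset == 0 and len(f.data) < min_first:
        return False
    if f.offset == 1:
        return False
    return True


if __name__ == "__main__":
    payload = (bytes(range(256)) * 5)[:1200]          # constructed 1200-byte datagram
    pieces = fragment(0x1234, payload, 420)          # slide 21: three 400-byte pieces
    print([(p.offset, p.mf, len(p.data)) for p in pieces])
    print(reassemble(list(reversed(pieces))) == payload)
    print(is_attack([Fragment(7, True, 0, b"A" * 64), Fragment(7, False, 2, b"B" * 8)]))
```

The teardrop set in the usage line is rejected before any copy happens: the sorted walk finds a non-last fragment that ends past the datagram length fixed by the MF = 0 piece, which is exactly the "packet got shorter" condition the original code mishandled.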

28 IP spoofing
Spoofing: an attacker sends packets carrying another node's IP address as the source. Replies are routed to that node (the victim), which hides the attacker and makes the victim absorb the responses.
Egress filtering: at the exit of your network, drop packets whose source address does not belong to your network; they cannot legitimately have come from it.
Ingress filtering: at the entrance of your network, drop packets with invalid source addresses, e.g. a source inside your own network arriving from outside, or a reserved/unroutable address.

29 Router and host
A router usually connects to multiple networks; a host connects to only one.
Routing table: used by a router to determine the next hop. When more than one entry matches, use the one with the longest match (most specific prefix).
Next-hop routing: the destination IP address in the packet does not change from hop to hop; only the frame's destination MAC address is set to the next hop's.

30 Default route and routing procedure
Default route: used when no other entry matches the routing request.
Routing procedure:
1. Extract the destination IP address D and compute its network prefix N
2. Is N one of the directly connected networks? If so, deliver directly
3. Otherwise, which routing entry has the longest match? Forward to its next hop
4. Otherwise, is there a default route? Forward to it
5. Otherwise, report an error (destination unreachable)

31 Handling incoming packets
Host: accept or discard; do not forward. Why? A host is not part of the routing system; a host that forwarded packets addressed to others would act as an unmanaged router.
Router: decrease the TTL and recompute the checksum. If the TTL reaches 0, drop the packet and send an error message (ICMP Time Exceeded) to the source.
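The forwarding decision of slides 29 to 31 together with the source-address filters of slide 28, as an added example (not the lecture's code). The router knows its directly connected networks, a table of prefixes with next hops, a default route and the name of its upstream interface; the procedure is: filter the source, check the TTL, deliver directly if the destination is on a connected network, otherwise take the longest matching prefix, then the default, else report an error. Interface names, prefixes and addresses are made up for the example.

```python
import ipaddress


class Router:
    """Minimal IPv4 forwarder: longest-prefix lookup, default route, TTL
    handling, and ingress/egress source filtering (added example)."""

    def __init__(self, internal: dict, external: str, routes: list, default=None):
        # internal: {iface: "prefix"} directly connected networks we own
        # external: name of the upstream interface (carries no network of ours)
        # routes: [("prefix", "next_hop", iface)]; default: ("next_hop", iface)
        self.internal = {i: ipaddress.ip_network(p) for i, p in internal.items()}
        self.external = external
        self.routes = sorted(
            [(ipaddress.ip_network(p), nh, i) for p, nh, i in routes],
            key=lambda r: r[0].prefixlen, reverse=True)   # most specific first
        self.default = default

    def is_ours(self, addr) -> bool:
        """Does the address belong to one of our directly connected networks?"""
        return any(addr in net for net in self.internal.values())

    def lookup(self, dst):
        """Slide 30: directly connected? longest match? default? else no route."""
        dst = ipaddress.ip_address(dst)
        for iface, net in self.internal.items():
            if dst in net:
                return ("direct", iface)         # deliver on that link (ARP for dst)
        for prefix, nh, iface in self.routes:
            if dst in prefix:
                return (nh, iface)               # first hit is the longest match
        if self.default:
            return self.default
        return None

    def forward(self, iface_in: str, src: str, dst: str, ttl: int):
        """Returns ("forward", next_hop, iface_out, new_ttl) or ("drop", reason).
        A real router answers the last two reasons with an ICMP error to src."""
        src_ip = ipaddress.ip_address(src)
        # Slide 28 filters. Ingress: nobody outside may claim one of our addresses.
        if iface_in == self.external and self.is_ours(src_ip):
            return ("drop", "ingress filter: internal source arriving from outside")
        # Egress: traffic leaving our network must carry one of our addresses.
        if iface_in != self.external and not self.is_ours(src_ip):
            return ("drop", "egress filter: source address not from our network")
        if ttl <= 1:                             # slide 31: decrement would reach 0
            return ("drop", "TTL exceeded")
        route = self.lookup(dst)
        if route is None:
            return ("drop", "no route to destination")
        return ("forward", route[0], route[1], ttl - 1)


if __name__ == "__main__":
    r = Router({"lan": "192.168.1.0/24"}, "wan",
               [("10.0.0.0/8", "192.168.1.2", "lan"),
                ("10.20.0.0/16", "192.168.1.3", "lan")],
               default=("203.0.113.1", "wan"))
    print(r.lookup("10.20.3.4"))                 # /16 wins over /8
    print(r.forward("lan", "192.168.1.5", "8.8.8.8", 64))
    print(r.forward("wan", "192.168.1.5", "8.8.8.8", 64))   # spoofed, dropped
```

Sorting the table by prefix length once at construction is what makes "first match" equal "longest match"; production routers use a trie for the same effect, but the decision order of the procedure is the same.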
