IP fragmentation attack

Last updated April 05, 2023

IP fragmentation attacks are a kind of computer security attack based on how the Internet Protocol (IP) requires data to be transmitted and processed. Specifically, it invokes IP fragmentation, a process used to partition messages (the service data unit (SDU); typically a packet) from one layer of a network into multiple smaller payloads that can fit within the lower layer's protocol data unit (PDU). Every network link has a maximum size of messages that may be transmitted, called the maximum transmission unit (MTU). If the SDU plus metadata added at the link layer exceeds the MTU, the SDU must be fragmented. IP fragmentation attacks exploit this process as an attack vector.

Part of the TCP/IP suite is the Internet Protocol (IP) which resides at the Internet Layer of this model. IP is responsible for the transmission of packets between network end points. IP includes some features which provide basic measures of fault-tolerance (time to live, checksum), traffic prioritization (type of service) and support for the fragmentation of larger packets into multiple smaller packets (ID field, fragment offset). The support for fragmentation of larger packets provides a protocol allowing routers to fragment a packet into smaller packets when the original packet is too large for the supporting datalink frames. IP fragmentation exploits (attacks) use the fragmentation protocol within IP as an attack vector.

According to [Kurose 2013], in one type of IP fragmentation attack "the attacker sends a stream of small fragments to the target host, none of which has an offset of zero. The target can collapse as it attempts to rebuild datagrams out of the degenerate packets."^[1] Another attack involves sending overlapping fragments with non-aligned offsets, which can render vulnerable operating systems not knowing what to do, causing some to crash.^[1]

Process

IP packets are encapsulated in datalink frames, and, therefore, the link MTU affects larger IP packets and forces them to be split into pieces equal to or smaller than the MTU size.

This can be accomplished by several approaches:

To set the IP packet size equal or smaller than the directly attached medium and delegate all further fragmentation of packets to routers, meaning that routers decide if the current packet should be re-fragmented or not. This offloads a lot of work on to routers, and can also result in packets being segmented by several IP routers one after another, resulting in very peculiar fragmentation.
To preview all links between source and destination and select the smallest MTU in this route, assuming there is a unique route. This way we make sure that the fragmentation is done by the sender, using a packet-size smaller than the selected MTU, and there is no further fragmentation en route. This solution, called Path MTU Discovery, allows a sender to fragment/segment a long Internet packet, rather than relying on routers to perform IP-level fragmentation. This is more efficient and more scalable. It is therefore the recommended method in the current Internet. The problem with this approach is that each packet is routed independently; they may well typically follow the same route, but they may not, and so a probe packet to determine fragmentation may follow a path different from paths taken by later packets.

Three fields in the IP header are used to implement fragmentation and reassembly. The "Identification", "Flags" and "Fragment Offset" fields.

IPv4 Header Format
Offsets	Octet	0								1								2								3
Octet	Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31
0	0	Version				IHL				DSCP						ECN		Total Length
4	32	Identification																Flags			Fragment Offset
8	64	Time To Live								Protocol								Header Checksum
12	96	Source IP Address
16	128	Destination IP Address
20	160	Options (if IHL > 5)
24	192
28	224
32	256

Flags:

A 3 bit field which says if the packet is a part of a fragmented data frame or not.

Bit 0: reserved, must be zero (unless packet is adhering to RFC 3514)

Bit 1: (AF) 0 = May Fragment, 1 = Don't Fragment.

Bit 2: (AF) 0 = Last Fragment, 1 = More Fragments.

Bit	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
Field	0	DF	MF	Fragment Offset

Fragment Offset specifies the fragment's position within the original packet, measured in 8-byte units.

Accordingly, every fragment except the last must contain a multiple of 8 bytes of data. It is obvious that Fragment Offset can hold 8192 (2^13) units but the packet can't have 8192 * 8 = 65,536 bytes of data because "Total Length" field of IP header records the total size including the header and data. An IP header is at least 20 bytes long, so the maximum value for "Fragment Offset" is restricted to 8189, which leaves room for 3 bytes in the last fragment.

Because an IP internet can be connectionless, fragments from one packet may be interleaved with those from another at the destination. The "Identification field" uniquely identifies the fragments of a particular packet.

The source system sets "Identification" field in each packet to a unique value for all packets which use the same source IP address, destination IP address, and "Protocol" values, for the lifetime of the packet on the internet. This way the destination can distinguish which incoming fragments belong to a unique packet and buffer all of them until the last fragment is received. The last fragment sets the "More Fragment" bit to 0 and this tells the receiving station to start reassembling the data if all fragments have been received.

The following is a real-life fragmentation example:

The following was obtained using the Ethereal protocol analyzer to capture ICMP echo request packets. To simulate this open up a terminal and type ping ip_dest -n 1 -l 65000.

The results are as follows:

      No. Time      Source                Destination           Protocol Info       1 0.000000    87.247.163.96         66.94.234.13          ICMP     Echo (ping) request       2 0.000000    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=1480)       3 0.002929    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=2960)       4 6.111328    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=4440)       5 6.123046    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=5920)       6 6.130859    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=7400)       7 6.170898    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=8880)       8 6.214843    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=10360)       9 6.239257    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=11840)      10 6.287109    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=13320)      11 6.302734    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=14800)      12 6.327148    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=16280)      13 6.371093    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=17760)      14 6.395507    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=19240)      15 6.434570    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=20720)      16 6.455078    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=22200)      17 6.531250    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=23680)      18 6.550781    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=25160)      19 6.575195    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=26640)      20 6.615234    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=28120)      21 6.634765    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=29600)      22 6.659179    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=31080)      23 6.682617    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=32560)      24 6.699218    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=34040)      25 6.743164    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=35520)      26 6.766601    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=37000)      27 6.783203    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=38480)      28 6.806640    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=39960)      29 6.831054    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=41440)      30 6.850586    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=42920)      31 6.899414    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=44400)      32 6.915039    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=45880)      33 6.939453    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=47360)      34 6.958984    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=48840)      35 6.983398    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=50320)      36 7.023437    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=51800)      37 7.046875    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=53280)      38 7.067382    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=54760)      39 7.090820    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=56240)      40 7.130859    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=57720)      41 7.151367    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=59200)      42 7.174804    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=60680)      43 7.199218    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=62160)      44 7.214843    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=63640)      45 7.258789    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=65120)  The first packet details:       No.Time        Source                Destination          Protocol Info       1 0.000000    87.247.163.96         66.94.234.13          ICMP     Echo (ping) request  Frame 1 (1514 bytes on wire, 1514 bytes captured) Ethernet II, Src: OmronTat_00:00:00 (00:00:0a:00:00:00), Dst: 40:0f:20:00:0c:00 (40:0f:20:00:0c:00) Internet Protocol, Src: 87.247.163.96 (87.247.163.96), Dst: 66.94.234.13 (66.94.234.13) Internet Control Message Protocol     Type: 8 (Echo (ping) request)     Code: 0     Checksum: 0x6b7d     Identifier: 0x0600     Sequence number: 0x0200     Data (1472 bytes)  The second packet details:      No. Time        Source                Destination          Protocol Info       2 0.000000    87.247.163.96         66.94.234.13          IP       Fragmented IP protocol (proto=ICMP 0x01, off=1480)  Frame 2 (1514 bytes on wire, 1514 bytes captured) Ethernet II, Src: OmronTat_00:00:00 (00:00:0a:00:00:00), Dst: 40:0f:20:00:0c:00 (40:0f:20:00:0c:00) Internet Protocol, Src: 87.247.163.96 (87.247.163.96), Dst: 66.94.234.13 (66.94.234.13) Data (1480 bytes)

Note that only the first fragment contains the ICMP header and all remaining fragments are generated without the ICMP header.

Two important points here:

In some datalink protocols such as Ethernet, only the first fragment contains the full upper layer header, meaning that other fragments look like beheaded packets.
Additional overhead imposed over network because all fragments contains their own IP header. Additional overhead = (number_of_fragments - 1) * (ip_header_len);

Exploits

IP fragment overlapped: The IP fragment overlapped exploit occurs when two fragments contained within the same IP packet have offsets that indicate that they overlap each other in positioning within the packet. This could mean that either fragment A is being completely overwritten by fragment B, or that fragment A is partially being overwritten by fragment B. Some operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in other undesirable ways upon receipt of overlapping fragments. This is the basis for the teardrop attack. Overlapping fragments may also be used in an attempt to bypass Intrusion Detection Systems. In this exploit, part of an attack is sent in fragments along with additional random data; future fragments may overwrite the random data with the remainder of the attack. If the completed packet is not properly reassembled at the IDS, the attack will go undetected.
IP fragmentation buffer full: The IP fragmentation buffer full exploit occurs when there is an excessive amount of incomplete fragmented traffic detected on the protected network. This could be due to an excessive number of incomplete fragmented packets, a large number of fragments for individual packets or a combination of quantity of incomplete packets and size/number of fragments in each packet. This type of traffic is most likely an attempt to bypass security measures or Intrusion Detection Systems by intentional fragmentation of attack activity.
IP fragment overrun: The IP Fragment Overrun exploit is when a reassembled fragmented packet exceeds the declared IP data length or the maximum packet length. By definition, no IP packet should be larger than 65,535 bytes. Systems that try to process these large packets can crash, and can be indicative of a denial of service attempt.
IP fragment too many packets: The "Too Many Packets" exploit is identified by an excessive number of incomplete fragmented packet detected on the network. This is usually either a denial of service attack or an attempt to bypass security measures. An example of "Too Many Packets", "Incomplete Packet" and "Fragment Too Small" is the Rose Attack.^[2]
IP fragment incomplete packet: This exploit occurs when a packet can not be fully reassembled due to missing data. This can indicate a denial of service attack or an attempt to defeat packet filter security policies.
IP Fragment Too Small: If an IP fragment is too small it indicates that the fragment is likely intentionally crafted. Any fragment other than the final fragment that is less than 400 bytes could be considered too small. Small fragments may be used in denial of service attacks or in an attempt to bypass security measures or detection.

Fragmentation for evasion

Network infrastructure equipment such as routers, load-balancers, firewalls and IDS have inconsistent visibility into fragmented packets. For example, a device may subject the initial fragment to rigorous inspection and auditing, but might allow all additional fragments to pass unchecked. Some attacks may use this fact to evade detection by placing incriminating payload data in fragments. Devices operating in "full" proxy mode are generally not susceptible to this subterfuge.

Related Research Articles

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address, for example, an error is indicated when a requested service is not available or that a host or router could not be reached. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications.

Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol (IP). It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. IPv4 was the first version deployed for production on SATNET in 1982 and on the ARPANET in January 1983. It is still used to route most Internet traffic today, even with the ongoing deployment of Internet Protocol version 6 (IPv6), its successor.

The Internet Protocol (IP) is the network layer communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.

In computer networking, the maximum transmission unit (MTU) is the size of the largest protocol data unit (PDU) that can be communicated in a single network layer transaction. The MTU relates to, but is not identical to the maximum frame size that can be transported on the data link layer, e.g. Ethernet frame.

ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network. It is available for virtually all operating systems that have networking capability, including most embedded network administration software.

The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network. Major internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP, which is part of the Transport Layer of the TCP/IP suite. SSL/TLS often runs on top of TCP.

Trivial File Transfer Protocol (TFTP) is a simple lockstep File Transfer Protocol which allows a client to get a file from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a local area network. TFTP has been used for this application because it is very simple to implement.

The Point-to-Point Protocol over Ethernet (PPPoE) is a network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. It appeared in 1999, in the context of the boom of DSL as the solution for tunneling packets over the DSL connection to the ISP's IP network, and from there to the rest of the Internet. A 2005 networking book noted that "Most DSL providers use PPPoE, which provides authentication, encryption, and compression." Typical use of PPPoE involves leveraging the PPP facilities for authenticating the user with a username and password, predominately via the PAP protocol and less often via CHAP. Around 2000, PPPoE was also starting to become a replacement method for talking to a modem connected to a computer or router over an Ethernet LAN displacing the older method, which had been USB. This use-case, connecting routers to modems over Ethernet is still extremely common today.

IP fragmentation is an Internet Protocol (IP) process that breaks packets into smaller pieces (fragments), so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host.

The maximum segment size (MSS) is a parameter of the options field of the TCP header that specifies the largest amount of data, specified in bytes, that a computer or communications device can receive in a single TCP segment. It does not count the TCP header or the IP header. The IP datagram containing a TCP segment may be self-contained within a single packet, or it may be reconstructed from several fragmented pieces; either way, the MSS limit applies to the total amount of data contained in the final, reconstructed TCP segment.

A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer.

Real-Time Messaging Protocol (RTMP) is a communication protocol for streaming audio, video, and data over the Internet. Originally developed as a proprietary protocol by Macromedia for streaming between Flash Player and the Flash Communication Server, Adobe has released an incomplete version of the specification of the protocol for public use.

In computer networking, jumbo frames are Ethernet frames with more than 1500 bytes of payload, the limit set by the IEEE 802.3 standard. Commonly, jumbo frames can carry up to 9000 bytes of payload, but smaller and larger variations exist and some care must be taken using the term. Many Gigabit Ethernet switches and Gigabit Ethernet network interface controllers and some Fast Ethernet switches and Fast Ethernet network interface cards can support jumbo frames.

Path MTU Discovery (PMTUD) is a standardized technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in Internet Protocol Version 4 (IPv4). However, all modern operating systems use it on endpoints. In IPv6, this function has been explicitly delegated to the end points of a communications session. As an extension to the standard path MTU discovery, a technique called Packetization Layer Path MTU Discovery works without support from ICMP.

6in4 is an IPv6 transition mechanism for migrating from Internet Protocol version 4 (IPv4) to IPv6. It is a tunneling protocol that encapsulates IPv6 packets on specially configured IPv4 links according to the specifications of RFC 4213. The IP protocol number for 6in4 is 41, per IANA reservation.

An IP header is header information at the beginning of an Internet Protocol (IP) packet. An IP packet is the smallest message entity exchanged via the Internet Protocol across an IP network. IP packets consist of a header for addressing and routing, and a payload for user data. The header contains information about IP version, source IP address, destination IP address, time-to-live, etc. The payload of an IP packet is typically a datagram or segment of the higher-level transport layer protocol, but may be data for an internet layer or link layer instead.

IP in IP is an IP tunneling protocol that encapsulates one IP packet in another IP packet. To encapsulate an IP packet in another IP packet, an outer header is added with Source IP, the entry point of the tunnel, and Destination IP, the exit point of the tunnel. While doing this, the inner packet is unmodified. The Don't Fragment and the Type Of Service fields should be copied to the outer packet. If the packet size, including the outer header, is greater than the Path MTU, the encapsulator fragments the packet. The decapsulator will reassemble the packet.

An IPv6 packet is the smallest message entity exchanged using Internet Protocol version 6 (IPv6). Packets consist of control information for addressing and routing and a payload of user data. The control information in IPv6 packets is subdivided into a mandatory fixed header and optional extension headers. The payload of an IPv6 packet is typically a datagram or segment of the higher-level transport layer protocol, but may be data for an internet layer or link layer instead.

Generic Stream Encapsulation, or GSE for short, is a Data link layer protocol defined by DVB. GSE provides means to carry packet oriented protocols such as IP on top of uni-directional physical layers such as DVB-S2, DVB-T2 and DVB-C2.

IPv4 Residual Deployment (4rd) is an IPv6 transition mechanism for Internet service providers for deployment of Internet Protocol version 6 (IPv6), while maintaining IPv4 service to customers. The protocol and sample applications are specified in RFC 7600.

References

1 2 Kurose, James F. (2013). Computer Networking: A Top-down Approach. Ross, Keith W., 1956- (6th ed.). Boston: Pearson. p. 338. ISBN 9780132856201. OCLC 769141382.
↑ Hollis, Ken. "The Rose Fragmentation Attack Explained". Archived from the original on 2012-02-24. Retrieved 2013-11-25.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[:0-1] 1 2 Kurose, James F. (2013). Computer Networking: A Top-down Approach. Ross, Keith W., 1956- (6th ed.). Boston: Pearson. p. 338. ISBN 9780132856201. OCLC 769141382.

[2] Hollis, Ken. "The Rose Fragmentation Attack Explained". Archived from the original on 2012-02-24. Retrieved 2013-11-25.

[1]

[2]